
REF2021 IMPACT CASE STUDY: Resolution of Multiple Critical Design Flaws in Bluetooth Standard


Bluetooth is an essential part of the electronic devices used daily across the world. This research project uncovered critical flaws in Bluetooth systems, leading to changes to its core technology and urgent modifications by industry leaders such as Intel, Microsoft, Apple, Cisco, Google, and Huawei. 

Secure communication between two devices requires a secure channel, which includes verifying the identity of each party. If a secure channel is not properly established, a malicious party can steal private information or forge data and commands, e.g., a vehicle can be unlocked and driven away, mobile phone data leaked, or a home-security system deactivated. 

The research, led by Professor Kasper Rasmussen, demonstrated how Bluetooth sessions can be compromised, and attackers can circumvent protections. This triggered a major effort by the world’s technology giants to remedy the vulnerabilities before they were published and potentially misused. Subsequent changes to core Bluetooth technology, and the Bluetooth standard, prevented significant harm to manufacturers and to consumers across the world using Bluetooth-enabled devices.  

This work exposing critical failures in Bluetooth technology has been instrumental in advancing the protection of electronic devices. It has benefitted manufacturers and consumers across the globe, while contributing to the continued development of more secure communication systems used by billions of devices worldwide.

Professor Kasper Rasmussen

The impact 

Approximately 5 billion Bluetooth devices are shipped annually, and this research has helped protect the security and privacy of a substantial proportion of the world’s population. It exposed critical failures in Bluetooth security, allowing manufacturers and users to make informed choices and significantly influencing the future development of commercial communication systems.  

The research team’s coordinated disclosure process, which allowed the risks to be mitigated before they could be abused, prevented harm and damage from security breaches. Most major vendors released patches immediately: Microsoft for Windows; Apple for macOS, iOS, and watchOS; Google for Android; Cisco for IP phones and Webex; Huawei for Android phones; and BlackBerry for Android-powered devices. Patches were also made available for popular Linux distributions.  

Though it is difficult to quantify precisely the investment or economic savings triggered by remedying these Bluetooth vulnerabilities, the costs of remedying large-scale attacks or bugs are notoriously high. The work of the research team will continue to have an industry-wide impact in the future, protecting many millions of Bluetooth users from malicious attacks and associated harm.

Find out more 

The full REF submission is available in this PDF.