Bluetooth Passkeys: Are They Secure?

TL;DR

Passkey-based pairing is considerably stronger than the fixed-PIN pairing of early Bluetooth, but how strong depends on which pairing generation the two devices negotiate. Under LE Legacy Pairing (Bluetooth 4.0 and 4.1) the 6-digit passkey is the only secret and a passive sniffer can brute-force it offline; under Secure Connections (Bluetooth 4.2 and later) the passkey only authenticates an ECDH key exchange and is far harder to abuse, provided it is random and used once. Prefer devices that support Secure Connections, and use Numeric Comparison (NC) or Out-of-Band (OOB) pairing where the hardware allows it.

Understanding Bluetooth Pairing Methods

Two Bluetooth devices must pair before they can communicate, and pairing has two parts: a key exchange, and an association model that lets the user check that nobody is sitting in the middle of that exchange. Which model is used is negotiated from the input/output capabilities of the two devices, not chosen by the user. From weakest to strongest:

  • Just Works: No user verification at all, used when one device has neither a display nor a keypad (most headsets and trackers). The link is encrypted but not authenticated, so a man-in-the-middle during pairing is not detected.
  • PIN Entry (legacy, Bluetooth 2.0 and earlier): The user types a PIN, often a fixed 0000 or 1234, into one or both devices, and the link key is derived from it. A passive eavesdropper who records the pairing can brute-force a short PIN offline, and an active attacker can man-in-the-middle it.
  • Passkey Entry: One device shows a random 6-digit passkey and the user types it into the other (or types the same passkey into both when neither has a display). Under LE Legacy Pairing the passkey is the only secret and the session key is derived from it, so a sniffer can crack it. Under Secure Connections the passkey only authenticates an ECDH key exchange, one bit per round, which gives man-in-the-middle protection as long as the passkey is freshly generated for every pairing.
  • Numeric Comparison (NC): Both devices display a 6-digit number computed from the key exchange and the user confirms that they match. It requires Secure Connections and a display plus a yes/no button on both sides. The number is not a secret and nothing has to be typed; it exists only to expose an attacker who substituted keys, so seeing it over your shoulder gains an attacker nothing.
  • Out-of-Band (OOB) Pairing: The pairing material is exchanged over a second channel such as an NFC tap. A radio attacker must also control that channel, which makes this the strongest model in practice, but it is only as strong as the OOB channel itself.

Is a 6-Digit Passkey Enough?

Not on its own. What matters is how the passkey is used:

  • Offline Brute Force under LE Legacy Pairing: There are only 1,000,000 passkeys, and in LE Legacy Pairing everything except the passkey (the confirm values and the random nonces) is sent in the clear. A passive sniffer can try all one million offline in seconds and then derive the same session key as the two devices. Under Secure Connections that search gains the attacker nothing, because the session key comes from an ECDH exchange that the passkey merely authenticates.
  • Static or Reused Passkeys: Some accessories ship with a fixed passkey printed on a label. Under Secure Connections Passkey Entry an active attacker who guesses a bit wrong is rejected in that round, but learns every bit up to that point; against a reused passkey a small number of repeated attempts recovers it in full. A passkey generated fresh for each pairing leaves the attacker a single attempt with a 1 in 1,000,000 chance.
  • Shoulder Surfing: Someone who reads a freshly generated passkey over your shoulder has to act during that one pairing, and a spectator who sees a Numeric Comparison value learns nothing. Only a fixed passkey is worth stealing.
  • Keylogging/Malware: If the phone or computer that shows or enters the passkey is compromised, the attacker is already on the trusted side of the link and no pairing model helps. That is a device-security problem, not a passkey-length problem.
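The two failure modes above, modelled in Python as an added example (this is not code from this page, from BlueZ or from any vendor): SHA-256 truncated to 128 bits stands in for the specification's AES-based c1, s1 and f4 functions, and random byte strings stand in for P-256 public keys, both assumptions made so the model runs offline; the message ordering (commit, then reveal the nonce) follows the Secure Connections Passkey Entry protocol. The first half shows a passive sniffer cracking an LE Legacy passkey offline and deriving the session key; the second shows why a Secure Connections passkey resists that, yet still leaks one failed attempt at a time if a device reuses it.

```python
"""Why a 6-digit passkey is crackable under LE Legacy Pairing but only an
authenticator under LE Secure Connections (constructed model, not BlueZ or
any vendor's code).

Assumptions: h16() uses SHA-256 truncated to 128 bits in place of the
specification's AES-based c1/s1/f4 functions, and 32 random bytes stand in
for P-256 public keys. The message ordering is the specification's.
"""
import hashlib
import os
from typing import List, Optional, Tuple

PASSKEY_BITS = 20  # a passkey below 1,000,000 fits in 20 bits


def h16(*parts: bytes) -> bytes:
    """128-bit output like the real c1/s1/f4 (SHA-256 stand-in, see above)."""
    return hashlib.sha256(b"".join(parts)).digest()[:16]


def tk(passkey: int) -> bytes:
    """Legacy Temporary Key: the passkey zero-padded to 128 bits."""
    assert 0 <= passkey < 1_000_000
    return passkey.to_bytes(16, "big")


# ---- LE Legacy Pairing (Bluetooth 4.0/4.1): the passkey is the key ----
def legacy_confirm(passkey: int, rand: bytes) -> bytes:
    """Confirm value each side sends over the air (model of c1(TK, rand))."""
    return h16(b"c1", tk(passkey), rand)


def legacy_stk(passkey: int, srand: bytes, mrand: bytes) -> bytes:
    """Short Term Key that encrypts the link (model of s1(TK, Srand, Mrand))."""
    return h16(b"s1", tk(passkey), srand, mrand)


def crack_legacy_passkey(mconfirm: bytes, mrand: bytes) -> Optional[int]:
    """Offline search over all 1,000,000 passkeys using only sniffed values."""
    for guess in range(1_000_000):
        if legacy_confirm(guess, mrand) == mconfirm:
            return guess
    return None


def legacy_eavesdropper_gets_stk(passkey: int) -> bool:
    """A passive sniffer records Mconfirm, Mrand and Srand, cracks the passkey
    offline and ends up with the same STK as the two legitimate devices."""
    mrand, srand = os.urandom(16), os.urandom(16)
    mconfirm = legacy_confirm(passkey, mrand)          # seen by the sniffer
    recovered = crack_legacy_passkey(mconfirm, mrand)
    return recovered == passkey and (
        legacy_stk(recovered, srand, mrand) == legacy_stk(passkey, srand, mrand))


# ---- LE Secure Connections Passkey Entry (4.2+): 20 one-bit commitments,
# each bound to both ECDH public keys and a fresh 128-bit nonce ----
def sc_commit(pk_u: bytes, pk_v: bytes, nonce: bytes, bit: int) -> bytes:
    """Model of f4(U, V, X, Z) with Z = 0x80 | passkey bit."""
    return h16(b"f4", pk_u, pk_v, nonce, bytes([0x80 | bit]))


def sc_mitm_attempt(passkey: int, guesses: int, pk_a: bytes, pk_b: bytes,
                    pk_m: bytes) -> Tuple[bool, List[int]]:
    """Active attacker M between A and B has substituted its own public key
    pk_m in both directions. Each round M must commit to B before A reveals
    its nonce, so M can only guess the bit (bit i of `guesses`).
    Returns (pairing succeeded, passkey bits M learned before being caught)."""
    learned: List[int] = []
    for i in range(PASSKEY_BITS):
        bit = (passkey >> i) & 1
        guess = (guesses >> i) & 1
        na = os.urandom(16)
        ca = sc_commit(pk_a, pk_m, na, bit)       # A -> M: A commits (A saw pk_m)
        nm = os.urandom(16)
        cm = sc_commit(pk_m, pk_b, nm, guess)     # M -> B: M must commit now
        # A reveals na; M recovers the real bit by trying both values against ca
        learned.append(next(b for b in (0, 1) if sc_commit(pk_a, pk_m, na, b) == ca))
        # M reveals nm; B recomputes with its own passkey bit and aborts on mismatch
        if sc_commit(pk_m, pk_b, nm, bit) != cm:
            return False, learned
    return True, learned


def recover_static_passkey(passkey: int, pk_a: bytes, pk_b: bytes,
                           pk_m: bytes) -> Tuple[int, int]:
    """Against a device that reuses its passkey, M fixes every bit it has seen
    and retries; each failure reveals at least one more bit.
    Returns (attempts needed, recovered passkey)."""
    guesses = 0
    for attempt in range(1, PASSKEY_BITS + 2):
        ok, learned = sc_mitm_attempt(passkey, guesses, pk_a, pk_b, pk_m)
        for i, b in enumerate(learned):
            guesses |= b << i
        if ok:
            return attempt, guesses
    raise RuntimeError("unreachable: at most 20 bits can be wrong")


if __name__ == "__main__":
    pk_a, pk_b, pk_m = os.urandom(32), os.urandom(32), os.urandom(32)
    print("legacy: sniffer derives the STK:", legacy_eavesdropper_gets_stk(483921))
    print("SC, static passkey 123456 recovered as (attempts, value):",
          recover_static_passkey(123456, pk_a, pk_b, pk_m))
```

Run it directly to see both results; the legacy search over 483,921 candidates takes about a second in CPython. A fresh random passkey per pairing gives the man-in-the-middle exactly one attempt with a 1 in 2^20 chance, which is why phones regenerate it and why an accessory with a passkey printed on its label should be paired once, in private, and then taken out of pairing mode.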

Steps to Improve Bluetooth Security

  1. Check Pairing Method: Watch what the phone asks you to do. Two matching numbers to confirm means Numeric Comparison; a number to type means Passkey Entry; a bare "Pair?" prompt with no number means Just Works, which offers no protection against a man-in-the-middle during pairing. You cannot pick the model yourself, but you can choose accessories whose hardware supports the stronger ones.
  2. Verify Displayed Numbers (for NC): Compare every digit on both devices before confirming. A mismatch is the only visible sign of an attacker in the middle, so reject the pairing if the numbers differ rather than retrying until they agree.
  3. Use a Companion App (for OOB): If pairing goes through an app or an NFC tap, install the app from the vendor or the platform store and keep it updated, since the OOB channel is now part of the trust boundary.
  4. Keep Devices Updated: Both the phone and the accessory need firmware that supports Secure Connections (Bluetooth 4.2 or later), and pairing falls back to the weaker legacy method if either side lacks it. Install manufacturer updates on both ends.
  5. Be Aware of Your Surroundings: Pair sensitive devices away from crowds; an attacker has to be within radio range during the pairing itself.
  6. Disable Pairing Mode When Not In Use: A device left discoverable or in pairing mode accepts connection attempts from anyone nearby. On recent Android versions the phone is discoverable only while the Bluetooth settings screen is open, so leave that screen once pairing finishes, and take accessories out of pairing mode as soon as they are paired. Also remove ("forget") pairings for devices you no longer own, because a bonded device can reconnect without any prompt.
  7. Consider Device Security: The link is only as strong as its endpoints. Keep screen locks and biometrics enabled and the devices free of malware, since a compromised endpoint makes the pairing model irrelevant.

Checking Bluetooth Version

Bluetooth 5 improves speed, range and broadcasting but does not by itself change pairing security. The version that matters is 4.2, which introduced LE Secure Connections (Classic Bluetooth gained Secure Simple Pairing with ECDH in 2.1). Both devices must support it, or pairing silently falls back to LE Legacy Pairing.

Neither Android nor iOS lists the Bluetooth version in Settings, so check the specification sheet for the phone or accessory model. On a Linux machine you can read it from the adapter:

  • hciconfig -a reports the adapter's HCI Version (for example 4.2 or 5.0).
  • btmgmt info lists the adapter's supported and current settings; secure-conn appearing under the current settings means Secure Connections is enabled.

Advanced Users – Bluetooth Tools

For more technical users, bluetoothctl on Linux (part of BlueZ) can be used to inspect the adapter and each paired device. The commands are simple, but reading the output usefully requires some understanding of the pairing models above.

bluetoothctl show

This prints the local adapter's state, including whether it is Powered, Discoverable and Pairable. Between pairings you want Discoverable and Pairable both reported as no.

bluetoothctl info XX:XX:XX:XX:XX:XX

This prints the state of one remote device, identified by the address that bluetoothctl devices lists: its Paired, Trusted and Connected flags, and on recent BlueZ versions a Bonded flag. A LegacyPairing: yes line means the device only supports the pre-2.1 PIN pairing mechanism, so it cannot give you an authenticated link.
