When the FBI tells politicians, lawmakers and national security executives how to protect themselves from spies, trolls and adversaries, one of its most common pieces of advice is also the most annoying: Whenever possible, even when you’re at home, don’t use Bluetooth wireless devices to connect to your phone, tablet or computer. Use headsets with a cord instead.
If you’ve transitioned to wireless earbuds, it’s a hard habit to break. But Vice President Kamala Harris, to her credit, is the rare political figure who took her security briefings seriously. And for that, along with a bit of digital incompetence from people who cover her, she’s become the subject of ridicule. The premise is that she’s paranoid. The subtext is that she pays attention to insignificant problems. The unspoken conviction: She just isn’t with it. How neatly this fits into a meta-narrative: Harris in over her head, her office in crisis, her political prospects dwindling, her mien angry, her instincts just bad.
This is all wrong. It is refreshing to see a vice president who takes seriously her obligation to protect sensitive and classified information, in contrast to a former president whose preposterously indolent digital habits were joined by his penchant for disclosing highly classified intelligence to the Russians.
I help journalists and communicators assess the security risk of their communications. For the most part, so long as you keep your work content off your personal devices and aren’t a target of a foreign commercial entity, government or competitor, you can use Bluetooth devices without worrying too much. But if you work at a big company that claims billions of dollars worth of intellectual property, or for the government, or if you’re a journalist poking at bears, you might want to learn more about Bluetooth’s technological architecture before you connect another device to your phone, tablet or computer.
Bluetooth is a proprietary engineering standard designed by a company that allows one device to transmit data across short distances to another without the need for a secondary communications network, such as Wi-Fi. Technology companies such as Intel, Texas Instruments and Qualcomm contract with Bluetooth and use the standard to make unique chipsets, which are then built into your favorite gear. It is ingenious and world-changing and, like innovations tend to be, greatly increases the efficiency of a device’s interaction with another, reducing the costs, both tangible and psychological, for the end user. It is also, like every human-designed standard, fraught with vulnerabilities. That’s one reason why Bluetooth standards evolve quickly: holes are found and patched.
The security of a particular Bluetooth pairing depends upon the software that translates its capabilities into connections. Think of it this way: Your wireless earbuds connect to your phone; your phone’s software and the software used by the earbuds are different, even if they’re made by the same company. That’s two separate software programs. Then, notice how many different things you can control from your phone: speakers, lights, refrigerators, watches, pet food dispensers. Each uses Bluetooth differently; the software was written by different humans for different purposes.
The latest Bluetooth protocol, BLE, for Bluetooth Low Energy, is in most of the latest devices. The low-energy part is great; it means enabling Bluetooth won’t suck a lot of battery power. But the BLE protocol is also pretty powerful: Once you’ve paired two devices, they can remain connected while in a 100-meter radius – roughly three football fields stretching out in every direction. An adversary who breaks into your Bluetooth device – your earbuds – could use them as an intermediary to insert malware onto your “home” device – your phone – without you knowing it. Eavesdropping is not uncommon; you can secure your voice and data between a cell tower and your cellphone, but most Bluetooth devices don’t have their own encryption systems, which means that someone who can tap into your device will see or hear exactly what you’re seeing and hearing.
We know the U.S. government has this ability. And the U.S. government knows its adversaries do, too.
“A person can walk into a [Sensitive Compartmented Information Facility] wearing an Apple Watch and it can be paired to their iPhone in the car,” Bob Gourley, the founder of OODA LLC and a former CIO of the Defense Intelligence Agency, wrote to me. “It is not only government leaders that should evaluate their threat models regarding wireless devices. Any enterprise that uses Bluetooth devices (which can include wireless keyboards or other devices) should evaluate whether those devices can be exploited by adversaries.”
How can you reduce your threat profile? Short of giving up on Bluetooth entirely, you can learn to use it wisely and turn it off when you don’t need it. As for Harris, though, “It’s a smart risk assessment,” Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, told me.
The convenience isn’t worth the risk.
Here’s a suggestion: As Harris is genuinely and appropriately concerned about her own cyber competence and risk, why can’t she be the face of the Biden administration’s comprehensive cyber reboot? It might help reboot her image in more ways than one.