Actually, Kamala Is Right. Bluetooth Is a Risk

A report that Vice President Kamala Harris is so “Bluetooth-phobic” that she avoids using wireless headphones ignited a snark-a-thon on social media on Monday, but digital security experts—and the U.S. government itself—say that the potential risks of the ubiquitous wireless connection is far from funny.

The piece, published in Politico’s West Wing Playbook, dismissively portrays Harris as having a “feeling” that Bluetooth has security issues— "But still, should someone who travels with the nuclear football be spending time untangling her headphone wires? The American people deserve answers!”—but Bluetooth security issues have been well-documented and known for years. In fact, according to those familiar with digital security, it’s actually extremely prudent that Harris may be reluctant to rely on Bluetooth since the technology is notoriously insecure, and cell phones determine a user’s location through a combination of GPS, Bluetooth, and wireless signals.

The U.S. government, via guidance from the National Security Agency’s defensive cybersecurity branch, recommended last year that if users want to avoid the risk of data exposure seeping out to unwanted eavesdroppers, they ought to disable Bluetooth altogether, according to an agency document.

Members of the current slate of State Department nominees, ranging from would-be assistant secretaries to potential ambassadors, have also been warned about Bluetooth’s potential fallibility from a security perspective. In briefings conducted by security engineering officers with the U.S. Foreign Service, nominees are told that an open Bluetooth connection—like one used for wireless earbuds—can be a “cracked window” for potential digital incursion into their devices, allowing physical tracking of the device as well as potential access to its data, according to those who have participated in the briefings.

Even if users turn off cellular service—read that again—Bluetooth can still be used to identify a user’s location, the NSA warned.

It can also be used to track a user's every move, or even understand a pattern of their movements and daily routines to predict future movements. Bad actors could also use equipment known as “sniffers” to calculate users’ location through Bluetooth and Wi-Fi, even if cellular service is turned off, according to the agency.

In 2019, cybersecurity researchers demonstrated an attack on the communications protocol that allowed attackers to weaken the encryption used in Bluetooth and “intercept keystrokes, address books, and other sensitive data,” according to the U.K.’s National Cyber Security Center.

In another particularly alarming case, cybersecurity researchers last year found that exploiting vulnerable Bluetooth protocols allowed an attacker to steal targets’ contacts, call logs, and messages, and could allow them to send fake text messages from targets’ phones. In another case, a researcher at TU Darmstadt, a university in Germany, found that if a hacker is nearby, they could use a software exploit to break in, and take advantage of a protocol that specifically is used to stream music.

For most, it’s less likely they’ll be targeted and might not be practical to disable Bluetooth. But given Harris’ threat model—meaning the likelihood she’s a target for surveillance or hacking—as the Vice President of the United States, or even in her past life as a senator serving on the Senate Intelligence Committee, which regularly receives classified briefings, it absolutely makes sense.

“It’s a fine protocol for almost everyone, even with vulnerabilities because it requires reasonably close access to exploit it along with an actor who has both the capability and intent to do so,” said Sergio Caltagirone, a former NSA threat intelligence analyst. “That means only a few thousand people out of the billions on earth need to worry about this problem. The US Vice President and other USG executives are amongst those people.”

Some government employees, particularly those who work in counterintelligence, have been warned to avoid carrying unprotected personal electronic devices through some international airports, particularly in countries whose foreign ministries are thought to be willing to work with Chinese or Russian intelligence agencies.

One person familiar with the briefings noted that while security for government-provided devices is handled by security officers, security for personal devices is left up to the protectee’s own judgment. Several potential principals have, in turn, started wearing corded headphones and turning off their Bluetooth connections in public spaces.

Harris’ famous run last November where she used headphones with wires—the one where she found out she and Joe Biden had won the election—doesn’t seem so silly now, does it?