Posted 11/2/2025, 6:06:15 PM

Is Your Bluetooth Chip Leaking Secrets via RF Signals?

150 points, 37 comments


Category: tech

Key topics: Bluetooth security, side channel attacks, wireless technology


Research reveals that Bluetooth chips are leaking secrets via RF signals, sparking a discussion on the security concerns and limitations of Bluetooth technology.

Snapshot generated from the HN discussion


Key moments

  1. Story posted: 11/2/2025, 6:06:15 PM (16d ago)
  2. First comment: 11/2/2025, 8:16:15 PM (2h after posting)
  3. Peak activity: 33 comments in Day 1 (hottest window of the conversation)
  4. Latest activity: 11/7/2025, 2:21:26 PM (11d ago)


Discussion (37 comments)
vardump
16d ago
2 replies
A side channel attack revealing an AES key from just 90,000 traces.

Sigh, side channel attacks seem to be everywhere now.

sitzkrieg
16d ago
1 reply
people are finally aware everything leaks, it's just a matter of how closely you look
boulevard
16d ago
2 replies
Everything leaks if you stare at it long enough
formerly_proven
16d ago
1 reply
There's a lot of signal left between you and the noise floor!
namibj
16d ago
Worse: noise floor is a matter of definition.
czbond
16d ago
Everything has data exhaust.... the exhaust type just differs.
barbegal
16d ago
2 replies
Those 90,000 traces did take 225 hours to capture, so it is truly a huge amount of data and not a trivial attack.
karlgkk
16d ago
1 reply
On the other hand, I’d argue that it’s close enough to trivial to be considered trivial. How many embedded devices transmit sensitive information?

Now, I know that pretty much every Bluetooth based credit card reading device explicitly defends against a channel such as this, but there are tons of access control solutions and medical devices that don't.

Would you notice a Raspberry Pi tucked into the mess of wires beneath the security guard's desk?

throwaway89201
16d ago
> How many embedded devices transmit sensitive information?

Every Zigbee device uses AES keys to secure the network, although the security of the protocol is pretty weak in most deployments, especially when new devices join the network. Leaking the network key would provide access to the entire network. The ARM Cortex-M4 is often used, which the side-channel attack in the article is about.

kragen
16d ago
1 reply
That's less than two weeks.
userbinator
16d ago
1 reply
For one key, assuming it does not change within that time.
ghostpepper
14d ago
and assuming the protocol needs to continuously transmit for weeks at a time
3abiton
16d ago
1 reply
I read the abstract; while not familiar with the topic, how would we go about limiting the impact?
Retr0id
16d ago
Rotating keys frequently would probably help. But the best thing to do is use implementations that are less leaky in the first place (which is easier said than done).
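Added example, not part of the thread: a fixed-vs-random leakage assessment (Welch's t-test, the TVLA methodology's pass/fail criterion) run on synthetic traces. It is the check a defender runs to decide whether an implementation is "leaky in the first place", and it also illustrates the trace-count point made upthread: the statistic grows with the square root of the number of traces, so a subtle leak needs many more traces to show up. Everything here is constructed: the substitution box is a toy function (not the AES S-box), the leakage model is a single Hamming-weight sample per trace plus Gaussian noise, and the key, plaintexts and noise level are made-up values.

```python
"""Synthetic first-order leakage assessment (fixed-vs-random Welch t-test).
Constructed demo: toy S-box, toy leakage model, made-up key and traces."""
import math
import random

TVLA_THRESHOLD = 4.5  # conventional |t| bound for "leak detected" in TVLA


def hw(x):
    """Hamming weight of a byte (number of set bits)."""
    return bin(x & 0xFF).count("1")


def toy_sbox(x):
    """Toy nonlinear byte substitution. NOT the AES S-box; constructed here."""
    return ((x * 0x9D) ^ (x >> 3) ^ 0x63) & 0xFF


def leak_unmasked(pt, key, rng, sigma):
    """Unprotected implementation: the sample's mean depends directly on the
    secret-dependent intermediate S(pt ^ key). Constructed leakage model."""
    return hw(toy_sbox(pt ^ key)) + rng.gauss(0, sigma)


def leak_masked(pt, key, rng, sigma):
    """Boolean-masked implementation: the intermediate v is only ever handled
    as the pair (v ^ m, m) with a fresh random mask m per execution. The sum
    of both shares' Hamming weights is modelled as one sample."""
    m = rng.randrange(256)
    v = toy_sbox(pt ^ key)
    return hw(v ^ m) + hw(m) + rng.gauss(0, sigma)


def welch_t(a, b):
    """Welch's two-sample t-statistic (unequal variances, unequal sizes)."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)


def pick_fixed_plaintext(key):
    """Choose a fixed plaintext whose intermediate has an extreme Hamming
    weight. A fixed class that lands on the average weight (4) would make
    the unmasked leak invisible to a first-order mean test."""
    return max(range(256), key=lambda p: abs(hw(toy_sbox(p ^ key)) - 4))


def tvla(leak_fn, key, n_traces, sigma=2.0, seed=1):
    """Collect n_traces with a fixed plaintext and n_traces with random
    plaintexts from the given leakage model, and return the t-statistic."""
    rng = random.Random(seed)  # seeded so the demo is reproducible
    fixed_pt = pick_fixed_plaintext(key)
    fixed = [leak_fn(fixed_pt, key, rng, sigma) for _ in range(n_traces)]
    rand = [leak_fn(rng.randrange(256), key, rng, sigma)
            for _ in range(n_traces)]
    return welch_t(fixed, rand)


def leaks(leak_fn, key, n_traces, sigma=2.0, seed=1):
    """True if the fixed-vs-random test flags first-order leakage."""
    return abs(tvla(leak_fn, key, n_traces, sigma, seed)) > TVLA_THRESHOLD


if __name__ == "__main__":
    KEY = 0x2B  # constructed secret byte
    print("traces  |t| unmasked  |t| masked")
    for n in (50, 500, 5000):
        print(f"{n:6d}  {abs(tvla(leak_unmasked, KEY, n)):12.1f}"
              f"  {abs(tvla(leak_masked, KEY, n)):10.1f}")
```

The unmasked model is flagged with a few hundred traces and the statistic keeps growing as traces are added; the masked model stays below the threshold at every size because its first-order mean is independent of the secret (a second-order test on variances would still distinguish it, which is why masking order and noise level set the trace budget an attacker needs).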
ryukoposting
16d ago
3 replies
As someone who finally recently escaped Bluetooth firmware development: yes, Bluetooth is leaking secrets and it doesn't even require any silly RF shenanigans. Almost nothing actually implements LESC. Apple refuses to implement OOB pairing, so no peripherals can force you to use it, so everything is subject to MITM attacks. The entire ecosystem is a mess of consultants and underpaid devs copy-pasting Nordic sample code, with no time or financial incentive to do more than the bare minimum. Never trust any product that moves sensitive data through Bluetooth.
matthewdgreen
16d ago
3 replies
Apple claims to have implemented an entire second security level for their Bluetooth apps based on iMessage, but I trust it not at all.

(To be clear, I trust the iMessage protocol with reasonable confidence. I judge the probability that Apple has applied this extra layer of security uniformly to all sensitive data to be about 8%.)

ggm
16d ago
1 reply
8.75% surely? You need at least two digits of specious precision on that non-random number.
cozzyd
15d ago
More likely 8.333% I would think (1/12). The same probability of a broken clock yielding the correct hour.
hulitu
16d ago
> Apple claims to have implemented an entire second security level for their Bluetooth apps based on iMessage,

iMessage... the golden standard for 1click RCE. /s

cozzyd
16d ago
Text written with a non-apple Bluetooth keyboard is green?
SXX
16d ago
2 replies
Just curious: if it's that insecure, how does the Magic Keyboard with Touch ID work? Does it use some Apple proprietary "magic"?
makeitdouble
16d ago
> "magic"

They're on a proprietary extension of Bluetooth, standard compatible but closed to their devices. They usually don't talk much about it; Phil Schiller was the most explicit, I think (it was about the AirPods' W1, but it's the same deal).

https://www.theverge.com/2016/9/7/12829190/apple-w1-chip-iph...

> Apple’s Phil Schiller described Apple’s move to a new wireless chip as “fixing the challenges” of wireless audio

ryukoposting
16d ago
The short answer is yes, it's proprietary shenanigans. Apple likes security for Apple peripherals connected to Apple iPhones, and they consciously undermine security of anything else.
9029
16d ago
1 reply
Do you have an opinion on the keyboard firmware ZMK? They seem to use LESC but MITM during pairing is still a concern: https://zmk.dev/docs/features/bluetooth
ryukoposting
16d ago
3 replies
It's a keyboard, I wouldn't fret about it. The idea that someone is going to steal your keystrokes to get your passwords is pretty moustache-twirly.

I'm more concerned about card readers, medical devices, etc.

imglorp
15d ago
1 reply
Isn't this kind of thing a trinket at Defcon these days, like the Pineapple thing, or even a Flipper plugin? I.e. not super hard to get and not so much moustache.
ryukoposting
15d ago
The problem isn't the technology, it's all the surrounding logistics and incentives. Why hack a thing that few people use, and that you must collect data from for several minutes/hours/days, when you could hack something equally insecure that more people use, and provides more valuable data in less time?
wongarsu
16d ago
I think we can safely assume that a device that does that for entire offices at once is in the NSA's current ANT catalog. And other state actors are probably not far behind.

The only thing making these kinds of attacks unattractive is that most companies are too stingy to buy anything better than a cheap wired Logitech keyboard.

amitprayal
14d ago
moustache-twirly implying highly improbable?
voidUpdate
16d ago
3 replies
I really think we need a modern replacement for Bluetooth, something that doesn't have weird behaviour with headphones, is more secure, doesn't have weird connection issues all the time, and is as ubiquitous as Bluetooth is now. I know it will never happen, but I can only hope.
zwirbl
16d ago
1 reply
I guess that's where Bluetooth LE and LE Audio should come in, but it's coming along very slowly, or not at all in Apple's case. Or maybe it is; they don't talk about it.
abdullahkhalids
15d ago
1 reply
If I am reading this [1] correctly, regular Bluetooth >5.0 offers transfer speeds of 50Mbits/sec, while Bluetooth LE offers 2Mbits/sec. Does Bluetooth LE even solve fundamental problems like high quality bidirectional audio?

[1] https://en.wikipedia.org/wiki/Bluetooth#Specifications_and_f...

zwirbl
15d ago
I never knew about the 50Mbaud figure; is anything above 10M even achievable in a real world scenario?

It does solve this by having a different topology. It supports a configurable number of streams in each direction, so at least in theory 5.2 surround with a stereo microphone should be possible; we'll see if it's usable.

It also supports what is often called 'true wireless' earbuds by default, as each audio sink can stream only the channel it's interested in.

Finally there's all that broadcasting stuff, which works fine in our tests most of the time, but also with a myriad of issues, some of them in the spec, others in the Android implementation, which is currently the de facto target to support.

Neywiny
11d ago
Well what's interesting to me is that Logitech has their wireless dongle and wireless gaming headphones (which need lower latency) have theirs. These have existed for how many decades? Surely there's a way to just standardize this. And it shouldn't need to be long range. Just a few meters to the tv or something.
imglorp
15d ago
Yes please, immediately.

It's been so terribly bad since it came out. You know it's bad when there's even an xkcd about it: this one is from 5 years ago, joking about 10 years before that. https://xkcd.com/2055/

Verdex
16d ago
Time for everyone to implement some variation of https://www.bluetooth.com/specifications/specs/authorization... ?
pcdoodle
15d ago
It still leaks when you turn Bluetooth off in "control center". Last time I checked you're broadcasting an unchanging UUID that only changes every 12 hours or so. It's gross.
ID: 45792166 | Type: story | Last synced: 11/19/2025, 12:54:09 PM
