Explore Bluetooth 6.0 in 2025: Channel Sounding, Precision Tracking, advanced security and best practices.
Bluetooth 6.0 in 2025: Features, Security & Technical Fundamentals
Introduction: Why this guide now?
SafeITExperts presents its new Bluetooth 2025 Guide Series, your roadmap to master everything from fundamentals to advanced use cases! Bluetooth is evolving with version 6.0 (Channel Sounding, Precision Tracking) and faces critical vulnerabilities like the 2025 Airoha CVEs. Understanding these changes is now essential.
In the first article, dive into Bluetooth 6.0: history, principles, 2025 innovations, and top security practices. Stay tuned for upcoming installments:
- Article 2 – Windows diagnostics and troubleshooting
- Article 3 – macOS & Linux configuration and fixes
- Article 4 – Buying guide for adapters, headsets, and speakers
- Article 5 – Pro use cases: gaming, IoT, multiroom, and more
Don’t miss out: each article gives you the keys to optimize, secure, and fully leverage Bluetooth in 2025.
Bluetooth History: From 1.0 to 6.0, a Remarkable Evolution
Bluetooth takes its name from Harald I of Denmark, nicknamed "Bluetooth" (blue tooth), a 10th-century Viking king who unified Denmark and Norway. This symbolic choice reflects the technology's ambition: to unify electronic devices in a universal communication standard.
Summary Table: 25 Years of Bluetooth Evolution
| Version | Year | Max Speed | Range | Major Innovation |
|---|---|---|---|---|
| 1.0 | 1999 | 721 kbit/s | ~10m | First standard (interoperability issues) |
| 1.1 | 2002 | 721 kbit/s | ~10m | Major defect corrections, usable standard |
| 1.2 | 2003 | 1 Mbit/s | ~10m | AFH (Adaptive Frequency Hopping) - Wi-Fi coexistence |
| 2.0 + EDR | 2004 | 3 Mbit/s | ~10m | Enhanced Data Rate - quality audio streaming |
| 2.1 | 2007 | 3 Mbit/s | ~10m | Secure Simple Pairing (SSP) - simplified pairing |
| 3.0 + HS | 2009 | 24 Mbit/s* | ~10m | High Speed via Wi-Fi (limited success) |
| 4.0 | 2010 | 1 Mbit/s (BLE) | ~50m | BLE Revolution - ultra-low consumption for IoT |
| 4.1 | 2013 | 1 Mbit/s (BLE) | ~50m | Improved LTE coexistence, flexible central/peripheral role |
| 4.2 | 2014 | 1 Mbit/s (BLE) | ~50m | IPv6, 10x larger BLE packets (251 bytes) |
| 5.0 | 2016 | 2 Mbit/s (BLE) | ~240m | 4x range, 2x speed, 8x broadcast |
| 5.1 | 2019 | 2 Mbit/s | ~240m | Direction Finding - centimeter-level positioning |
| 5.2 | 2020 | 2 Mbit/s | ~240m | LE Audio (LC3 codec), Multi-Stream Audio |
| 5.3 | 2021 | 2 Mbit/s | ~240m | Improved energy efficiency, more reliable connections |
| 5.4 | 2023 | 2 Mbit/s | ~240m | Encrypted Advertising Data, LE Audio optimization |
| 6.0 | 2024 | 2 Mbit/s | ~240m | Channel Sounding - secure distance measurement |
*Via Wi-Fi for High Speed, standard Bluetooth for pairing
Key Evolutionary Milestones
| Period | Theme | Key Versions | Major Advances | Impact |
|---|---|---|---|---|
| 1999-2004 | The foundations | 1.0 → 2.0 + EDR | • Speed: 721 kbit/s → 3 Mbit/s • AFH (Wi-Fi coexistence) • Interoperability correction | Technical foundations established. Viable audio streaming for wireless headsets. |
| 2010 | BLE Revolution | 4.0 | • Bluetooth Low Energy • Consumption ÷100 • Multi-year battery autonomy | IoT explosion, beacons, wearables. Two protocols coexist: Classic (throughput) and BLE (efficiency). |
| 2016-2020 | Era of maturity | 5.0 → 5.2 | • 4x range (240m) • 2x speed (2 Mbit/s) • Direction Finding (cm precision) • LE Audio + LC3 codec | Massive IoT/home automation applications. Precise indoor navigation. Multi-user shared audio. |
| 2023-2025 | Security & precision | 5.4 → 6.0 | • Encrypted Advertising Data • Channel Sounding • Secure distance measurement | Distance-bounded authentication that defeats signal-amplifying relays. Protection of digital keys and connected locks. |
Operating Principles: Understanding the Technology
Bluetooth Frequencies and Transmission
Bluetooth uses the ISM 2.4 GHz frequency band (2.4 to 2.4835 GHz), free to use without license. This band is shared between:
- 79 channels for Bluetooth Classic
- 40 channels for Bluetooth Low Energy (BLE)
Anti-interference: FHSS Technique
To limit interference with Wi-Fi and other 2.4 GHz devices, Bluetooth uses Frequency Hopping Spread Spectrum (FHSS):
🔄 Bluetooth Classic hops between its 79 channels ⚡ 1600 times per second, following a pseudo-random sequence derived from the Central's address and clock; BLE hops once per connection event, using a channel map agreed at connection time.
→ Advantage: interference resistance. Hopping is NOT a security mechanism: the address and clock that define the sequence are transmitted in the clear, so a sniffer that captures them can follow the hops. Confidentiality comes from the link-layer encryption negotiated during pairing, not from the hopping pattern.
Topology: The Piconet Concept
A piconet is a Bluetooth network composed of one Central (historically "master") and up to 7 simultaneously active Peripherals (historically "slaves"). The Central sets the clock and the frequency hopping sequence. Older versions additionally allowed up to 255 devices to be "parked" in a low-power state within the piconet (park mode was removed in Bluetooth 5.0). The number of bonded devices is limited only by the host's key storage, but still only 7 can be active at once.
Several piconets can overlap to form a scatternet, where a device is Central in one piconet and Peripheral in another. This enables complex network topologies, though it is rarely implemented in practice because of its complexity.
Bluetooth Profiles: Interoperability Standards
Profiles define how devices use the Bluetooth connection for specific applications. Each profile specifies the necessary protocols, commands, and behaviors.
| Profile | Full Name | Type | Function | Typical Applications |
|---|---|---|---|---|
| A2DP | Advanced Audio Distribution Profile | Classic | High-quality stereo audio streaming | Headsets, speakers, wireless audio systems |
| AVRCP | Audio/Video Remote Control Profile | Classic | Media control | Play, pause, volume, track navigation |
| HSP/HFP | Headset/Hands-Free Profile | Classic | Bidirectional voice communication | Phone calls, car hands-free kits |
| HID | Human Interface Device | Classic/BLE | Input peripherals | Keyboards, mice, game controllers, remotes |
| GATT | Generic Attribute Profile | BLE | Services/characteristics architecture | Connected objects, IoT sensors, wearables |
| SPP | Serial Port Profile | Classic | RS-232 serial port emulation | Data transfer, Arduino communication, industrial tools |
| OPP | Object Push Profile | Classic | Object (file) transfer | Contact exchange, images, documents |
| PAN | Personal Area Network Profile | Classic | IP network via Bluetooth | Internet connection sharing, tethering |
| DUN | Dial-Up Networking Profile | Classic | Dial-up network connection | Internet access via Bluetooth modem (legacy) |
Pairing and Connection Process
Establishing a Bluetooth connection follows a 4-step process:
┌─────────────────────────────────────────────────────────────────────┐
│ BLUETOOTH PAIRING PROCESS                                           │
└─────────────────────────────────────────────────────────────────────┘
DEVICE A (Smartphone)                                 DEVICE B (Headset)
    │                                                        │
    │ ① DISCOVERY                                            │
    │ ─────────────────────────────────────────────────────> │
    │   BLE advertising / Classic inquiry: name, services,   │
    │   capabilities, all sent in the clear                  │
    │                                                        │
    │ ② PAIRING - authentication and key agreement           │
    │ <─────────────────────────────────────────────────────>│
    │   Method chosen from both devices' I/O capabilities:   │
    │   • Numeric Comparison: both show a 6-digit number     │
    │     [347821] = [347821] ✓                              │
    │     → MITM protection; both sides need a display       │
    │       and a yes/no input                               │
    │   • Passkey Entry: one side shows a random 6-digit     │
    │     passkey, the other types it                        │
    │     → MITM protection; one display is enough           │
    │   • Just Works: no user interaction                    │
    │     → encrypted but NOT authenticated: no MITM         │
    │       protection; basic IoT only                       │
    │   • Out of Band (OOB): key material via NFC/QR         │
    │     [📱]──NFC──[🎧]                                    │
    │     → as strong as the OOB channel itself              │
    │                                                        │
    │   Keys derived by ECDH (P-256 with Secure Connections):│
    │   LTK (Long Term Key) on LE, Link Key on Classic       │
    │                                                        │
    │ ③ BONDING (memorization)                               │
    │ ──────────────────────────────────────────────────────│
    │   Both sides store the key; later reconnections        │
    │   need no user interaction                             │
    │                                                        │
    │ ④ CONNECTION (encrypted link)                          │
    │ <═════════════════════════════════════════════════════>│
    │   AES-CCM on LE and on Classic with Secure Connections;│
    │   legacy Classic links still use the E0 stream cipher  │
    │   Ready for audio/data streaming                       │
    │                                                        │
◉◉◉ ACTIVE CONNECTION - Classic hops 1600 times/second, BLE once per connection event ◉◉◉
Technical Notes:
| Step | Typical Duration | Consumption | Security | Objective |
|---|---|---|---|---|
| Discovery | 1-10 seconds | Low | None (public broadcast) | Make device visible |
| Pairing | 2-5 seconds | Medium | Variable by method | Mutual authentication |
| Bonding | < 1 second | Very low | Depends on the host's key store (OS keychain, secure element) | Memorize relationship |
| Connection | < 1 second | Variable | High: AES-CCM on LE and on Classic with Secure Connections (E0 on legacy Classic links) | Secure communication |
- Numeric Comparison → ✅ Recommended when both devices have a display and a yes/no input (smartphones, tablets, laptops)
- Passkey Entry → ✅ Good when only one side has a display; the 6-digit passkey is generated per pairing. Fixed PINs such as 0000 or 1234 belong to legacy PIN pairing, which should be avoided entirely
- Just Works → ⚠️ Only for devices that carry nothing sensitive (sensors, beacons): the link is encrypted, but a nearby attacker can pair with the device or interpose during pairing
- OOB (NFC) → ✅✅ Strong when the OOB channel is itself hard to intercept (payment, physical access)
- Always compare the full 6-digit number in Numeric Comparison: a mismatch means a third device sits between the two
- Avoid pairing in public places (MitM risk exists only at pairing time, so that is when an attacker must be present)
- Regularly delete obsolete pairings (stored keys are what BIAS-style impersonation targets)
- Prefer LE Secure Connections (Bluetooth 4.2+) and BR/EDR Secure Connections (4.1+), and refuse legacy pairing where the stack allows it
Bluetooth 6.0 Features: Revolutionary 2025 Innovations
Announced in September 2024 and progressively deployed in 2025, Bluetooth 6.0 brings major improvements that redefine the technology's capabilities.
Channel Sounding: Precision Positioning
The flagship feature of Bluetooth 6.0 is Channel Sounding, a technique for secure distance measurement between two devices. Unlike estimates based on received signal strength (RSSI), which any amplifier can fake, Channel Sounding combines two radio measurements: Phase-Based Ranging (PBR), which compares the phase of tones exchanged across many channels, and Round-Trip Timing (RTT), which measures how long a packet takes to travel between the devices. RTT is the part that matters for security, because a relay can amplify a signal but cannot make it arrive sooner than light allows. (Angle of Arrival belongs to the separate Direction Finding feature introduced in Bluetooth 5.1.) Accuracy is well below a meter under good conditions, down to the decimeter range, against several meters for RSSI.
Practical Applications of Channel Sounding
The problem before Bluetooth 6.0:
You at restaurant 🍽️                          Thief near your car 🚙
    │                                                 │
    │ 📱 Bluetooth signal                             │
    │ ────────> [Relay / amplifier] ──────────>       │
    └───────────────────────────────────────────────→ 🔓 Car unlocked!
With Channel Sounding:
You at restaurant 🍽️                          Theft attempt 🚙
    │                                                 │
    │ 📱 Signal + round-trip timing                   │
    │ ────────> [Relay] ─X─ REJECTED                  │
    │           extra propagation delay detected      │
    └───────────────────────────────────────────────→ 🔒 ACCESS DENIED
✅ The car measures the round-trip time with nanosecond resolution (light covers about 30 cm per nanosecond)
✅ Calculated distance: 50 m measured vs < 2 m expected → attack blocked
Impact: automotive digital keys are the first target market. Check what a given car actually uses, as many 2025 vehicles still rely on UWB ranging or plain BLE rather than Bluetooth Channel Sounding.
Scenario: University Hospital
| Before (RFID/Bluetooth 5) | With Channel Sounding |
|---|---|
| 🔍 "The defibrillator is... somewhere on 3rd floor" | 🎯 "Defibrillator: Room 302, left cabinet, shelf 2" |
| Accuracy: ±3-5 meters | Accuracy: ±8 centimeters |
| Search time: 5-15 min | Search time: 30 seconds |
| Active RFID cost: 15-30€/tag | BLE 6.0 cost: 3-5€/tag |
Real applications:
- 🏭 Industry: Power tools in 10,000 m² workshops
- 🏥 Healthcare: Mobile medical equipment, wheelchairs, carts
- 📚 Logistics: Pallets and packages in e-commerce warehouses
- 🎬 Events: Audiovisual equipment (cameras, microphones, lighting)
Use case: International Airport
You are here (GPS accuracy) 📍
│
┌──────────┴──────────┐
│ TERMINAL 2 │
│ [~15m error] │ ❌ "Somewhere in the hall"
└─────────────────────┘
VS
You are here (Channel Sounding) 📍
│
┌──────────┴──────────┐
│ Gate 23, Row C │
│ 8m from Starbucks │ ✅ Exact guidance to your gate
└─────────────────────┘
Transformed user experiences:
- 🏬 Shopping mall: "Running shoes section, aisle 3, facing you"
- 🅿️ Underground parking: "Spot B-247, 3rd column to the right"
- 🏛️ Museum: "'Mona Lisa' painting → 12m ahead, turn right"
- 🏢 Corporate campus: "Office C-302, left hallway, 2nd door"
Scenario: Connected Apartment
LIVING ROOM               KITCHEN                   BEDROOM
┌───────────┐             ┌───────────┐             ┌───────────┐
│ 💡 100%   │───You───────│ 💡 OFF    │─────────────│ 💡 OFF    │
│ 🌡️ 21°C   │   here!     │ 🌡️ ---    │             │ 🌡️ ---    │
│ 🎵 ON     │    📱       │ 🎵 OFF    │             │ 🎵 OFF    │
└───────────┘             └───────────┘             └───────────┘
Possible contextual automations:
- 🎯 Zone detection < 50cm: You approach fridge → Interior LED lighting activated
- 🎯 Room detection: Enter living room → Lights ON, music resumes
- 🎯 Home presence/absence detection: Last BLE 6.0 device leaves perimeter → General economy mode
Channel Sounding Gains Summary
| Criterion | Bluetooth 5.x | Bluetooth 6.0 (Channel Sounding) | Gain |
|---|---|---|---|
| Positioning accuracy | ±2-5 meters | ±0.1 meter (10 cm) | ×20-50 |
| Anti-relay security | ⚠️ Vulnerable (RSSI can be amplified) | ✅ Mitigated (a relay cannot shorten the round-trip time) | Qualitative change |
| Use cases | General proximity detection | Precise positioning + authentication | New markets |
| Consumption | Medium | Similar/Optimized | = |
Decision-Based Advertising Filtering
Decision-based advertising filtering reduces the energy cost of scanning. Instead of waking the host processor for every advertising packet it receives, the scanning controller evaluates host-configured tests against a compact "decision data" field that Bluetooth 6.0 advertisers can include in their advertising, and only reports the advertisers that pass. Because the filter runs inside the controller, it works at radio speed without host involvement.
Concrete result: Up to 50% reduction in energy consumption for IoT devices in permanent scan mode, resulting in several additional months of battery autonomy.
Monitoring Advertisers: Optimized Connection Management
Imagine a hospital with 500 temperature sensors distributed across 10 floors. Before Bluetooth 6.0, a host that wanted to know which sensors were still in range had to process every advertising report itself. Monitoring Advertisers moves that bookkeeping into the controller: the host registers the advertisers it cares about and is notified only when one of them appears or disappears, instead of on every packet.
| Sector | Use Case | Before BT 6.0 | With Monitoring Advertisers | Gain |
|---|---|---|---|---|
| 🏥 Healthcare | 200 patients with connected bracelets | Sequential scan 30s/patient → 1h30 full cycle | Simultaneous real-time monitoring | ×90 reactivity |
| 🏭 Industry | 1000 machine vibration sensors | Concentrator per zone (expensive) | 1 central gateway sufficient | -75% cost |
| 🌍 Environment | Urban weather network 300 stations | Collection 4x/day (battery) | Optimized continuous collection | ×6 frequency |
| 🏢 Building | 500 connected smoke/CO detectors | Monthly manual verification | Automatic 24/7 monitoring | Safety ×100 |
LE Audio Improvements: Wireless Audio Finally Mature
Bluetooth 6.0 does not change the LE Audio codec or profiles (both introduced with 5.2). Its contribution is the ISOAL enhancement, which lets isochronous audio data be framed with less buffering delay, together with the Frame Space Update described below. The comparison therefore shows LE Audio maturing across releases rather than a new audio stack.
LE Audio Comparative Evolution
| Criterion | BT Classic (A2DP/SBC) | BT 5.2 (LE Audio LC3) | BT 6.0 (LE Audio + ISOAL enhancement) |
|---|---|---|---|
| Latency | 150-200ms | 80-150ms | 20-80ms ⚡ (less framing delay) |
| Quality at 160 kbps | Average (compression) | Good (efficient LC3) | Good (LC3, codec unchanged) |
| Multi-device sync | Native impossible | Coordinated sets (earbud pairs) and Auracast broadcast to any number of receivers | Same, with lower latency |
| Gaming | ❌ Too much lag | ⚠️ Acceptable | ✅ Low-latency configurations easier to reach |
| Consumption | 50 mW | 25 mW | 15 mW (-70% vs Classic) |
| Earbud autonomy | 5h typical | 8h | 12h+ |
Reduced Latency: Gaming Becomes Viable
The historical problem:
🎮 Action in game                                  🎧 Sound in earbuds
(t = 0ms)                                          (t = 150ms)
[BOOM! 💥] ──────────────────────────────────────> [BOOM! 🔊]
                       150ms delay
❌ Result: Frustrating desynchronization

With Bluetooth 6.0:
🎮 Action in game                 🎧 Sound in earbuds
(t = 0ms)                         (t = 25ms)
[BOOM! 💥] ─────────────────────> [BOOM! 🔊]
            25ms only
✅ Result: Imperceptible synchronization

Practical applications:
- 🎮 Competitive gaming: FPS, rhythm games (Beat Saber, Guitar Hero)
- 🎬 Video editing: Real-time preview without lag
- 🎤 Live streaming: Podcasts, Twitch/YouTube lives without latency
- 🎸 Digital instruments: Synths, pads, wireless audio interfaces
Enhanced Multi-stream: Share Audio Without Limits
Auracast™: Revolutionary Audio Broadcast
| Scenario | Before (Classic / pre-LE Audio) | With Auracast (LE Audio, BT 5.2+) |
|---|---|---|
| 🏋️ Group fitness class | 1 shared jack cable (unsanitary) or speakers (neighbors) | Each participant with their earbuds, perfect audio sync |
| ✈️ In-flight cinema | Provided wired headphones (poor quality) | Your personal AirPods/Sony, HD audio sync with screen |
| 🏛️ Museum guided tour | Radio receivers to rent (10€, weak batteries) | Your smartphone + earbuds, free, always charged |
| 📺 Family TV evening | Low volume (kids sleeping) or headset 1 person | Whole family with earbuds, personalized volume |
| 🎤 Multilingual conference | Translation boxes (rental 50€/day) | Smartphone app + earbuds, unlimited language channels |
Frame Space Update: Invisible But Powerful Optimization
Bluetooth transmits data in packets separated by a fixed inter-frame space (T_IFS, 150 µs). Frame Space Update lets the two ends of a connection negotiate that spacing: a shorter gap raises effective throughput, a longer one gives a constrained radio more time to turn around and save power.
| Device | Mode | Speed Before | BT 6.0 Speed | Gain |
|---|---|---|---|---|
| 📱 Smartphone (file transfer) | Max performance | 1.8 Mbit/s | Closer to the 2 Mbit/s ceiling of the LE 2M PHY | Higher effective throughput (the PHY rate itself is unchanged) |
| ⌚ Smartwatch (data sync) | Energy saving | 500 kbit/s, 10 mW | 500 kbit/s, 6 mW | -40% consumption |
| 🎧 Earbuds (audio streaming) | Balance | 250 kbit/s, 15 mW | 250 kbit/s, 10 mW | +50% autonomy |
Bluetooth Security in 2025: Threats and Protections
Bluetooth security has never been more critical. With billions of connected devices and increasingly sophisticated attacks, understanding threats is vital.
Critical Airoha Vulnerabilities (CVE-2025-20700, CVE-2025-20702)
Context: In 2025, researchers at ERNW disclosed a set of flaws in Bluetooth audio chipsets from Airoha Technology, a Taiwanese manufacturer whose chips equip millions of earbuds, headphones and speakers sold under many brands. The vulnerable component is a proprietary service protocol that the chips expose over BLE (GATT) and over Bluetooth Classic (RFCOMM) without requiring pairing or authentication.
Threat Magnitude
| Indicator | Figure | Impact |
|---|---|---|
| Affected devices | ~150 million estimated | 🔴 Massive |
| CVSS Score | 9.8/10 (Critical) | 🔴 Maximum |
| Exploitation | Attacker within Bluetooth radio range, no user interaction | 🔴 Trivial once in range |
| Patch available | Airoha shipped a fixed SDK to manufacturers; each brand must integrate it into its own firmware | 🟢 But slow, uneven deployment |
| Active exploitations | None reported at disclosure; the researchers rate the attack as requiring skill and physical proximity | 🟠 Targeted, opportunistic risk |
Nature of Flaw: Unauthenticated Memory Read/Write (equivalent to RCE)
┌────────────────────────────────────────────────────────────┐
│ AIROHA CVE ATTACK CHAIN                                    │
├────────────────────────────────────────────────────────────┤
│ 1️⃣ RECONNAISSANCE (seconds)                                │
│    Attacker scans the Bluetooth environment and            │
│    identifies a device built on an Airoha chipset          │
│    └─> 🎧 "Sony WF-XB700" detected (Airoha AB1562)         │
│                                                            │
│ 2️⃣ EXPLOITATION (seconds, no pairing needed)               │
│    Attacker connects to Airoha's proprietary service       │
│    protocol, exposed over BLE GATT and Classic RFCOMM      │
│    without authentication                                  │
│    └─> 💉 Arbitrary RAM and flash read/write               │
│                                                            │
│ 3️⃣ CONTROL (instant)                                       │
│    Reading memory yields the link keys stored for the      │
│    paired phone; writing it is equivalent to code          │
│    execution on the earbuds                                │
│    └─> 🎛️ Attacker fully controls the device               │
│                                                            │
│ 4️⃣ MALICIOUS ACTIONS (persistent)                          │
│    ├─> 🎤 Hijack the HFP link to the phone and listen      │
│    │      through the earbuds' microphone                  │
│    ├─> 🔊 Read what is playing and the phone's number      │
│    ├─> 📱 Impersonate the earbuds to the paired phone      │
│    │      with the extracted link key (pivot)              │
│    └─> 🦠 Rewrite firmware in flash (persistent backdoor)  │
└────────────────────────────────────────────────────────────┘
Affected Devices (non-exhaustive list)
| Brand | Affected Models | Patch Status |
|---|---|---|
| Anker Soundcore | Liberty Air 2, Life P2, Life P3 | ✅ Patched (v2.8+) |
| 1MORE | ComfoBuds Pro, PistonBuds Pro | ⚠️ Patch announced May 2025 |
| Mpow | M30, X3, Flame Pro | ❌ Support ended, not patched |
| Aukey | EP-T21, EP-T27 | ⚠️ Patch in beta |
| Tronsmart | Onyx Ace, Apollo Bold | ✅ Patched (v1.9+) |
| QCY | T5, T8, T13 | ✅ Patched (v3.2+) |
Exposure depends on the chipset, not on the brand: makers that design their own Bluetooth silicon (Apple, Samsung) are not affected, but premium brands also ship Airoha-based models (the Sony model in the attack chain above is one). Check each product by model against the manufacturer's advisory rather than assuming a brand is safe.
Immediate Actions to Take
- Identify your Bluetooth devices: List earbuds, speakers, headsets (brand + model)
- Check if affected: Consult manufacturer website
- Install firmware updates: Via dedicated app (Soundcore, QCY+, etc.)
- If patch unavailable, compensatory measures:
- Disable Bluetooth when unused
- Don't use in public places
- Keep the device non-discoverable (turn off "visible to all")
- Consider replacement if sensitive
- Monitor abnormal behaviors:
- Unsolicited connections
- Excessive battery consumption
- LED blinking without reason
- Sound/mic activated spontaneously → DISCONNECT IMMEDIATELY
Relay Attacks: The Invisible Threat of Contactless Keys
Anatomy of a Relay Attack on Car Key
Relay attacks exploit a fundamental weakness: blind trust in authentication without distance verification.
┌────────────────────────────────────────────────────────────┐
│ RELAY ATTACK - DOCUMENTED BMW X5 CASE                      │
├────────────────────────────────────────────────────────────┤
│ 📍 LOCATION: Restaurant, 16th arrondissement, 9:30 PM      │
│                                                            │
│ 👤 Victim (Marc)                    🚙 BMW X5 (parking)    │
│    [📱] BT key in pocket                 │                 │
│        │                                 │                 │
│ 🕵️ Attacker A (next table)     🕵️ Attacker B (near car)   │
│    [📡 Relay RX] ──────────────> [📡 Relay TX]             │
│                 amplified signal                           │
│    Real distance: 50 m; the car "thinks" the key is at 2 m │
│                                                            │
│ ⏱️ TIMELINE                                                │
│ 21:32 → car scans for its key                              │
│ 21:33 → Marc's key detected via the relay                  │
│ 21:33 → car unlocked ✓                                     │
│ 21:34 → engine started ✓                                   │
│ 21:35 → car gone (value €65,000)                           │
│                                                            │
│ 💰 ATTACK COST: €300 of equipment (AliExpress/eBay)        │
│ ⏱️ TOTAL TIME: 3 minutes                                   │
│ 🎯 SUCCESS: 100% (no alert)                                │
└────────────────────────────────────────────────────────────┘
Relay Attack Theft Statistics (France 2024-2025)
| Indicator | 2024 | 2025 (projection) | Evolution |
|---|---|---|---|
| Documented relay thefts | 2,847 | ~3,500 | +23% |
| Targeted brands | BMW, Tesla, Mercedes, Audi, Range Rover | + Toyota, Lexus, Peugeot | Extension |
| Recovery rate | 12% | 8% | Decrease (fast export) |
| Average loss | €48,000 | €52,000 | Premium vehicles |
Protection with Bluetooth 6.0 Channel Sounding
BEFORE BT 6.0 (vulnerable)
─────────────────────────────
Car: "Key detected?"
  ↓
Key: "Yes, it's me! [auth]"
  ↓
Car: "OK, unlock"
  ↓
✅ OPENED (the relay only had to carry the signal further)

WITH BT 6.0 (Channel Sounding)
──────────────────────────────
Car: "Key detected?"
  ↓
Key: "Yes, it's me! [auth]"
  ↓
Car: "At what distance?" → round-trip timing
  └─> One-way time of flight: 47 ns
  └─> Calculated distance: 47 ns × 0.3 m/ns ≈ 14.1 m
  └─> Expected: < 2 m
  ↓
❌ REJECTED - Attack detected!
🚨 Owner's smartphone alerted

Detection precision:
- Error margin: ±10 cm on distances <5m
- Reaction time: <50 milliseconds
- False positives: <0.01% (quasi-null)
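Added example, not from the article: a Go model of the decision the car makes in the two sequences above. It turns a measured round-trip time into a distance bound (with the responder's turnaround delay and a timing tolerance as policy inputs), sets it beside the RSSI threshold test that relay attacks defeat, and simulates an owner's key 2 m away against a key relayed from 50 m through a 30 dB amplifier. The policy values, the 1 µs turnaround and the free-space path-loss model are assumptions chosen for illustration; the speed of light is the only fixed input.

```go
package main

import (
	"fmt"
	"math"
)

// Speed of light in metres per nanosecond: no relay can deliver a packet faster than this.
const lightMPerNs = 0.299792458

// Policy is the vehicle's distance-bounding configuration (hypothetical values).
type Policy struct {
	MaxDistanceM float64 // key must be within this distance to unlock
	TurnaroundNs float64 // responder's calibrated reply delay, subtracted from the RTT
	ToleranceNs  float64 // timer resolution and jitter budget
}

// DistanceFromRTT converts a round-trip time into a one-way distance
// after removing the responder's turnaround delay.
func DistanceFromRTT(rttNs, turnaroundNs float64) float64 {
	return math.Max(0, rttNs-turnaroundNs) / 2 * lightMPerNs
}

// TimingDecision is the Channel Sounding style check: the RTT must be
// consistent with the key being within MaxDistanceM, plus a small tolerance.
func TimingDecision(rttNs float64, p Policy) bool {
	maxRTT := p.TurnaroundNs + 2*p.MaxDistanceM/lightMPerNs + p.ToleranceNs
	return rttNs <= maxRTT
}

// RSSIDecision is the pre-6.0 proximity test: "strong signal means close".
func RSSIDecision(rssiDbm, thresholdDbm float64) bool {
	return rssiDbm >= thresholdDbm
}

// SimulateLink models what the car measures for a key at distanceM.
// relayDelayNs is extra processing delay inside a relay (0 for a pure analogue
// amplifier, the attacker's best case); amplifierGainDb is the gain the relay
// adds to the apparent signal. RSSI uses free-space path loss at 2.44 GHz from
// a 0 dBm transmitter, a simplified model that is enough to show the effect.
func SimulateLink(distanceM, turnaroundNs, relayDelayNs, amplifierGainDb float64) (rttNs, rssiDbm float64) {
	rttNs = 2*distanceM/lightMPerNs + turnaroundNs + relayDelayNs
	rssiDbm = -(20*math.Log10(distanceM) + 40.2) + amplifierGainDb
	return rttNs, rssiDbm
}

func main() {
	p := Policy{MaxDistanceM: 2, TurnaroundNs: 1000, ToleranceNs: 3}
	const rssiThreshold = -60.0

	rtt, rssi := SimulateLink(2, p.TurnaroundNs, 0, 0) // owner standing at the door
	fmt.Printf("honest key, 2 m:   RTT=%.1f ns (%.2f m)  RSSI=%.1f dBm  timing=%v rssi=%v\n",
		rtt, DistanceFromRTT(rtt, p.TurnaroundNs), rssi, TimingDecision(rtt, p), RSSIDecision(rssi, rssiThreshold))

	rtt, rssi = SimulateLink(50, p.TurnaroundNs, 0, 30) // key 50 m away behind a 30 dB relay
	fmt.Printf("relayed key, 50 m: RTT=%.1f ns (%.2f m)  RSSI=%.1f dBm  timing=%v rssi=%v\n",
		rtt, DistanceFromRTT(rtt, p.TurnaroundNs), rssi, TimingDecision(rtt, p), RSSIDecision(rssi, rssiThreshold))
}
```

The tolerance is the security-critical parameter: 3 ns corresponds to about 45 cm of one-way slack, and every nanosecond of extra tolerance is 15 cm of extra reach handed to a relay, so the turnaround must be calibrated tightly rather than padded generously.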
Immediate Protections (awaiting widespread BT 6.0)
| Protection | Effectiveness | Cost | Constraint |
|---|---|---|---|
| Disable BT key at night | 🟢 100% | Free | Remember to reactivate |
| Faraday key pouch | 🟢 100% | €10-25 | Remove key for use |
| Faraday home box | 🟢 100% | €15-40 | Key not quickly accessible |
| 2FA authentication | 🟢 95% | Free (app) | Smartphone validation |
| Auto "sleep mode" key | 🟢 90% | Free (config) | 2 min reactivation delay |
| Mechanical steering lock | 🟡 80% (deterrent) | €50-150 | Install/remove |
BlueBorne and Successors: Ghosts of the Past
BlueBorne (2017): The Brutal Awakening
BlueBorne demonstrated that an unpaired, even invisible Bluetooth device could be compromised remotely. 8 critical vulnerabilities affecting Android, iOS, Windows, Linux.
What an attacker could do:
- Take full control of smartphone
- Steal data (contacts, photos, passwords)
- Install persistent malware
- Propagate to nearby Bluetooth devices (worm)
2025 situation: Largely corrected, but millions of legacy devices still vulnerable (industrial IoT, medical equipment, Android 7 and earlier).
Modern Attacks: KNOB, BIAS, BLURtooth
| Attack | Year | Target | Mechanism | 2025 Severity | Protection |
|---|---|---|---|---|---|
| KNOB | 2019 | Key size negotiation (LMP) | Attacker forces the encryption key down to 1 byte of entropy | 🟡 Moderate | Minimum key size of 7 bytes enforced by updated firmware and OS (SIG erratum); Secure Connections alone does not help |
| BIAS | 2020 | Existing pairings | Identity spoofing without key | 🟠 High | Recent firmware (post-2021) |
| BLURtooth | 2020 | Key derivation | Weak CTKD cross-transport validation | 🟡 Moderate | iOS 13.4+, Android 10+ |
| BlueFrag | 2020 | Android L2CAP | Fragment reassembly overflow | 🟢 Low | Android 8.0+ patched |
KNOB (Key Negotiation of Bluetooth) - Technical Detail
NORMAL NEGOTIATION (secure)
────────────────────────────────────────────
Device A: "I support encryption keys of 1 to 16 bytes"
Device B: "Me too, let's use 16 bytes"
      ↓
🔐 128-bit key (2^128 possibilities): brute force infeasible

KNOB ATTACK (attacker in the middle of the LMP negotiation)
────────────────────────────────────────────
Device A: "I support keys of 1 to 16 bytes"
      ↓ [INTERCEPTED: the negotiation messages are neither encrypted nor authenticated]
Attacker → Device B: "A supports only 1 byte"
Device B: "OK, 1 byte then"
      ↓
🔓 Effective key entropy: 8 bits (256 possibilities)
   = crackable in well under a second on a laptop
   Attacker decrypts (and can inject) ALL traffic on the link
- Enforce a minimum key size: the SIG erratum published after KNOB recommends at least 7 bytes; hosts can verify the negotiated size (HCI Read Encryption Key Size) before trusting the link
- Post-2019 OS and controller firmware updates refuse undersized keys; Secure Connections alone does not help, because the size negotiation happens below it
- Legacy devices: cannot be fixed in firmware (replacement necessary)
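Added example (not the article's code, and not a real Bluetooth stack): a Go simulation of the KNOB downgrade described above. It models the LMP key-size negotiation with and without a minimum-size policy, reduces the key to the negotiated entropy, and brute-forces the reduced key from one known plaintext block. The link key, the predictable packet prefix and the SHA-256 key expansion are constructed stand-ins for the real E0/AES-CCM key schedule; what the example preserves is the candidate count (256^size), which is why the 7-byte minimum matters.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Key size limits of the LMP negotiation (1..16 bytes) and the minimum the
// Bluetooth SIG recommended after KNOB was published.
const (
	maxKeyBytes    = 16
	sigMinKeyBytes = 7
)

var ErrKeyTooShort = errors.New("negotiated encryption key size below policy minimum")

// negotiateKeySize models LMP_encryption_key_size_req: each side accepts the
// smaller of its own maximum and the peer's proposal. The messages carrying the
// proposal are neither authenticated nor encrypted, which is what lets an
// attacker inject "1". policyMin is the host/controller minimum; a pre-erratum
// stack behaves like policyMin = 1.
func negotiateKeySize(localMax, peerProposal, policyMin int) (int, error) {
	if localMax < 1 || localMax > maxKeyBytes || peerProposal < 1 || peerProposal > maxKeyBytes {
		return 0, errors.New("key size outside 1..16")
	}
	size := localMax
	if peerProposal < size {
		size = peerProposal
	}
	if size < policyMin {
		return 0, ErrKeyTooShort
	}
	return size, nil
}

// reduceKey models the entropy reduction: after negotiation only `size` bytes
// of the 16-byte key contribute entropy. The specification does this with a
// polynomial reduction; here the surviving bytes are expanded with SHA-256, a
// simplification that keeps the same number of candidate keys (256^size).
func reduceKey(fullKey []byte, size int) []byte {
	sum := sha256.Sum256(fullKey[:size])
	return sum[:16]
}

// encryptBlock stands in for the link cipher (E0 on legacy links, AES-CCM with
// Secure Connections): one AES block of a predictable packet gives the
// attacker a known plaintext/ciphertext pair.
func encryptBlock(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	block.Encrypt(out, plaintext)
	return out
}

// bruteForce recovers the effective key from one known plaintext/ciphertext
// pair by trying every value of the surviving entropy bytes. The search is
// capped at 3 bytes (16 million candidates) to keep the demonstration bounded;
// at 7 bytes the same loop would need 2^56 trials.
func bruteForce(known, ct []byte, size int) (key []byte, trials int, ok bool) {
	if size > 3 {
		return nil, 0, false
	}
	limit := 1 << (8 * size)
	cand := make([]byte, maxKeyBytes)
	for v := 0; v < limit; v++ {
		for i := 0; i < size; i++ {
			cand[i] = byte(v >> (8 * i))
		}
		k := reduceKey(cand, size)
		if bytes.Equal(encryptBlock(k, known), ct) {
			return k, v + 1, true
		}
	}
	return nil, limit, false
}

// Constructed sample values for the demonstration (not real Bluetooth traffic).
var (
	fullLinkKey    = []byte("\x3a\x9f\x11\x07\xc2\x5d\xe8\x40\x76\xbb\x02\x9e\x6d\x13\xf5\x88")
	knownPlaintext = []byte("L2CAP SIG HDR 00") // a predictable 16-byte packet prefix
)

// KnobDemo runs the negotiation with the attacker proposing a 1-byte key
// against a stack with the given minimum, then tries to brute-force the
// traffic. size 0 means the link was refused.
func KnobDemo(policyMin int) (size, trials int, recovered bool) {
	var err error
	size, err = negotiateKeySize(maxKeyBytes, 1, policyMin)
	if err != nil {
		return 0, 0, false // downgrade refused: KNOB blocked
	}
	ct := encryptBlock(reduceKey(fullLinkKey, size), knownPlaintext)
	_, trials, recovered = bruteForce(knownPlaintext, ct, size)
	return size, trials, recovered
}

func main() {
	size, trials, ok := KnobDemo(1)
	fmt.Printf("pre-erratum stack: key size %d byte, key recovered=%v after %d trials\n", size, ok, trials)
	size, trials, ok = KnobDemo(sigMinKeyBytes)
	fmt.Printf("7-byte minimum:    negotiation refused (size %d), recovered=%v\n", size, ok)
}
```

A host-side check of the negotiated key size after encryption is enabled, which is what patched operating systems do, is the defence this models; it costs one HCI round trip and closes the downgrade even when the peer's controller still honours a 1-byte proposal.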
BIAS (Bluetooth Impersonation AttackS) - Identity Spoofing
An attacker can impersonate an already paired device by exploiting a weakness in the reconnection process.
┌────────────────────────────────────────────────────────────┐
│ BIAS ATTACK - STEPS                                        │
├────────────────────────────────────────────────────────────┤
│ 1️⃣ RECONNAISSANCE PHASE                                    │
│    Attacker observes an existing pairing                   │
│    📱 Smartphone ↔ 🎧 AirPods (Bluetooth address captured) │
│                                                            │
│ 2️⃣ DISCONNECTION PHASE                                     │
│    Attacker forces a disconnection (jamming, DoS)          │
│    🎧 AirPods temporarily disconnected                      │
│                                                            │
│ 3️⃣ SPOOFING PHASE                                          │
│    Attacker spoofs the AirPods' Bluetooth address and       │
│    reconnects on the stored pairing WITHOUT knowing the     │
│    link key                                                │
│    └─> Flaw: legacy authentication is one-way, and a role  │
│        switch lets the attacker become the side that is    │
│        never challenged; Secure Connections can be          │
│        downgraded to legacy during the reconnection        │
│                                                            │
│ 4️⃣ COMPROMISE PHASE                                        │
│    📱 Smartphone accepts the "fake AirPods"                 │
│    Attacker intercepts the audio stream and can inject      │
│    audio (voice phishing); combined with KNOB, the          │
│    encrypted traffic becomes readable                      │
└────────────────────────────────────────────────────────────┘
Summary: 2025 Bluetooth Risk Matrix
| User Profile | Overall Risk | Main Threats |
|---|---|---|
| Individual (standard use) | 🟡 MODERATE | CVE Airoha (budget earbuds), Relay attacks (car key) |
| Enterprise (sensitive environment) | 🟠 HIGH | Industrial espionage, IoT compromise, GDPR Compliance |
| Healthcare (medical devices) | 🔴 CRITICAL | Legacy equipment, Patient data, Physical security |
| Industry 4.0 (connected production) | 🟠 HIGH | Production sabotage, Obsolete sensors, Availability |
Security Action Plan: Your Roadmap
IMMEDIATE Actions (< 1 week)
- Inventory:
  - List ALL your active Bluetooth devices
  - Check OS versions (smartphone, laptop, tablet)
  - Identify Airoha-based devices
  - Note devices without an update for > 1 year
- Update:
  - Smartphone/tablet OS → latest version
  - Earbuds/speakers firmware → via the dedicated apps
  - PC Bluetooth drivers → Windows Update / manufacturer
  - IoT firmware (watches, trackers) → manufacturer apps
- Hygiene:
  - Disable Bluetooth on unused devices
  - Delete obsolete pairings (> 6 months inactive)
  - Keep "non-discoverable" as the default
  - Configure auto screen lock (30 s - 1 min)
SHORT TERM Actions (< 1 month)
- Advanced security: Car key (Faraday pouch + night disable), IoT segmentation (guest VLAN)
- Training & awareness: Read manufacturer security guides, Share best practices, Subscribe to security alerts (CERT, CISA)
- Enterprises: Draft/update Bluetooth policy, Complete MDM inventory, Mandatory employee training
LONG TERM Actions (< 6 months)
- Infrastructure modernization: Replace unpatchable legacy devices, Migration to Bluetooth 6.0
- Defense in depth strategy: Strict network segmentation, Enhanced encryption, Automated key rotation
- Continuous monitoring & improvement: Subscribe to Bluetooth CVE feeds, Participate in security communities, Regular testing
Bluetooth Classic vs Bluetooth Low Energy: Which Choice?
The Battle of Two Protocols
| Criterion | Bluetooth Classic | Bluetooth Low Energy | Winner |
|---|---|---|---|
| Max speed | 3 Mbit/s | 2 Mbit/s | Classic |
| Consumption | Moderate-High (100mW) | Ultra-low (1mW) | BLE ×100 |
| Range | 10-100m | 50-240m | BLE ×2-4 |
| Connection time | 1-5 seconds | < 10 milliseconds | BLE ×500 |
| Battery autonomy | Hours - Days | Months - Years | BLE |
| Radio channels | 79 × 1 MHz | 40 × 2 MHz | = |
| Audio latency | Low (40-100ms) | Variable (50-200ms*) | Classic |
| Stack complexity | Simple | Complex (GATT) | Classic |
| Chipset cost | €2-5 | €1-3 | BLE |
*With LE Audio (BT 5.2+), BLE latency becomes competitive
Selection Guide: Which Bluetooth for Your Project?
Choose Bluetooth Classic if...
| Use Case | Why Classic? | Product Examples |
|---|---|---|
| Audio streaming | Continuous throughput, low latency, consistent quality | Sony WH-1000XM headsets, JBL speakers, car kits |
| Gaming peripherals | Critical latency < 50ms, constant input | Xbox/PlayStation controllers, mechanical gaming keyboards |
| File transfer | Large volumes (photos, videos, documents) | Android file sharing, OBEX, Bluetooth FTP |
| Telephony | Stable real-time bidirectional audio | Professional headsets, car hands-free |
| Printing | Sustained throughput for complex documents | Portable printers, POS terminals |
Choose Bluetooth LE if...
| Use Case | Why BLE? | Product Examples |
|---|---|---|
| Wearables | Multi-week autonomy, lightweight sensors | Apple Watch, Fitbit, Garmin, Oura rings |
| IoT sensors | Years on coin cell, sporadic data | Xiaomi thermometers, Aqara sensors, Ruuvi |
| Connected locks | Security + critical autonomy | August Smart Lock, Yale Linus, Nuki |
| Beacons | 24/7 broadcast for 2-5 years | Apple iBeacon, Google Eddystone, store proximity |
| Simple controllers | Basic buttons, acceptable latency | TV remotes, IoT buttons, Philips Hue switches |
| Payment/identification | Fast transactions, low consumption | NFC/BLE cards, access badges, transport passes |
Dual Mode: Best of Both Worlds
Modern chipsets (smartphones, tablets, PCs) integrate both protocols simultaneously:
┌─────────────────────────────────────────────────────────┐
│ INTELLIGENT DUAL MODE STRATEGY                          │
├─────────────────────────────────────────────────────────┤
│ 📱 Dual Mode Smartphone                                 │
│  │                                                      │
│  ├──🟢 BLE ──────────> 🏃 Smartwatch (notifications)    │
│  │   (100 µW)          ⏱️ Battery: 3 days               │
│  │                                                      │
│  ├──🟢 BLE ──────────> 🌡️ Home sensors (scan)           │
│  │   (1 mW)            🔋 Autonomy: 2 years             │
│  │                                                      │
│  └──🔵 Classic ──────> 🎧 Headset (audio streaming)     │
│      (50 mW)           🎵 Quality: AAC 256 kbps         │
│                        🔋 Autonomy: 30h                 │
└─────────────────────────────────────────────────────────┘
| Situation | Active Protocol | Reason |
|---|---|---|
| Screen locked, music OFF | BLE passive scan | Battery saving, watch/tracker notifications |
| Active music playback | Classic A2DP | Audio quality, sustained throughput |
| Phone call | Classic HFP | Low latency, bidirectional audio |
| Sports with tracker | BLE GATT | Real-time heart rate, energy efficiency |
| Enter car | Classic (audio) + BLE (detection) | Optimized dual connection |
Quick Decision Table
| Question | Answer → Classic | Answer → BLE |
|---|---|---|
| 1. Target autonomy? | Hours/days (rechargeable) | Months/years (battery/cell) |
| 2. Data type? | Continuous stream (audio, video) | Burst/intermittent (sensors, notifs) |
| 3. Critical latency? | Yes (< 100ms required) | No (> 100ms acceptable) |
Special Case: LE Audio (Bluetooth 5.2+)
With the arrival of LE Audio in 2020-2025, BLE becomes viable for audio:
| Aspect | Plain BLE (before 5.2) | LE Audio (BT 5.2+) |
|---|---|---|
| Codec | No dedicated audio codec | LC3 (Low Complexity Communications Codec) |
| Audio quality | ❌ Insufficient | ✅ Equal/superior to Classic SBC |
| Required bitrate | - | 160 kbit/s (vs 328 kbit/s SBC) |
| Latency | 100-200ms | 20-30ms possible |
| Multi-stream | ❌ Not supported | ✅ Auracast (multi-user broadcast) |
| Autonomy | - | +50% vs Classic |
Result: True Wireless 2025+ earbuds/headsets gradually migrate to LE Audio for autonomy gains without quality loss.
Conclusion: Master Bluetooth to Better Secure It
Bluetooth 6.0 represents a major evolution that addresses security and precision challenges of previous years. Channel Sounding marks a turning point in the fight against relay attacks, while energy optimizations (Monitoring Advertisers, Frame Space Update) and continuous LE Audio improvement further extend the autonomy and quality of connected objects.
However, like any ubiquitous technology, Bluetooth remains a prime target for attackers. The continuous discovery of vulnerabilities like those in Airoha chipsets, sophisticated relay attacks on car keys, and persistence of historical flaws (KNOB, BIAS) remind us of the importance of constant vigilance.
The 3 Pillars of Sustainable Bluetooth Security
Understand threats to better protect against them. This guide is your first step toward deep Bluetooth mastery.
Maintain active vigilance and security watch: Updates, audits, continuous infrastructure monitoring.
React quickly to incidents and vulnerabilities: Action plans, patches, immediate remediation.
For IT professionals and security managers, deep Bluetooth mastery is no longer optional. With billions of deployed devices and growing presence in critical infrastructure (healthcare, industry, smart buildings, connected vehicles), every vulnerability can have serious consequences on privacy, physical security, and business continuity.
The technical fundamentals covered in this article allow you to understand how Bluetooth really works, beyond the "magic" of wireless connection. This understanding is the necessary foundation for effectively diagnosing problems, anticipating security flaws, and designing robust architectures.
Your Next Concrete Actions
- Today: Audit your Bluetooth devices and launch critical updates
- This week: Implement immediate protections (Faraday, night BT disable)
- This month: Formalize your Bluetooth security strategy (personal or enterprise policy)
- This year: Plan migration to Bluetooth 6.0 for your critical equipment
This article is part of a series on wireless technology security. Check our other guides on SafeITExperts to deepen your cybersecurity knowledge.
Sources & References
Official Bluetooth & Security Sources
- Bluetooth SIG - Core Specification 6.0 (2024): bluetooth.com/specifications
- NIST Special Publication 800-121r2: Guide to Bluetooth Security
- CVE Airoha Bluetooth Stack 2025: CVE-2025-20700, CVE-2025-20702
- Antonioli, Tippenhauer, Rasmussen: KNOB (2019), BIAS (2020); Antonioli: BLUFFS (2023); Armis Labs: BlueBorne (2017)
- ANSSI - Bluetooth Recommendations: cyber.gouv.fr
- Silicon Labs technical documentation on Channel Sounding
- Bluetooth 6.0 Feature Overview: bluetooth.com
- Dell Security Advisory DSA-2025-303