As contact tracing gains attention, a researcher pokes a hole in Bluetooth technology

A German university student show how to execute code on a Samsung Galaxy S10e.
The use of Bluetooth in coronavirus contact tracing has put the spotlight on the technology's security.

Bluetooth came to the fore in the fight against the novel coronavirus this month when Apple and Google announced a project to use the wireless technology to trace people infected with the virus.

The ambitious program to build interoperable software for iPhone and Android devices inspired hope in some and privacy concerns in others. New research highlights the potential security implications of using Bluetooth to track smartphone users.

Jan Ruge, a researcher at the TU Darmstadt, a university in Germany, has shown how a hacker in close proximity to an Android device could use Bluetooth to execute code on it. The mobile device’s user wouldn’t need to click on anything to be compromised — the attacker would only need the Bluetooth address of the device and a software exploit. Ruge used the exploit on a Samsung Galaxy S10e, but it would work in theory on other phone models running unpatched versions of the Android 8.0-9.0 operating systems.

Ruge found the vulnerability by digging into a protocol that Bluetooth uses to stream music on the device. He reported the bug to Android’s security team in November, which issued a software fix in February. There was no indication that the vulnerability had been exploited in the wild.


The research doesn’t mean that the wireless standard shouldn’t be used to track COVID-19. It is, however, another reminder that technology that has gained traction in the health crisis could also be an opening for hackers. Like Zoom, the videoconference app whose popularity has surged during the pandemic, vendors that use Bluetooth will have to reckon with the technology’s security vulnerabilities.

Unlike Zoom, Bluetooth has been around for more than two decades. Given its ubiquitous use, Bluetooth has long drawn attention from security researchers. Last year, for example, Google addressed a Bluetooth vulnerability that could have allowed a hacker to communicate with devices paired with the company’s Titan security key, which guards against phishing.

One problem, as Ruge pointed out, is that many mobile phones are automatically configured to accept Bluetooth connections from nearby devices. That makes the first step to executing a hack like this — finding a vulnerable target — significantly easier. A security patch takes care of the problem in this case. If users can’t apply the patch, they should only enable Bluetooth when they need it, Ruge said.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts