Bluetooth has come in for a fair bit of criticism in recent months, not least because certain Bluetooth software stacks have security flaws in them which could allow data to be read from a device illicitly.

However, the developers of the Bluetooth specification put a lot of effort into making it secure, and while you certainly should consider security, it is much more a question of adopting safe practices than of avoiding Bluetooth altogether.

The three main areas of concern are

  • cracking (including the so-called Bluesnarfing attacks),
  • backdoor or pairing attacks, and
  • Bluejacking.

The last of these is more a nuisance than a risk. It is not as sinister as the name suggests: it merely uses the facility built into Bluetooth to send and receive message objects, and the recipient can then choose to read, save or discard them.

Every Bluetooth-enabled device has a visibility or discoverability setting, which controls whether or not it beacons its presence across the airwaves. Unless you are a teenager who enjoys getting messages from random strangers (Bluejacking), the only time you really need to make a device visible is when pairing two devices.

Once the devices have been paired, it is safer to set them invisible, non-discoverable or hidden - the terminology varies - as they will still be able to find each other.

Be aware that a hidden device is not completely safe, however. There are brute-force attacks such as the RedFang tool developed by security firm @stake, which has published a useful paper on the subject.

These attacks work by scanning the entire Bluetooth address space, or the portions of it corresponding to popular manufacturers, and seeing what responds. The only real defence is to turn Bluetooth off.

One drawback of setting your device as non-visible is that while it blocks Bluejacking, it also prevents other Bluetooth users from sending you business cards or messages as this uses the same mechanism. An alternative for beaming business cards is to use infra-red instead, but it does mean learning how to turn this off and on, something which certain phone makers seem to delight in making as obscure as possible.

Backdoor and pairing attacks are a different type of risk, as they are normally only possible via the device itself. For example, someone could borrow your phone and establish a pairing with another device, but then delete it from the list of trusted devices on your phone.

Although the other device would no longer appear in your phone's list of trusted devices, it would still have access to the phone's services. Not only could it pull data off the phone, but it could potentially use other services too, such as making voice or data calls.

The same risks could apply to a re-used handset too, as pairing information is not deleted when the SIM card is changed (nor would those of us with multiple SIM cards want it to be). The best tactic here appears to be to perform a full factory reset on any hired or second-hand phone.