Bluetooth vulnerability allows unauthorized user to record and play audio on Bluetooth speakers
This critical security issue allows third party user to record audio from Bluetooth speaker with built-in microphone in vicinity, even when it is already paired and connected with another device. This can result in eavesdropping on private conversations using turned on Bluetooth speaker or a headset.
This security problem was found and presented by Tarlogic on RootedCon 2024. Last week they published a prove of concept tool, called BlueSpy, that exploits this issue.
When I tested it, it blown my mind that this is actually possible, since this problem doesn’t exploit any unpatched vulnerability, only misuses unsecured Just Work method of Bluetooth device pairing. This is scary if you consider there are sitting many such vulnerable headsets or speakers in residential areas, workspace, meeting rooms, public places etc.
In this post, I will visualize the attack scenario of recording and playing the audio as unauthorized user from a Bluetooth speaker. It was not mentioned in the original research by Tarlogic, however, this attack can be also used as new method to stop a speaker from playing music. For demonstration, I will use portable Raspberry Pi 4 running Kali Linux that is controlled by a smartphone. To extend the covered area, it is possible to use an external Bluetooth adapter with an external antenna. In the Prevention section, I explain how you can conveniently detect if your Bluetooth LE speakers are vulnerable to this attack scenario using a mobile app.
