Quick question: is your Bluetooth on right now? Of course it is. Mine was too until I started looking into what actually happens when you leave that little radio signal broadcasting 24/7. Most of us flipped Bluetooth on at some point to connect our earbuds or car stereo and just never turned it back off. It feels harmless. It feels like nothing. But that always-on signal is doing more than you think, and some of it is genuinely creepy.
The FCC itself lists turning off Bluetooth when not in use as its very first Bluetooth security recommendation. Not buried in fine print. Not item number seven on a long checklist. It is literally step one. When a federal agency puts something at the top of the list, it is probably worth paying attention to.
Your Phone Is Basically Yelling “I’m Right Here” to Strangers
Here is the thing most people do not realize about Bluetooth. When it is on, your phone is constantly broadcasting a signal. Think of it like a name tag you are wearing in a crowded room that says “Hi, I’m available.” Your device sends out its name, its MAC address, and other identifying information to anything and anyone within roughly 30 feet. In a coffee shop, an airport terminal, or a packed subway car, that means dozens of strangers and their devices can see yours.
This is not theoretical paranoia. It is how Bluetooth was designed to work. The protocol needs devices to announce themselves so they can find each other and pair. That is great when you are trying to connect your AirPods at home. It is less great when you are sitting in a Starbucks and some guy with a laptop can see your phone name, which is probably something like “Jessica’s iPhone 15,” and start probing it for weaknesses.
The Attacks Have Names, and They Sound Like Bad Spy Movies
The world of Bluetooth attacks has some wonderfully ridiculous names, but the attacks themselves are no joke. Let me walk you through the big ones.
Bluejacking is the least scary. Someone sends unsolicited messages to your device. It is mostly just annoying, like getting a weird text from a stranger sitting ten feet away from you. Creepy? Yes. Dangerous? Not directly.
Bluesnarfing is where things get real. This is when an attacker secretly steals data from your phone, including contacts, text messages, calendar events, emails, and personal files. You would never know it happened. The attacker just needs to be within Bluetooth range and exploit weaknesses in how your device handles the OBEX protocol (the system that manages data exchange). That stolen information can be used for identity theft, including opening credit accounts in your name.
Bluebugging is the worst of the bunch. An attacker does not just steal your data. They take control of your device. We are talking about making phone calls, sending text messages, accessing your apps, and even eavesdropping on your conversations. The really nasty part? Once a bluebugging attack succeeds, the attacker installs a backdoor on your phone. That means they can keep accessing your device long after the initial Bluetooth connection ends. They do not even need to be near you anymore.
A Real Attack Happened With a $200 Gadget and a Laptop
If you think this stuff only happens in movies or government hacking labs, think again. During a real security test in a corporate environment, an attacker used a Flipper Zero (a pocket-sized hacking tool you can buy online for around $200) to impersonate a wireless keyboard via Bluetooth. A staff member had left their laptop sitting idle with Bluetooth enabled, and the laptop just accepted this fake keyboard without asking any questions. Within seconds, the attacker was sending invisible keystrokes to the machine.
Let that sink in. A cheap gadget pretended to be a keyboard, and a real computer said “sure, come on in.” No password prompt. No verification. Just blind trust because Bluetooth was on.
Your Car Is Vulnerable Too
This one surprised me the most. In mid-2025, researchers revealed a set of Bluetooth vulnerabilities called PerfektBlue that affected the infotainment systems in popular cars from Mercedes, Volkswagen, Skoda, and others. These were zero-click attacks, meaning the driver did not have to press anything or accept any prompt. An attacker just needed to be physically near the car.
Once inside the infotainment system, the attacker could potentially access your contacts, call logs, navigation history, and even synced work emails. Many drivers never update their car’s firmware. Some literally cannot, even if they wanted to. According to a 2025 vulnerability report, over 33% of discovered vulnerabilities were critical or high severity, and organizations took an average of 74.3 days to fix application-level issues. For car Bluetooth systems that rarely (or never) get updates, that security gap just sits there permanently.
Think about all the stuff synced to your car’s system right now. Your phone contacts. Your recent calls. Maybe your text messages. If your car’s Bluetooth connection gets compromised, all of that is exposed.
Even AirPods Got Spoofed
Apple fans, you are not immune to this. In 2024, Apple had to patch a vulnerability (CVE-2024-27867) that allowed attackers to spoof AirPods. Basically, someone could create a fake Bluetooth device that your iPhone believed was your AirPods. If your phone auto-connected to the fake device, the attacker could potentially listen to your conversations. Imagine sitting in a meeting discussing something confidential while a stranger nearby is silently eavesdropping through a spoofed connection.
Apple patched it, sure. But the vulnerability existed. And it worked because people leave Bluetooth on and allow automatic connections. Apple’s closed ecosystem does make iPhones slightly more secure in practice since updates roll out faster and more consistently. Android devices, on the other hand, vary wildly in how quickly manufacturers push security patches. Some Android phones sit for months with known vulnerabilities before they get a fix.
The BlueBorne Problem Was Massive
Back in 2017, researchers at cybersecurity firm Armis disclosed a collection of Bluetooth vulnerabilities called BlueBorne. This was a big deal because BlueBorne attacks did not require the target device to be paired with the attacker. The attacker did not even need the victim to accept a connection request. They just needed to be within Bluetooth range. From there, they could take over devices, steal information, spread malware, and move through an entire network of connected devices.
Then in 2021, BrakTooth hit the scene. Sixteen Bluetooth vulnerabilities across multiple chipsets used in phones, laptops, and IoT devices. These could cause crashes and had broader potential impacts for anyone within range. And in 2025, another vulnerability (CVE-2025-36911) was found in Google’s Fast Pair accessory feature, showing that new problems keep appearing even as older ones get patched.
People Think Bluetooth Kills Their Battery. It Barely Matters.
Here is the ironic part. A lot of people who do turn off Bluetooth are doing it for the wrong reason. They think it is draining their battery. In 2025, that is barely true. Modern smartphones use Bluetooth 5.3 or higher, and Bluetooth Low Energy (BLE) consumes up to 90% less power than classic Bluetooth when idle. Real-world testing showed that a phone with Bluetooth on but not connected to anything lost only 1 to 2 percent of battery over a full 24 hours compared to a phone with it off.
So the battery argument is basically dead. The security argument, though? That one is very much alive. People are turning Bluetooth off for the reason that does not matter and leaving it on despite the reason that does.
You Are Being Tracked in Stores and Public Spaces
Beyond hacking, there is the tracking problem. Your Bluetooth signal broadcasts a MAC address, and that address can be used to track your movements through stores, malls, airports, and other public spaces. Retailers use Bluetooth beacons to monitor foot traffic patterns and shopper behavior. Some of this data collection happens without you ever knowing about it or agreeing to it.
This is not some conspiracy theory. Bluetooth-based location tracking is a real, documented practice in retail analytics. The next time you wander through a Target or a Best Buy with Bluetooth on, there is a chance your movements are being logged.
What You Should Actually Do
I am not telling you to swear off Bluetooth forever. That would be ridiculous. But there are a few simple habits that make a real difference.
Turn Bluetooth off when you are not using it. This is the single biggest thing you can do. If you are not connected to earbuds, a car stereo, or a smartwatch at that moment, just flip it off. On an iPhone, go to Settings and toggle it. The Control Center shortcut only disconnects current connections; it does not fully turn Bluetooth off.
Set your devices to non-discoverable mode. This means your phone will not show up when other nearby devices are scanning for Bluetooth connections. You can still connect to your own paired devices, but strangers cannot find you.
Never accept pairing requests from devices you do not recognize. The FCC specifically warns against connecting to random devices from your discovery list “just to see what happens.” Curiosity is not worth the risk.
Keep your devices updated. A lot of Bluetooth vulnerabilities get patched through software updates. If your phone has been nagging you about an update for three weeks, just install it already.
Remove old pairings you do not use anymore. That rental car you connected to six months ago? That hotel room speaker? Delete them. Stale pairings are unnecessary open doors.
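If one of your devices is a Linux laptop, you can check the same habits from the command line. The sketch below is an added example, not code from the FCC or from any tool mentioned in this article: it reads the text that BlueZ's `bluetoothctl show` and `bluetoothctl info` print and flags the items from the list above. The sample output and device names are constructed, and the "trusted" check assumes BlueZ's behavior of authorizing trusted devices without asking.

```python
import re

# Constructed sample of `bluetoothctl show` output on a Linux laptop (BlueZ).
SAMPLE_SHOW = """Controller 00:11:22:33:44:55 (public)
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x00000000
"""
# Constructed sample of `bluetoothctl info <address>` output for two devices.
SAMPLE_INFO = """Device AA:BB:CC:00:00:01 (public)
    Name: Rental Car Audio
    Paired: yes
Device AA:BB:CC:00:00:02 (random)
    Name: Keyboard K1
    Icon: input-keyboard
    Paired: yes
    Trusted: yes
    Connected: no
"""

def parse_blocks(text):
    """Split bluetoothctl output into {address: {field: value}}."""
    blocks, current = {}, None
    for line in text.splitlines():
        head = re.match(r"(?:Controller|Device) ([0-9A-Fa-f:]{17})", line)
        if head:
            current = blocks.setdefault(head.group(1), {})
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            current[key] = value.strip()
    return blocks

def audit(show_text, info_text):
    """Return one finding per habit from the checklist that is not followed."""
    findings = []
    devices = parse_blocks(info_text)
    idle = not any(d.get("Connected") == "yes" for d in devices.values())
    for addr, ctl in parse_blocks(show_text).items():
        if ctl.get("Powered") == "yes" and idle:
            findings.append(f"{addr}: Bluetooth on with nothing connected")
        if ctl.get("Discoverable") == "yes":
            forever = int(ctl.get("DiscoverableTimeout", "0xb4"), 16) == 0
            findings.append(f"{addr}: discoverable" + (" with no timeout" if forever else ""))
    for addr, dev in devices.items():
        if dev.get("Paired") == "yes" and dev.get("Connected") != "yes":
            findings.append(f"{addr}: stale pairing? {dev.get('Name')}")
        if dev.get("Trusted") == "yes" and dev.get("Icon", "").startswith("input-"):
            findings.append(f"{addr}: trusted input device, connects without a prompt")
    return findings
```

On a real machine, pass it the output of `bluetoothctl show` and of `bluetoothctl info <address>` for each entry listed by `bluetoothctl devices`.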
The bottom line is pretty straightforward. Bluetooth is a useful technology, but treating it like something you can leave on and forget about is a mistake. It takes about two seconds to toggle it off. Considering what can happen when you do not, those two seconds are well spent.
