I recently wrote a diary on the SANS Internet Storm Center about a survey of Bluetooth vulnerabilities trends (2023 Edition).
Please click here to read the full diary entry and this diary entry has been briefly mentioned in the SANS Daily Network Security Podcast (Stormcast) for Wednesday, February 8th, 2023 over here. Alternatively, the full diary is reposted in full below.
The use of Bluetooth-enabled devices remains popular. New products (such as mobile phones, laptops and fitness trackers) still support this protocol and have even launched with more recent versions (e.g. Samsung S23 family of phones, iPhone 14 and 14 Pro, Apple Watch Series 8/SE/Ultra all shipped with Bluetooth 5.3). I had previously written about surveying the trend of Bluetooth vulnerabilities back in 2021 . As roughly a year or so has passed, it was a timely moment to review how things may have evolved with respect to the vulnerabilities discovered. Compared to the previous diary, the current Bluetooth core specification has been bumped up to 5.3 (from 5.2 as compared to the previous diary) .
Firstly, to get an overview of the current situation, I turned to the CVE List hosted by MITRE and searched for Bluetooth-related vulnerabilities. At the point of writing, there was a total of 647 publicly listed vulnerabilities related to Bluetooth . From the time since I last wrote the diary (May 2021), there was an increase of 202 publicly disclosed vulnerabilities. To further illustrate the trend, I updated the previously plotted graph (Figure 1 below). There were minor updates to the number of vulnerabilities disclosed (e.g. 2019 and 2020), probably due to the lifting of embargoed vulnerability listing as they have been patched (or perhaps not being fixed after a certain period of non-disclosure). We also do not distinguish between Bluetooth Classic and Bluetooth Low Energy (LE) in the graph.
We can see that the vulnerabilities disclosed in 2022 have increased to near 2019 levels (112 vs 113). This came as no surprise, as the year 2022 was an eventful year for Bluetooth vulnerabilities. Notable attacks such as Blacktooth , Bluetooth Address Tracking (BAT)  and Bluetooth Physical-Layer Relay Attacks  were disclosed. The impacts were significant – the vulnerabilities affected many products, such as Tesla cars, smart locks and mobile phones. It was heartening to see that the researchers also suggested ways to fix the discovered issues and worked with the Bluetooth SIG to resolve the vulnerabilities.
It would be interesting to see what 2023 would be like for Bluetooth – would there be more implementation or protocol design vulnerabilities reported to the Bluetooth SIG? Will there be closer collaboration between product vendors and System-on-Chip (SoC) vendors in rolling out security updates for the Bluetooth implementations in the affected devices? Although it appears that the number of Bluetooth vulnerabilities being discovered is rising again, we can take comfort that at least a vital protocol is being examined and improved upon.