Thursday, April 10, 2014

HTC Sense 6.0 Bluetooth security "issue" explained

Bluetooth is not a new technology and has long been associated with hands free headsets but with newer devices over the last few years it has obviously evolved into a technology that connects to printers, headphones, speakers, cars and of course other phones.

It wasn't long ago that I still used a Microsoft Zune with my phone sitting idle as I didn't trust the battery or it didn't have the capacity to store my music library, it has only been due to looking into the issue I am going to describe that I have begun to consider using a Bluetooth headset, reflecting on the pain of trying to untangle my headphones as I make my daily commute into the city.

But I digress, I made a discovery on the new HTC One M8 (originally noticed on the M7 port by rider5512) that when I shared had a few other users concerned about using Bluetooth securely.


One of the advantages of being an early adopter and someone who has owned the previous iteration of a flag ship model is that you quickly spot the changes that have been made and one of them was a change in the Bluetooth setup where the ability to set a visibility time out was no longer present and the only options I could see for Bluetooth were on or off.

I checked some other devices, including the Sony Xperia Tablet Z (running the latest nightly of Cyanogenmod 11), the HTC One M7 and the LG G2. I also saw, via a quick Google search that this was standard for Apple devices.

Here you can see that same interface on the HTC One M7 (on Sense 5.5) with visibility time-out options from Cyanogenmod 11 showing on the right:



Of all the other models I checked, only the HTC One M8 lacked this visibility option.


So why might this be a concern?

If your device is visible it means that anyone with a Bluetooth connection can see it, there have been pranks with the name Bluejacking where you can be sent unsolicited text message and pictures which are mostly harmless or as you imagine explicit but nothing more than nuisance, with no data being stolen.

In more extreme cases there is something that is called Bluesnarfing (which sounds ridiculous I know) where an attacker can change or copy information from your phone such as your phone book, address book and calendar or even taking it over completely. Obviously this situations are rare and extreme and as a smart reader of this blog, you are likely avoiding it.

At the very least you will be exposing your Bluetooth address to others, for the paranoid Bluetooth can also be used to track you. Certainly if more people in Hollywood were able to disable Bluetooth visibility the cast of 'Person of Interest' would certainly have to do more work than forced pairing.

Having a visible device will also increase battery consumption!

I asked Jason Dunn, the current outgoing Senior Manager of the HTC community about this and he quickly got a few details from me and escalated it as initially he thought his was current practice as it didn't seem to be broken function on the M8 but the lack of option altogether.

In less than a week (a credit again to Jason and HTC for working closely with the community), Jason was able to give me a simple yet delightful answer.

In simplest terms, the device is only in discover mode, while you are present in the Bluetooth settings screen.

Again, so simple but that has two strong reasons:
  • You won’t accidentally leave the device in a discoverable state.
  • For non-technical end-users it provides a simple yet effective way for them to easily connect their device to other Bluetooth devices.
You can see a quick demonstration below, on the top my Xperia has been unable to find my One M8, on the bottom (and you will have to take my word for it) is in the Bluetooth settings screen and therefore visible.


Basically, HTC have done a great implementation for end users that does not compromise security at all! Once paired the devices will continue to function and connect as you would expect!

On a final note, it is very sad to see Jason moving on from his position at HTC, but I continue to look forward to his thoughts on Twitter and I already had the pleasure of meeting his replacement, Laura Kimball, at the HTC London meet last month.

Great job HTC!

Have any questions or comments? Feel free to share! Also, if you like this article, please use media sharing buttons (Twitter, G+, Facebook) below this post!

For latest news follow Android Revolution HD on popular social platforms: