Skip to content

Zero-day: Bluetooth gap turns millions of headphones into listening stations

Technology
123 88 2
  • ... and this is why I don't use bluetooth on anything.

    I never have it enabled unless I am in the car driving and need driving directions or listening to music/podcasts. I prefer wired headphones, but manufacturers are making that difficult.

  • The Bluetooth chipset installed in popular models from major manufacturers is vulnerable. Hackers could use it to initiate calls and eavesdrop on devices.

    Source

    Alright now how do I test this out

  • The Bluetooth chipset installed in popular models from major manufacturers is vulnerable. Hackers could use it to initiate calls and eavesdrop on devices.

    Source

    What is that site asking me to agree to? No thanks

  • There's lots of money to be made by inserting a hardware back door in your product then later disclosing it as an unfixable vulnerability and force your customers to buy new hardware which has the same but different backdoor. Repeat.

    Thanks, I hate it. Vulnerable to your competitor red teaming it tho...

  • I mean, there were legitimate technical issues with the standard, especially on smartphones, which is where they really got pushed out. Most other devices do have headphones jacks. If I get a laptop, it's probably got a headphones jack. Radios will have headphones jacks. Get a mixer, it's got a headphones jack. I don't think that the standard is going to vanish anytime soon in general.

    I like headphones jacks. I have a ton of 1/8" and 1/4" devices and headphones that I happily use. But they weren't doing it for no reason.

    • From what I've read, the big, driving one that drove them out on smartphones was that the jack just takes up a lot more physical space in the phone than USB-C or Bluetooth. I'd rather just have a thicker phone, but a lot of people don't, and if you're going all over the phone trying to figure out what to eject to buy more space, that's gonna be a big target. For people who do want a jack on smartphones, which invariably have USB-C, you can get a similar effect to having a headphones jack by just leaving a small USB-C audio interface with a headphones jack on the end of your headphones (one with a passthrough USB-C port if you also want to use a USB-C port for other things).

    • A second issue was that the standard didn't have a way to provide power (there was a now-dead extension from many years back that is now dead, IIRC for MD players, that let a small amount of power be provided with an extra ring). That didn't matter for a long time, as long as your device could put out a strong enough signal to drive headphones of whatever impedance you had. But ANC has started to become popular now, and you need power for ANC. This is really the first time I think that there's a solid reason to want to power headphones.

    • The connection got shorted when plugging things in and out, which could result in loud sound on the membrane.

    • USB-C is designed so that the springy tensioning stuff that's there to keep the connection solid is on the (cheap, easy to replace) cord rather than the (expensive, hard to replace) device; I understand from past reading that this was a major reason that micro-USB replaced mini-USB. Instead of your device wearing out, the cord wears out. Not as much of an issue for headphones as mini-USB, but I think that it's probably fair to say that it's desirable to have the tensioning on the cord side.

    • On USB-C, the right part breaks. One irritation I have with USB-C is that it is...kind of flimsy. Like, it doesn't require that much force pushing on a plug sideways to damage a plug. However --- and I don't know if this was a design goal for USB-C, though I suspect it was --- my experience has been that if that happens, it's the plug on the (cheap, easy to replace) cord that gets damaged, not the device. I have a television with a headphones jack that I destroyed by tripping over a headphones cord once, because the headphones jack was nice and durable and let me tear components inside the television off. I've damaged several USB-C cables, but I've never damaged the device they're connected to while doing so.

    On an interesting note, the standard is extremely old, probably one of the oldest data standards in general use today; the 1/4" mono standard was from phone switchboards in the 1800s.

    EDIT: Also, one other perk of using USB-C instead of a built-in headphones jack on a smartphone is that if the DAC on your phone sucks, going the USB-C-audio-interface route means that you can use a different DAC. Can't really change the internal DAC. I don't know about other people, but last phone I had that did have an audio jack would let through a "wub wub wub" sound when I was charging it on USB off my car's 12V cigarette lighter adapter --- dirty power, but USB power is often really dirty. Was really obnoxious when feeding my car's stereo via its AUX port. That's very much fixable by putting some filtering on the DAC's power supply, maybe needs a capacitor on the thing, but the phone manufacturer didn't do it, maybe to save space or money. That's not something that I can go fix. I eventually worked around it by getting a battery-powered Bluetooth receiver that had a 1/8" headphones jack, cutting the phone's DAC out of the equation. The phone's internal DAC worked fine when the phone wasn't charging, but I wanted to have the phone plugged in for navigation stuff when I was driving.

    Honestly I'd be happy with a phone sporting two USB C ports, one centered and one off to the side where the headphone jack used to be, both fully functional.

  • The Bluetooth chipset installed in popular models from major manufacturers is vulnerable. Hackers could use it to initiate calls and eavesdrop on devices.

    Source

    The site wants to share info with advertisers. I found this to be refreshingly honest.

    We and our up to 185 partners use cookies and tracking technologies. Some cookies and data processing are technically necessary, others help us to improve our offer and operate it economically...

    Anyway, can we get an archive link?

  • I mean, there were legitimate technical issues with the standard, especially on smartphones, which is where they really got pushed out. Most other devices do have headphones jacks. If I get a laptop, it's probably got a headphones jack. Radios will have headphones jacks. Get a mixer, it's got a headphones jack. I don't think that the standard is going to vanish anytime soon in general.

    I like headphones jacks. I have a ton of 1/8" and 1/4" devices and headphones that I happily use. But they weren't doing it for no reason.

    • From what I've read, the big, driving one that drove them out on smartphones was that the jack just takes up a lot more physical space in the phone than USB-C or Bluetooth. I'd rather just have a thicker phone, but a lot of people don't, and if you're going all over the phone trying to figure out what to eject to buy more space, that's gonna be a big target. For people who do want a jack on smartphones, which invariably have USB-C, you can get a similar effect to having a headphones jack by just leaving a small USB-C audio interface with a headphones jack on the end of your headphones (one with a passthrough USB-C port if you also want to use a USB-C port for other things).

    • A second issue was that the standard didn't have a way to provide power (there was a now-dead extension from many years back that is now dead, IIRC for MD players, that let a small amount of power be provided with an extra ring). That didn't matter for a long time, as long as your device could put out a strong enough signal to drive headphones of whatever impedance you had. But ANC has started to become popular now, and you need power for ANC. This is really the first time I think that there's a solid reason to want to power headphones.

    • The connection got shorted when plugging things in and out, which could result in loud sound on the membrane.

    • USB-C is designed so that the springy tensioning stuff that's there to keep the connection solid is on the (cheap, easy to replace) cord rather than the (expensive, hard to replace) device; I understand from past reading that this was a major reason that micro-USB replaced mini-USB. Instead of your device wearing out, the cord wears out. Not as much of an issue for headphones as mini-USB, but I think that it's probably fair to say that it's desirable to have the tensioning on the cord side.

    • On USB-C, the right part breaks. One irritation I have with USB-C is that it is...kind of flimsy. Like, it doesn't require that much force pushing on a plug sideways to damage a plug. However --- and I don't know if this was a design goal for USB-C, though I suspect it was --- my experience has been that if that happens, it's the plug on the (cheap, easy to replace) cord that gets damaged, not the device. I have a television with a headphones jack that I destroyed by tripping over a headphones cord once, because the headphones jack was nice and durable and let me tear components inside the television off. I've damaged several USB-C cables, but I've never damaged the device they're connected to while doing so.

    On an interesting note, the standard is extremely old, probably one of the oldest data standards in general use today; the 1/4" mono standard was from phone switchboards in the 1800s.

    EDIT: Also, one other perk of using USB-C instead of a built-in headphones jack on a smartphone is that if the DAC on your phone sucks, going the USB-C-audio-interface route means that you can use a different DAC. Can't really change the internal DAC. I don't know about other people, but last phone I had that did have an audio jack would let through a "wub wub wub" sound when I was charging it on USB off my car's 12V cigarette lighter adapter --- dirty power, but USB power is often really dirty. Was really obnoxious when feeding my car's stereo via its AUX port. That's very much fixable by putting some filtering on the DAC's power supply, maybe needs a capacitor on the thing, but the phone manufacturer didn't do it, maybe to save space or money. That's not something that I can go fix. I eventually worked around it by getting a battery-powered Bluetooth receiver that had a 1/8" headphones jack, cutting the phone's DAC out of the equation. The phone's internal DAC worked fine when the phone wasn't charging, but I wanted to have the phone plugged in for navigation stuff when I was driving.

    I know someone who works somewhat high up at Apple and he told me another reason was that they really wanted to improve the water proofing.

  • I never have it enabled unless I am in the car driving and need driving directions or listening to music/podcasts. I prefer wired headphones, but manufacturers are making that difficult.

    Because they can't sell you more Bluetooth crap if they give you a choice.

    Stop buying no-Jack phones.

  • What is that site asking me to agree to? No thanks

    GDPR. First time opening a European website? German ones like this are particularly transparent (by law, not choice).

  • The Bluetooth chipset installed in popular models from major manufacturers is vulnerable. Hackers could use it to initiate calls and eavesdrop on devices.

    Source

    Sounds like the attack scenario is very sophisticated and targeted, and only works within the range of Bluetooth low energy (BLE) connectivity, so 10-15 meters under best circumstances. At that point they might as well eavesdrop on my calls in person.

  • The site wants to share info with advertisers. I found this to be refreshingly honest.

    We and our up to 185 partners use cookies and tracking technologies. Some cookies and data processing are technically necessary, others help us to improve our offer and operate it economically...

    Anyway, can we get an archive link?

    It’s strange to think about how complicit the public has become with this. You mean to tell me that 185 separate connections to other companies are required for me to… read an article?

  • I know someone who works somewhat high up at Apple and he told me another reason was that they really wanted to improve the water proofing.

    That's just gaslighting. Other phones had audio jacks, water protection, and you didn't have to hold them funny.

    My bro is a huge apple kool-aid guy and he spouts their dogma word-for-word.

  • It’s strange to think about how complicit the public has become with this. You mean to tell me that 185 separate connections to other companies are required for me to… read an article?

    Well yeah, they have to hoard your advertising data somehow. How else can they advertise things that you don't need to buy?

  • you can just permanently connect your headphones to your dongle

    No. Fuck that. My PC has a headphone jack, and I use it. I don't have a bunch of extra USB-C ports on the front of my computer. Modern phones have plenty of spaces for headphone jacks. They could put it there, they just don't want to.

    I used a USB connection through my KVM to connect to one computer or the next. But it's just something to plug my headphones into the 3.5mm jack.

    Since it never gets unplugged, it doesn't get lost; unlike all those "just have this snowflake dongle in one of all of your stuff so it can get lost monthly and you can buy another" people.

    Again: my startac 7800 had a jack and it was tiny. Apple and Samsung have NO EXCUSE.

  • Or public transit. Or public parks. Or grocery stores.

    Yesss. Find that sploit and please let it never be fixable. I didn't download a copy of The Wheels On The Bus for nothing.

  • Sounds like the attack scenario is very sophisticated and targeted, and only works within the range of Bluetooth low energy (BLE) connectivity, so 10-15 meters under best circumstances. At that point they might as well eavesdrop on my calls in person.

    Directional antennas exist and are very inexpensive

  • The site wants to share info with advertisers. I found this to be refreshingly honest.

    We and our up to 185 partners use cookies and tracking technologies. Some cookies and data processing are technically necessary, others help us to improve our offer and operate it economically...

    Anyway, can we get an archive link?

    Instead of hacking Bluetooth, sounds more effective to be an "advertising partner".

  • The site wants to share info with advertisers. I found this to be refreshingly honest.

    We and our up to 185 partners use cookies and tracking technologies. Some cookies and data processing are technically necessary, others help us to improve our offer and operate it economically...

    Anyway, can we get an archive link?

    You can get/make your own archive link by going to archive.ph and entering the article's URL.

    Here's the link for this one: https://archive.ph/wUAQn

  • The Bluetooth chipset installed in popular models from major manufacturers is vulnerable. Hackers could use it to initiate calls and eavesdrop on devices.

    Source

    Archive link: archive.ph/wUAQn

  • Sounds like the attack scenario is very sophisticated and targeted, and only works within the range of Bluetooth low energy (BLE) connectivity, so 10-15 meters under best circumstances. At that point they might as well eavesdrop on my calls in person.

    Honey i got to go there is a man outside our window with a lapton and an radio antenna
    "Ignore the man outside your window and just read off your credit card number

  • 57 Stimmen
    5 Beiträge
    5 Aufrufe
    S
    Imbezzled. Money was used to pay for somebody's vacation.
  • Deep Dive on Google's TPU (Tensor Processing Unit)

    Technology technology
    1
    45 Stimmen
    1 Beiträge
    4 Aufrufe
    Niemand hat geantwortet
  • 386 Stimmen
    9 Beiträge
    9 Aufrufe
    C
    Melon Usk doomed their FSD efforts from the start with his dunning-kruger-brain take of "humans drive just using their eyes, so cars shouldn't need any sensors besides cameras." Considering how many excellent engineers there are (or were, at least) at his companies, it's kind of fascinating how "stupid at the top" is just as bad, if not worse, than "stupid all the way down."
  • 479 Stimmen
    81 Beiträge
    34 Aufrufe
    douglasg14b@lemmy.worldD
    Did I say that it did? No? Then why the rhetorical question for something that I never stated? Now that we're past that, I'm not sure if I think it's okay, but I at least recognize that it's normalized within society. And has been for like 70+ years now. The problem happens with how the data is used, and particularly abused. If you walk into my store, you expect that I am monitoring you. You expect that you are on camera and that your shopping patterns, like all foot traffic, are probably being analyzed and aggregated. What you buy is tracked, at least in aggregate, by default really, that's just volume tracking and prediction. Suffice to say that broad customer behavior analysis has been a thing for a couple generations now, at least. When you go to a website, why would you think that it is not keeping track of where you go and what you click on in the same manner? Now that I've stated that I do want to say that the real problems that we experience come in with how this data is misused out of what it's scope should be. And that we should have strong regulatory agencies forcing compliance of how this data is used and enforcing the right to privacy for people that want it removed.
  • 465 Stimmen
    133 Beiträge
    50 Aufrufe
    B
    If an industry can't survive without resorting to copyright theft then maybe it's not a viable business. Imagine the business that could exist if only they didn't have to pay copyright holders. What makes the AI industry any different or more special?
  • Apple Eyes Move to AI Search, Ending Era Defined by Google

    Technology technology
    2
    10 Stimmen
    2 Beiträge
    9 Aufrufe
    ohshit604@sh.itjust.worksO
    It’s infuriating that Safari/Apple only allows me to choose from five different search engines. I self-host my own SearXNG instance and have to use a third-party extension to redirect my queries.
  • Microsoft's AI Secretly Copying All Your Private Messages

    Technology technology
    4
    1
    0 Stimmen
    4 Beiträge
    12 Aufrufe
    S
    Forgive me for not explaining better. Here are the terms potentially needing explanation. Provisioning in this case is initial system setup, the kind of stuff you would do manually after a fresh install, but usually implies a regimented and repeatable process. Virtual Machine (VM) snapshots are like a save state in a game, and are often used to reset a virtual machine to a particular known-working condition. Preboot Execution Environment (PXE, aka ‘network boot’) is a network adapter feature that lets you boot a physical machine from a hosted network image rather than the usual installation on locally attached storage. It’s probably tucked away in your BIOS settings, but many computers have the feature since it’s a common requirement in commercial deployments. As with the VM snapshot described above, a PXE image is typically a known-working state that resets on each boot. Non-virtualized means not using hardware virtualization, and I meant specifically not running inside a virtual machine. Local-only means without a network or just not booting from a network-hosted image. Telemetry refers to data collecting functionality. Most software has it. Windows has a lot. Telemetry isn’t necessarily bad since it can, for example, help reveal and resolve bugs and usability problems, but it is easily (and has often been) abused by data-hungry corporations like MS, so disabling it is an advisable precaution. MS = Microsoft OSS = Open Source Software Group policies are administrative settings in Windows that control standards (for stuff like security, power management, licensing, file system and settings access, etc.) for user groups on a machine or network. Most users stick with the defaults but you can edit these yourself for a greater degree of control. Docker lets you run software inside “containers” to isolate them from the rest of the environment, exposing and/or virtualizing just the resources they need to run, and Compose is a related tool for defining one or more of these containers, how they interact, etc. To my knowledge there is no one-to-one equivalent for Windows. Obviously, many of these concepts relate to IT work, as are the use-cases I had in mind, but the software is simple enough for the average user if you just pick one of the premade playbooks. (The Atlas playbook is popular among gamers, for example.) Edit: added explanations for docker and telemetry
  • 0 Stimmen
    7 Beiträge
    12 Aufrufe
    V
    Just downloaded it, thanks for the info!