Stealtooth: Breaking Bluetooth Security Abusing Silent Automatic Pairing

TL;DR

Stealtooth uncovers vulnerabilities in automatic Bluetooth pairing that allow silent hijacking and man-in-the-middle attacks, demonstrating widespread issues across devices and proposing security enhancements.

Contribution

This paper introduces Stealtooth, a novel attack exploiting automatic pairing vulnerabilities in commercial Bluetooth devices, with practical demonstrations and proposed defenses.

Findings

Widespread vulnerabilities in Bluetooth automatic pairing

Silent hijacking achievable with commodity hardware

Effective man-in-the-middle attacks demonstrated

Abstract

Bluetooth is a pervasive wireless communication technology used by billions of devices for short-range connectivity. The security of Bluetooth relies on the pairing process, where devices establish shared long-term keys for secure communications. However, many commercial Bluetooth devices implement automatic pairing functions to improve user convenience, creating a previously unexplored attack surface. We present Stealtooth, a novel attack that abuses unknown vulnerabilities in the automatic pairing functions in commercial Bluetooth devices to achieve completely silent device link key overwriting. The Stealtooth attack leverages the fact that Bluetooth audio devices automatically transition to pairing mode under specific conditions, enabling attackers to hijack pairing processes without user awareness or specialized tools. We also extend the attack into the MitM Stealtooth attack, combining automatic pairing abuse with power-saving mode techniques to enable man-in-the-middle attacks. We evaluate the attacks against 10 commercial Bluetooth devices from major manufacturers, demonstrating widespread vulnerabilities across diverse device types and manufacturers. Our practical implementation requires only commodity hardware and open-source software, highlighting the low barrier to entry for attackers. We propose defenses both device and protocol levels, including enhanced user notifications and standardized automatic pairing guidelines. Our findings reveal a critical tension between security and usability, showing that current automatic pairing implementations create systematic vulnerabilities. We responsibly disclosed our findings to affected vendors, with several already releasing patches.