Bluetooth Devices That Spy on You

A few weeks ago, I stopped at a Best Buy store looking for a USB speaker. The package didn’t have much information on it. I had hoped that by making the purchase at a brick-and-mortar type source, I could read the package to be sure to buy something that doesn’t have any microphone. I only needed a speaker and not something that is capable of spying on me.

I found something that looked perfect. The label on the box said “Listen Only”. In the absence of more information on the box, I said to myself, “this is just what I need”.

When I got it home and opened the box, there were instructions inside on how to use an ‘Alexa-like’ service, and how to use it for two-way communications via your cell phone. Apparently the “Listen Only” was just a brand name. What a waste. I got everything I didn’t want, along with the realization that I can’t trust anything that has Bluetooth capabilities.

Does anyone here know a reliable method to find and purchase Bluetooth devices that will not spy on you? Maybe Purism should sell simple things like wireless speakers. I would purchase the wireless speakers that I need from Purism if they were available.

3 Likes

You can look at some of the teardowns on ifixit. They should show if there’s a microphone built in to a speaker.

I feel your pain. I wish Purism would make such a thing too.

2 Likes

Hey Bluetooth, What’s New? : Oh, We Want to Chip You

Hidden Radios in Home Devices (IOT)! The next Cyberthreat

Skynet Went Live June 8! Attn: Alexa Echo and Ring Owners

How About a Home Without Spyware?

1 Like

Rule One is to avoid any peripheral or IoT thing with the word “smart” in its name.

smart = surveillance

4 Likes

I honestly think that Purism should start selling non-smart devices and accessories, including laptop upgrades for their Librem devices, at a markup in order to make more money to go toward their software development. As long as their store makes it obvious that the markup is necessary for their software development, this would be great for everyone. Instead of needing to trust companies like newegg or others with personal information in order to purchase laptop upgrades like RAM, we could purchase such things directly from Purism. They already sell really nice USB drives. Adding RAM, SSD, wired headphones, etc. would be great.

Has Purism considered this yet, @nicole.faerber?

3 Likes

First of all thank you! You pretty much nailed it.

Concerning accessories, yes, that is something we consider of course. RAM/SSDs are usually selected when buying a device, but right, we could also offer these separately for ones who want to upgrade or replace, I will look into that.

As for other real accessories so far we focused on things that fall more into our purview, like the privacy screen filters. Something like headphones is not really something that enhances freedom or privacy and taste e.g. in sound and style are so different, that we tried to stay out of it so far. But maybe we could change that if this is really interesting for customers?

Problem with such SKUs is exactly that, we need to create an SKU, manage that, source the parts, keep stock etc. So it is also actual effort even if we just push items through the door. But yes, we are considering these items and will grow our offering over time.

Thank you for the feedback, very much appreciated!

Cheers
nicole

4 Likes

Thanks for responding Nicole. If Purism were to offer a Bluetooth speaker that might go for $40 on Amazon or for $150 at Best Buy, and mark it up to around $100 with a slightly more powerful audio level and no spying, I would feel good about buying one or more of them and letting Purism make a higher profit margin on it, to also help fund Purism’s social purpose.

Those Alexa-like features that are getting more difficult to avoid in new speakers really creep me out because I know that the speaker device is also hijacking my internet connection to make the voice work and to upload my personal information to who knows where, when all I want is a higher volume level from my laptop.

I work in the semi-conductor business and know that just a chip with Bluetooth capability and a good audio amplifier, and an attractive case (for the most part) would leave room for a larger profit margin. If Purism laptops and phones don’t have especially large speakers, this might also enhance the user experience of those products as well.

2 Likes

I also wanted to say that I do have a hard time justifying in my mind, any mark-up of true “commodity products” (RAM, SSD drives, etc) by Purism. Maybe after I receive my first Purism product (my Librem 5 pre-order), I might order more Purism products after that and get more into feeling more of a loyalty to Purism and buying commodity products that are marked-up to support the social purpose at that time. The relationship hasn’t gotten there yet. At some point, I might feel better about buying marked-up commodity products (SSD drives, RAM, etc) from Purism. But for now, not so much.

But a unique, otherwise unavailable product that I know I need now and can’t find elsewhere is a totally different story. The example of a secure speaker is just one example. When the speaker (or other unique difficult-to-find secure product) arrives, that is instant gratification (unlike a pre-order), for a relatively low cost product, as opposed to a whole laptop for several hundred to thousands of dollars. A unique, lower-priced product that I know I want now, leaves more room for Purism to mark it up to get a higher margin as an entry-level purchase from a new Purism customer. If I like the wireless speaker (for example), I might even buy a Librem Mini while waiting for my Librem 5.

I am not really sure what kind of Bluetooth speaker you are talking about here?

Simple Bluetooth speakers there are plenty on the market which also do not spy on you, at least I would not know how - I am using e.g. one from Bose and another one from Anker, just plain Bluetooth A2DP speakers.

“Smart” speakers are a different story altogether though, of course. There you might expect assistants and stuff, which e.g. Mycroft tried to do in a free software and non-evil as possible fashion. But that’s a non trivial task and a huge effort on its own.

Cheers
nicole

3 Likes

Pine64 already does some of that.

1 Like

Bluetooth can be tracked on local space up to 100m. Someone called Bjørn Martin Hegnes tested it. He took his bike and rode 12 days 300km through a city. He caught 1.7 million messages, tracked more than 100 speaker models and could track some individual speakers over days because they had static MACs.

The article I read about it is in German, but with translation tools people may be able to read it: https://netzpolitik.org/2021/tracking-wie-bluetooth-kopfhoerer-unseren-standort-verraten/

1 Like

Simple Bluetooth speakers seem to be rapidly leaving the market now. If they are out there, I can’t find and identify them. Where they do exist, you can’t tell which ones they are because they are not known by any name that a person would know to look for, in the rare event that the packaging on the product or Amazon write-ups even talk about.

When it comes to having some of them, yes and I have some of them too, that I bought a few years ago. But just try finding some of them to buy new now. Even in Amazon’s Q&A section on any given Bluetooth speaker product, no one cares to ask about privacy. Everyone seems to think of “smart” as a good thing and the latest feature they want. If a seller does have non-smart Bluetooth speakers, they don’t advertise that their product lacks the “smart” features.

2 Likes

So for Bluetooth and traceability there are AFAIK two threats.

  1. Bluetooth device is “discoverable”
  2. Bluetooth device is a Bluetooth Low Energy (BLE) sometimes also called “Bluetooth Smart” device.

(1) applies to so-called “Bluetooth classic” devices. In classic Bluetooth you would normally not be able to see (and thus track) a device unless you either (a) already know its MAC address or (b) the device is in “discoverable” mode. So case (a) is not so much a concern for privacy, but (b) can be. Most classic devices need to be deliberately put into discoverable mode. But in the recent years especially consumer electronics wanted to make the pairing process easier and so some of them fall back to discoverable on their own if the paired host is not reachable. Sadly indeed some headphones and eventually also speakers do that (and e.g. my brand new car is also always discoverable - grrr). So in general, yes, here I’d agree that choosing proper firmware could help here. But many devices also behave well. For example the speakers I mentioned (Bose and Anker) have to be put into discoverable mode using a button, so you have control.

(2) is a bigger problem. BLE has been designed in a way that BLE devices have to advertise themselves, of course including their MAC. They do this in varying time intervals (depending on application) but most of the time as soon as a BLE device becomes active it starts to broadcast these advertisement packets. This is at the very core of the protocol and almost can not be prevented, this is how it is designed. But this only applies to BLE end devices, not for a host that wants to connect to such devices, these hosts stay invisible unless they start to advertise themselves to become visible for others, but this rarely is the case. So your smartphone or laptop or such will usually not advertise itself. But your BLE enabled smartwatch, fitness tracker, smart home appliance etc. all these usually do this, all the time!

And I totally agree, BLE devices are best friends for all three letter agencies! Tracking devices everyone now starts to voluntarily carry around with them all the time. WTH!?

Take a BLE scanner app (or on a Linux device as root do “hcitool lescan”) and sit down in some mall or other crowded public place, you will be blown away by the number of BLE MAC addresses floating by. Even worse BLE has pretty one dimensional pinpointing of devices, i.e. BLE can pretty well guess the distance. Take two receivers and you can triangulate on a line, take three and you have a pretty good idea about where a BLE device is located. BLE devices are dirt cheap so deploying not just three but dozens and hundreds in public spaces is probably the cheapest and most efficient way to trace individuals in large crowds.

Even though there are ways to remedy this a bit by MAC randomization or selective advertisement this does not really help much. And with BT5 this even gets worse, device locating becomes part of the specification.

So yes, these two details I see and should be avoided. But right now I think there are still enough devices on the regular market that do not do this so we do not need to create our own - not yet at least.

Cheers
nicole

5 Likes
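The static-versus-randomized address point from the posts above, as an added example that is not part of the thread: a Python sketch for auditing scan results from your own devices, flagging addresses that stay stable across days. The observation tuples, device names and addresses are constructed; the public/random flag is assumed to come from the scanner alongside each advertisement.

```python
from collections import defaultdict

# Constructed sample observations: (day, address, address_type, name).
# address_type is the public/random flag reported with each advertisement.
OBSERVATIONS = [
    (1, "00:11:22:33:44:55", "public", "Speaker-A"),
    (4, "00:11:22:33:44:55", "public", "Speaker-A"),
    (1, "C4:7C:8D:6A:12:F0", "random", "Tracker-B"),
    (9, "C4:7C:8D:6A:12:F0", "random", "Tracker-B"),
    (1, "5B:22:9E:01:44:AA", "random", "Watch-C"),
    (2, "7F:10:3C:9D:0B:21", "random", "Watch-C"),
    (3, "2E:91:55:AB:CD:EF", "random", "Beacon-D"),
]

# For random addresses, the two most significant bits give the subtype.
RANDOM_SUBTYPES = {
    0b11: "static-random",           # fixed at least until power cycle
    0b01: "resolvable-private",      # rotates; bonded peers can resolve it
    0b00: "non-resolvable-private",  # rotates; nobody can resolve it
}

# Address kinds that do not rotate and so identify the device over time.
STABLE = {"public", "static-random"}


def classify(address, address_type):
    """Return the BLE address kind for one advertiser address."""
    if address_type == "public":
        return "public"
    top_bits = int(address.split(":")[0], 16) >> 6
    return RANDOM_SUBTYPES.get(top_bits, "reserved")


def trackable_across_days(observations):
    """Map each stable address seen on more than one day to those days."""
    days = defaultdict(set)
    for day, address, address_type, _name in observations:
        if classify(address, address_type) in STABLE:
            days[address.upper()].add(day)
    return {a: sorted(d) for a, d in days.items() if len(d) > 1}


if __name__ == "__main__":
    for addr, seen in trackable_across_days(OBSERVATIONS).items():
        print(addr, "stable address seen on days", seen)
```
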

Some additional info regarding BLE and IoT devices …

Hey Bluetooth, What’s New? : Oh, We Want to Chip You

Hidden Radios in Home Devices (IOT)! The next Cyberthreat

For my home speakers, I don’t care if they are easy to hack, as long as there is no microphone spying on me, using my internet connection for the device to phone home to whoever is doing the spying. For a pair of dumb Bluetooth speakers, the only people that can hack me would be my immediate neighbors. Without a built-in microphone, all they’ll get is the music that I am listening to. They are welcome to it. But that is entirely different than anyone hearing the conversation in the room too. It’s the microphones, the “smart”, and the internet that pose the problem. Our society has become too “smart” for their own good.

2 Likes

ICYMI: All speakers can be turned into microphones and not just for the music being played in your speakers.

2 Likes

Indeed, this has had me wondering if the mic kill switches on the Librem devices really cover it

Good point. Perhaps there needs to be a speaker kill switch too. Thoughts @nicole.faerber?

That’s IMHO a slippery slope and one needs to be a bit careful here. Yes, of course, in fact a microphone is nothing else than a specialized speaker - or vice versa. A membrane and some sort of electrical pieces that can translate either electric current into movement of the membrane or vice versa.

So yes, in theory this is possible. But… the system is not only comprised of that acoustic transducer, there is a lot more to it. Going backward from the speaker first there is an amplifier. The digital/analog (D/A) converter of the audio codec usually can not drive a speaker on its own since a speaker needs power, like real power (in terms of Watt) so that you can hear anything. But these amplifiers are physical units, i.e. not some programmable thing, these are a bunch of transistors with capacitors etc. - and these only work in one direction, they take the weak signal from the D/A and amplify it. These do not work backwards, they simply can’t, there is no current flowing.

Some codecs allow pins to be reconfigured, like muxing on microcontrollers. You can map inputs and outputs to arbitrary pins. So let’s assume the speakers are connected to pins of the codec that could be turned from output into input. This would not result in any audible signal from the “speakers”, it will not turn the speakers into microphones since the amplifier is still sitting in between and it will not backdrive anything to the input. So unless you can also circumvent the amplifier there is no way to do that.

In current devices, i.e. also our current devices, we use codecs which include the amplifier for the speakers in the codec chip itself. It’s not the most powerful amp (IIRC just .5Watt) but enough to drive the built in speakers. These codecs have dedicated pins for these amplified outputs and these pins, as far as I can see in the codec documentation, can not be reprogrammed as inputs.

This is e.g. the codec used in the Librem14 laptop:

On the left are the pins 42-45 which drive the speakers, these are dedicated amplified pins not suitable for anything else than driving the built in speakers. Same thing applies to the Librem5 phone (other codec but same principle, amplifier sitting in between which can not be repurposed). The Librem Mini does not even have speakers.

So at least for our devices (and I am pretty sure this applies to most other devices too) turning a built-in speaker into a (spying) microphone is only a theoretical but not a practical problem.

The attack description I have found seems only to apply to some of the other I/O of the codec, e.g. use for line in/out or the headphone jack. I think before we implement another hardware kill switch it is way easier to just advise to unplug your headphones instead…

Cheers
nicole

9 Likes