It Was Harder to Sniff Bluetooth Through My Mask During The Pandemic


August 24, 2023




Track 1

During the pandemic I took up Bluetooth (BT) sniffing as a way to get out of the house. I didn’t know what was out there for BT devices, but it felt important to know what the implications were of the new over-the-air, no-auth, cross-device, firmware-level exploits on BT chips that my wife and others had started publishing. And because BT Low Energy specifically added anti-tracking functionality that didn’t exist in BT classic, I wanted to understand the in-the-wild state of privacy protection within the BT ecosystem.

Bluedriving left me with questions that are different from those you’d ask based on traditional WiFi wardriving. Is there a correlation between poverty, obesity, and BT sleep apnea medical devices? What are the implications of BT on police body cameras? Are BT sniffers going to be (/ already) used as alternatives to license plate cameras for tracking vehicles? Are fitness trackers still making it easy to track humans instead? Can someone steal heavy-construction equipment thanks to BT keyless ignition? Can hackers be tracked by their “portable multi-tool[s]”? Do hotels using BT door locks “open the door” to easier assassinations?

In this talk I will describe some of the most interesting observations from the past few years, and share some perhaps-surprising answer to those questions and more.



Xeno began leading Windows kernel-mode rootkit detection and defense research projects at MITRE in 2009, before moving into research on BIOS security in 2011. His team’s first public talks started appearing in 2013, which led to a flurry of presentations on BIOS-level vulnerabilities up through 2014. In 2015 he co-founded LegbaCore.

And after presenting a firmware worm that could spread between Macs via Apple’s EFI-based BIOS and Thunderbolt Ethernet adapters, he ended up working for Apple. There he worked on securing all the lesser-known firmwares on Macs and peripherals – everything from 3rd party GPUs to SecureBoot for monitors! He also worked on the x86-side of the T2 SecureBoot architecture, and his final project was leading the M1 SecureBoot architecture – being directly responsible for designing a system that could provide iOS-level security, while still allowing customer choice to trust arbitrary non-Apple code such as Linux bootloaders. He left Apple in Dec 2020 after the M1 Macs shipped, so he could work full time on OpenSecurityTraining2