Most of us leave Bluetooth on 24 hours a day, 7 days a week. After all, why turn it off if you need it at any time for your headphones, car or smartwatch, right? Mistake. What few people know is that having Bluetooth activated at all times turns your phone into an open door for hackers. And worst of all, stealing your information via Bluetooth is much easier than you imagine.
We’re not talking about science fiction or spy movies. We are talking about real and documented vulnerabilities, with proper names, that have affected millions of devices in 2025 and so far in 2026. If you use an iPhone, an Android, AirPods or Sony headphones, keep reading because this concerns you.
The three most used Bluetooth attacks to steal your data
When cybersecurity experts talk about Bluetooth threats, they always mention three techniques that have been used by attackers for years, and that are still effective today:
- Bluejacking: the most “harmless” of the three. The attacker connects to your device and sends you messages or advertisements without your authorization. Annoying, but not that serious.
- Bluesnarfing: Here things get serious. This attack allows someone to download content from your cell phone without you realizing it, including contacts, photos, messages and passwords. All this using the OBEX protocol, which is normally used to exchange contact cards. The attacker does not send you anything, he simply “pulls” the files from your phone.
- Bluebugging: the most dangerous of all. With this technique, the hacker can take partial control of your phone: make calls, send messages, activate the microphone or access your location. The attacker spoofs the name of the Bluetooth device to trick your phone into pairing again, allowing them to intercept traffic and gain access to the system.
What makes these attacks especially alarming is that the attacker only needs to be about 10 meters away from your device. In a cafe, on the subway, in an airport or in a shopping center, anyone can be a target.
Vulnerabilities that leave your device exposed
If you thought that these threats were a thing of the past, the news of recent months will surprise you. In 2025, researchers from security firm ERNW discovered three critical vulnerabilities (CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702) in Bluetooth chips from Airoha, which are present in dozens of popular headphones such as the Sony WF-1000XM5, JBL Dwell Buds 3, Marshall ACTON III, Jabra and Bose, among others.
How serious was this? As researcher Dennis Heinze summarized it: “Any vulnerable device can be compromised if the attacker is within Bluetooth range. That is the only precondition.” Without the need for the user to accept anything, without clicking on any link, without any interaction.
Furthermore, in January 2026, a vulnerability named WhisperPair (CVE-2025-36911) was reported, which affects the Google Instant Pair protocol and exposes hundreds of millions of Bluetooth accessories from brands such as Sony, JBL, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google itself. This flaw allows attackers to force a pairing with your device without your authorization, allowing them to then listen to conversations, track your location, and hijack calls.
And to top it all off, in September 2025 CVE-2025-48539 was documented, a “zero-click” exploit for Android that acts through Bluetooth by exploiting a race condition in the system kernel. That is, the attacker doesn’t need you to do anything at all: they just need your Bluetooth to be on and to be close to you.
How easy is it to get hacked over Bluetooth
The awkward answer is: pretty easy. You don’t have to be an elite hacker to carry out some of these attacks. There are publicly available tools, forum tutorials, and entire communities dedicated to exploiting these vulnerabilities. The only basic technical requirement for most of these attacks is to be physically close to the victim, which in a city like Caracas or in any busy public space is no obstacle.
Additionally, wireless threats are growing at an alarming rate. According to a Bastille Networks report from March 2026, wireless vulnerabilities are doubling every few years, increasing 20 times faster than the overall, long-established number of reported vulnerabilities.
So what can you do to protect yourself? Here are the most practical tips:
- Turn off Bluetooth when you are not using it. It seems obvious, but it is the most effective. If you don’t need it at the moment, disable it.
- Always keep the firmware of your headphones and the operating system of your cell phone updated. Many of the vulnerabilities mentioned already have patches available.
- Avoid connecting your phone to unknown devices. If your phone asks you to pair with something you don’t recognize, reject the request immediately.
- Do not use “visible to all” mode in public places. Some older devices turn it on by default, making you a much easier target.
- Use headphones with updated firmware. Check if your model appears on the lists of devices affected by the Airoha or WhisperPair vulnerabilities.
At the end of the day, Bluetooth is an incredibly useful technology, but like any front door, if you leave it open unnecessarily, you’re inviting anyone in. The good news is that protecting yourself is as easy as turning off a button when you don’t need it. Is it worth the risk just to not have to activate it again? Clearly not.






