Can the headphone or earbud (Bluetooth or wired) transmit malicious code, virus, Trojan or any kind of malware from computer to computer?

I have an old computer and I am sure it has Trojan or malicious code but after that i bought new one the problem is i did not change my old headphone that used in my old computer and i plugged it in the new computer so are there any problem to use my old headphone ? and thank you

Can people hack your iPhone Via Bluetooth if you leave it on?

I leave in an apartment complex with lots of people and often times, I would be able to see Bluetooth devices that do not belong to me on my iPhone or MacBook when I search for my Bluetooth device. Does Apple Tell you/ask by default before someone with Bluetooth devices tries to Connect to your phone via Bluetooth? Or is this A potential security Vulnerability to leave your iPhone Bluetooth on at all times? (I do since I use AirPods)

I don’t remember setting or seeing any options to set Bluetooth permission on my iphone which makes me nervous.

Thank you!

Can Bluetooth “headphones” be malicious?

I received a parcel from Amazon which I did not order, addressed to me. It contained Bluetooth earphones. It may just be part of a brushing scam, but it’s got me curious.

So my question is.. Could a Bluetooth device be disguised as earphones and actually contain malware?

When attempting to connect my phone it appears as an audio device but prompts me to “Allow access to contacts and call history”.

Anonimity of Bluetooth tokens

In the context of contact tracing, I have a privacy question.

I have read a few (and “few” is already a bad thing) articles about Bluetooth contact tracing, especially in the context of the Sars-Cov2 pandemic. There are huge privacy concerns in contact tracing.

One solution proposed by reasearchers is to use “changing” device identifiers in order to prevent authorities from tracing an individual’s location history by the usage of beacons in public places or analysis of traces from other devices. The topic is particularly hot in the European Union.

Only question here: regardless of the randomization of the device ID transmitted via Bluetooth, is it already possible to listen for Bluetooth MAC addresses to identify a single device?

Example scenario: in a world where smartphone owners are encouraged to use a legitimate government-powered app (supposed that the government is democratic), a rogue vendor with a large market rate may push a malicious Bleutooth app into their consumer’s phones (a large user base who just clicks on “accept” anything). The malicious app continuosuly scans for Bluetooth MAC identifiers to report home. The addresses are potentially georeferenced. Deanonimyzation might occur.

So far, I have always learned to keep my Bluetooth invisible while I don’t need it and possibly turned off to save battery.

A country or continent-wide contact tracing scheme might be a good excuse to keep Bluetooth on and available for scan.

Question is: what am I getting wrong?

Why are some Bluetooth devices susceptible to ping floods and some are not?

Just for fun, I’ve ping flooded my bluetooth speaker at home using l2ping on Linux and I was unable to connect to it as the pinging continued. I’ve tried flooding my phone and it seems to have received the packets as I got a response (just like the responses i got from my speaker), but I was still able to connect it to my laptop and send files in between. So my question is, why are some devices susceptible to such attack and some not? Is there a mechanism used by my phone that my speaker doesn’t use?

Bluetooth LE with Secure Connection and static passkey: This is a bad idea, right?

I am currently looking into how to protect a BLE connection from active attacks (man-in-the-middle) if one of the devices neither has a display nor a keyboard.

Lemberg Solutions suggests this:

Alternatively, the passcode can be shipped together with the devices (on paper or as part of an online purchase), and the user should then manually input it to each separate device.

This can only mean that one device (device A) (most likely one without a keyboard and without a display) has a passkey embedded in the device somewhere. So it is static. This static passkey is also used by the other device (device B) (e.g. entered using keyboard input, via camera, …). The same passkey will be used every time BLE pairing is established with device A.

Am I understanding their suggestion correctly?

My understanding of Secure Connections with passkey is, that each device does the following for each bit of the passkey:

  • create a nonce
  • calculate a confirmation value using: nonce, passkey[i], SK
  • exchange the confirmation values with the other device (send own, receive other)
  • exchange the nonces (send own, receive other)
  • check that the confirmation value of the other device is correct If one of the checks fails, the connection is dropped.

In the case of a man-in-the-middle attack, the attacker can figure out the passkey by “brute-forcing” each bit. After all, there are only two possibilities for each bit.

This is not harmful for the current connection, because the attacker is “too late” to use the passkey. And it is not harmful if a different passkey is used for the next connection. But this is fatal if another connection is made using the same passkey (which is going to happen if a static passkey is used).

So, after the attacker listened to the pairing attempt, she interrupts the connection (e.g. right after the last set of nonces was transmitted). Now she only has to wait until the next connection attempt is made. She can now hijack the whole connection.

Is my assessment of this situation correct and the static passkey is a bad idea or am I overlooking something?

Security risk of leaving bluetooth on all the time on an Android 10 phone

What are the security risks associated with leaving bluetooth on all the time on a Pixel phone updated to Android 10?

In this question, I am NOT focusing on the risks associated with someone intercepting my conversation using a bluetooth headset as an example.

Rather, I am focused on risks of getting malware similar to the bluetooth worm from a few years ago, which didn’t require any pairing to spread.

My understanding was that Android phones are only discoverable when you click the “Pair new device” option from the Bluetooth menu but not sure if malware can spread even if Bluetooth is not discoverable.

I understand that it is ideal to switch bluetooth off but am trying to understand the risk involved with leaving it on.