It is increasingly difficult to hide your Bluetooth devices from broadcasting a beacon anymore. Every device seemingly wants to shout to the world to let its presence be known. There is something annoying, not to mention vaguely Orwellian, about how often the plethora of devices one may carry want to let everyone and everything around it know about their presence.
Mac
Disabling discovery on Mac while still using Bluetooth is not too terribly complex. As long as you do not have Bluetooth file sharing enabled in System Preferences -> Sharing, you just have to disable Handoff in System Preferences->General and uncheck “Allow Handoff between this Mac and your iCloud devices“. You can still temporarily be discoverable by opening the Bluetooth control panel for when pairing is necessary. Be aware that if you rely on the Handoff features with this Mac, changing these settings will make Handoff stop functioning correctly.
Windows
On Windows, it seems much trickier. Windows versions before 10 had two checkboxes for “Allow to discover…” and “Allow to connect…” – it seems the “allow to discover” option was removed from Windows 10. I’ve seen some Internet guides on using PowerShell or the Windows Registry to disable discoverability. So far none of these ideas seem to work.
On Windows 11, they even tease you with a dialog that makes it look so simple.
Unfortunately, this checkbox seems placebo. One can turn it off, save, close, and the computer is still discoverable. Going back into this setting (Found in Bluetooth and other device settings -> More Bluetooth settings) will show the checkbox is turned on again. I’ve also read through discussions online for Windows 11 to try and disable discovery via Group Policies. No dice there either.
The best way to disable Bluetooth beacons on Windows, is to just disable your Bluetooth module entirely. This is far from an ideal solution.
Phones
Mobile phones of both Android and Apple flavor seem to be better at hiding their identity, at least to scanning computers. However, more frequently these days they have an always-on Bluetooth beacon if certain device finding features are enabled, some of which (especially on Apple products) will even transmit when the phone is turned off.
With Apple products it is a fundamental operation of the AirTag infrastructure. Although one could argue, “why is my phone, battery power, and data plan being used to support their AirTag network?” Even if you personally do not use AirTags, your device is unwittingly an Internet beacon repeater for their products as you walk, bike, or drive around town.
Headphones and Audio Devices
More headphones and audio devices these days live in a soft-pair universe. Especially the wireless earbud type. Turning them on or opening the case for earbuds will transmit their beacon so nearby devices can find them. This is mostly just the behavior of audio devices now, this makes it easier to switch them between your phone, computer, tablet without having to do some button sequence. Turning them off or putting them into their case and closing it does seem mostly successful in stopping transmission.
Health Trackers
Then there are health trackers from Fitbit, Withings, Garmin and other vendors. The fundamental operation of these products leaves a Bluetooth LE beacon on all the time. The only real way to avoid transmitting a beacon is to let the device run dead or not wear it.
Televisions and Home Electronics
More and more, “smart” televisions, cable boxes, streaming devices, and home multimedia devices like speakers all broadcast Bluetooth beacons. Even some furniture, smoke alarms, and appliances. These are ostensibly stationary devices in your home, so personal privacy is not such an issue. However, what if the burglar of tomorrow can just drive through a neighborhood to map all the devices worth stealing? We are basically at that point now. My neighbor’s 65″ flatscreen TV proudly broadcasts what and where it is 24/7. With a simple Bluetooth scanner, one can gather a manifest of devices in surrounding homes in a few moments.
Does it Matter?
As we live in an increasingly connected world, does it even matter that your devices are broadcasting beacons? They add a level of convenience to make working with wireless products less of a hassle.
I would argue that it does matter. Any device broadcasting a beacon to the world can be tracked. A device worn on one’s person is basically saying, “hey, here is the person!” everywhere one goes. Going a step further, if the device has exploitable software bugs, it can then become an attack vector to hack, while announcing its presence the whole time.
In previous years, it has been revealed that WiFi MAC address tracking is already commonplace in retailers. The tech industry responded by randomizing WiFi MAC addresses to limit tracking, although this only limits tracking to an individual visit. This would also obviously suggest that there is a large enough, compelling dislike of tracking that major handset manufacturers introduce such a feature for WiFi. Collecting Bluetooth beacons is a way to easily circumvent this, with the proper scanning technology in any space.
Bluetooth devices, especially the pocket/handheld variety, can’t rely on address rotations to function. At least not with the current iteration of Bluetooth. The entire protocol would have to be redesigned to support rotating MAC addresses, and many older devices wouldn’t have a path to be upgraded, which would lead to more e-waste.
It really makes no sense why the current solution is for devices to broadcast unprompted beacons. It is trivial to set up devices that can gather Bluetooth MAC addresses and signal strengths. With this free and open information, triangulating the position of a person, a car, a washing machine is so easy that it is creepy.
There is absolutely no reason for a device to broadcast information about itself all the time.
How could this be fixed?
Bluetooth devices could simply listen for a request from a trusted and paired device, and only then respond. They can ignore other devices otherwise and just stay silent. Algorithms for perfect forward secrecy have already been developed in the cellular space as well as in other sectors such as VPN technology to prevent such queries from being easily tampered with or faked. This also has the benefit of better battery life.
The “Find my device” type of technologies could also be designed around this principle. The device remains silent until a specially-formatted time-limited beacon request is issued. The beacon could be derived from a secondary algorithm from the main pairing algorithm. So the primary device pair remains separately secure and reserved for only the primary paired device. Requesting location of your device could send out beacon requests to an increasing circle of devices. Phones and devices owned by others could still transmit this special time-limited location beacon trigger, and if the lost device is nearby, it would report back. This “lost device” mode could even remain activated on the lost device for a length of time, or until the device is found.
This does lessen the chance of a lost device being found via Bluetooth, but perhaps we should have architected a better method of locating devices in the first place.
What can I do for now?
Until the tech industry improves the privacy of Bluetooth, the best way to avoid unnecessary tracking is to just not use Bluetooth devices. This doesn’t mean give up on use entirely, but limiting one’s exposure. Instead of a smart watch, wear a regular watch. Perhaps only carry one’s fitness tracker when actively exercising. Turn off Bluetooth on one’s computer, phone, and tablet, when not in use. Avoid “connected” appliances when possible, which is a good general rule from a frugality and reliability standpoint as well. A basic tenet of engineering design is: the more complex an appliance is, the higher percentage chance it will break faster, as there is just more things that can break. Instead of a smart TV, buy a large computer monitor. This also adds the advantage of removing any “smart” tracking these televisions would otherwise be able to do, which is another topic entirely.