iPhone users have a habit of turning off Bluetooth from Control Center, but this does not actually turn Bluetooth off completely.
At the DefCon 2023 security conference in Las Vegas last week, white hat hacker Jae Bochs intentionally pranked iPhone users at the event with a $70 DIY toolkit that took advantage of Bluetooth LE running in the background to send unwanted notifications to recipients.
While it's meant to be funny, the hacker said it could be used for nefarious purposes, and could even be exploited to steal user passwords.
(Image: Control Center on iPhone 14 Pro Max)
According to Bochs, users typically turn Bluetooth on or off by swiping down on Control Center. This is convenient and quick, but Bluetooth doesn't turn off completely. Instead, it simply goes into the background.
“That switch doesn't actually turn Bluetooth (or Wi-Fi) off, even though users might think it does,” Bochs says.
Bochs explained that tapping the Control Center toggle only asks the iPhone to disconnect all directly connected devices. The Bluetooth service itself stays active so that the phone can still identify other Apple devices nearby. Users can turn it off completely only by going to Settings, selecting Bluetooth, and switching the toggle to Off.
According to TechCrunch, although Bochs' experiment was a prank, it is entirely possible for a bad actor to exploit this issue. For example, they could send someone a request to connect their Apple ID or to share a password with a nearby Apple TV.
Apple's support page does mention that Bluetooth and Wi-Fi keep running in the background when users turn them off in Control Center. However, according to security expert Jaime Blasco of Nudge Security, most users still misunderstand this, so the company should offer a quick shortcut that turns these connections off completely.
Apple has not commented.
According to VnExpress