If I pair my Android phone and my laptop, I can share files over Bluetooth from the phone to the laptop. I’ve started finding this a really convenient method for me to send files to a Linux laptop without needing to install a separate app on either the phone or my laptop. Especially when I’m away from my home network (I use SFTP at home).

How secure is this? Is there encryption by default and could someone else nearby with a receiver potentially decode the file you’re sending?

  • Nursery2787@lemmy.ml · 1 up · 2 hours ago

    Bluetooth is very insecure. Almost all the security comes from needing devices to be close together. And even the latest standards/devices won’t be that secure because the goal of the tech is simple easy connections with low latency. Encrypting your music stream would piss away battery power while you listen to Trump ASMR.

    As others have said, there are plenty of downgrade attacks unless your devices are basically the latest and the protocol is set to encrypted file sharing.

    You mention an Android phone and a Linux laptop. If you’re worried about security then use a USB cable as the gold standard, or transfer encrypted files only. If you like convenience then just look around you for anybody suspicious.

  • catloaf@lemm.ee · 18 up, 1 down · 3 days ago

    It is extremely unlikely that there would be a motivated enough attacker to target you. And if someone is not targeting you, but just attacking everyone in range, it’s unlikely the files you are transferring are of any value to them.

      • SkyezOpen@lemmy.world · 11 up · 3 days ago

        Nobody sane is transferring legendary pepes unencrypted over Bluetooth. I use an encrypted USB delivered by courier with key provided upon proof of receipt (and payment, of course). Other than that they stay on an airgapped machine or cold storage.

  • ArbiterXero@lemmy.world · 19 up, 2 down · 3 days ago

    It’s actually entirely horse shit.

    Only the very newest products that are on the latest standard are secure.

    It all looks secure and sounds secure and feels secure with all the encryption…

    But about 2 years ago there was a downgrade attack that was proven to affect basically everything.

    Bluetooth security might as well be a flashing neon sign of your data.

    Now it’s not quite that simple and some people have updated their devices etc.

    But almost nobody actually has done that because Bluetooth devices are “fire and forget”.

    I mean when’s the last time you updated the firmware on your headphones or keyboard?

    Mostly “never”

      • ArbiterXero@lemmy.world · 1 up · 2 days ago (edited)

        The firmware on the devices likely isn’t updated much by the manufacturers.

        So “it really depends”.

        Unfortunately unlike WiFi, the encryption is built into the firmware in ways that don’t update much because they make everything backwards compatible so you don’t notice.

      • SkyezOpen@lemmy.world · 2 up, 2 down · 3 days ago

        Android will update and restart your shit without consent at night so your phone doesn’t fully boot and your alarm doesn’t go off. Ask how I know.

        • ERROR: Earth.exe has crashed@lemmy.dbzer0.com · 2 up · 3 days ago (edited)

          There’s a way (at least on Samsung) to disable auto updates.

          Turn off “Auto update over wifi”, then mark all wifi networks as “metered”. Voila! The system will treat wifi as mobile data and not auto download the update.

          Btw, in modern Android versions, the alarm will work in BFU (Before First Unlock) mode if you use the system clock app. (Third-party alarm apps will not work in BFU mode. Actually, third-party alarm apps do work.)

    • Nighed@feddit.uk · 2 up · 3 days ago

      You have to be pretty close to sniff Bluetooth data though. So fine at home, less so in a busy public space. (The chances of someone there trying to hack your Bluetooth are still astronomically small.)

      • ArbiterXero@lemmy.world · 4 up · 2 days ago

        Low odds because “you aren’t worth the effort required”, agreed.

        But the distance officially is like 33 feet to 300 feet depending on the adapter.

  • lorty@lemmygrad.ml · 1 up · 2 days ago

    It’s alright, but if you really want it to be private, especially when in a public space, you should use a cable. It would be faster too.

  • kekmacska@lemmy.zip · 7 up, 2 down · 3 days ago

    How can you send files over Bluetooth when you are not home? You are confusing it with something else. Bluetooth has a 10 meter radius. Also, it is not secure at all; if you send important files and suspect that someone might be eavesdropping within 10 meters, don’t use it.

    • Nighed@feddit.uk · 12 up · 3 days ago

      … I assume they have both the phone and laptop with them when they are away from home?

      • llii@discuss.tchncs.de · 4 up · 3 days ago

        No, thanks:

        It uses a WebRTC peer-to-peer connection. WebRTC needs a signaling server that is only used to establish a connection. The server is not involved in the file transfer.

        If your devices are paired and behind a NAT, the PairDrop TURN Server is used to route your files and messages.

        • Deckweiss@lemmy.world · 2 up · 3 days ago (edited)

          What’s so bad about servers?

          Both are open source.

          The signaling server just sees the IPs of your devices and matches them by roomID.

          The TURN server sees only locally encrypted files and your IPs (and it is used only IF you are behind a NAT).

          As far as I see, there is no way for anything bad to happen, but I am happy to learn if you know something. If you need it for a proof, I’d gladly give you some of my IPs and encrypted files; see what you can do with them.

          • llii@discuss.tchncs.de · 2 up · 2 days ago

            My concern has more to do with metadata, which can be collected. If there’s a local alternative or a self-hosted one for something, I’m more inclined to use these than something that depends on a third party.

            • Deckweiss@lemmy.world · 3 up, 1 down · 2 days ago

              The file does not get uploaded to remote servers. It passes through them, fully encrypted, and the server does not have the keys to decrypt your files.

              • kekmacska@lemmy.zip · 1 up · 17 hours ago

                If it passes through, that means it is present on the server’s storage, even if for a short period of time.

                • Deckweiss@lemmy.world · 1 up · 14 hours ago (edited)

                  All your data and traffic passes through various routers and servers (both of which are computers and have memory) while you do anything on the internet (you can find the list of such computers by doing a traceroute). But because it is end-to-end encrypted, you don’t care.

  • Natanael@slrpnk.net · 8 up, 1 down · 3 days ago

    It is encrypted, but the security of the encryption varies between implementations (some have been found to generate keys insecurely or screw up session management, etc.). For most modern devices it’s decent, as long as you’re not actively targeted by some kind of intel agency.
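    Following up on the point that the encryption quality depends on what the two devices actually negotiated (and on the downgrade concern raised above), here is an added example, not posted by anyone in the thread, that reports which kind of link key BlueZ stored for each paired device on a Linux laptop. It assumes BlueZ's on-disk layout of /var/lib/bluetooth/<adapter>/<device>/info with a [LinkKey] section whose Type= field uses the HCI link key type codes; reading that directory normally requires root.

```bash
#!/bin/sh
# Added example: classify the Bluetooth BR/EDR link key BlueZ saved at pairing time.
# Assumption: BlueZ stores pairing data in /var/lib/bluetooth/<adapter>/<device>/info,
# with a [LinkKey] section containing Type=<n>, where <n> is the HCI link key type.

# Map an HCI link key type number to a one-word verdict about the pairing.
linkkey_verdict() {
    case "$1" in
        8) echo "secure-connections" ;;   # Authenticated P-256 key: Secure Connections, MITM-protected pairing
        7) echo "sc-unauthenticated" ;;   # P-256 key but "Just Works" pairing: encrypted, no MITM protection
        5) echo "ssp-authenticated" ;;    # P-192 Secure Simple Pairing, authenticated (pre-Secure Connections)
        4) echo "ssp-unauthenticated" ;;  # P-192 Secure Simple Pairing, unauthenticated
        3) echo "debug" ;;                # Debug combination key: publicly known, never acceptable
        0|1|2|6) echo "legacy-pin" ;;     # Pre-SSP keys derived from a PIN
        *) echo "unknown" ;;
    esac
}

# Print the Type= value from the [LinkKey] section of one BlueZ info file
# (prints nothing for LE-only devices, which have no [LinkKey] section).
linkkey_type() {
    awk -F= '/^\[/ { section = $1 }
             section == "[LinkKey]" && $1 == "Type" { print $2; exit }' "$1"
}

# Walk every paired device on this machine and print: device MAC, key type, verdict.
audit_paired_devices() {
    for info in /var/lib/bluetooth/*/*/info; do
        [ -f "$info" ] || continue
        t=$(linkkey_type "$info")
        [ -n "$t" ] || continue
        printf '%s\t%s\t%s\n' "$(basename "$(dirname "$info")")" "$t" "$(linkkey_verdict "$t")"
    done
}

# Prints nothing when the directory is unreadable (e.g. not run as root).
audit_paired_devices
```

    Anything other than secure-connections for the phone means the transfer is still encrypted, but the pairing step itself was weaker than the current standard allows, and re-pairing with both devices on current firmware is the fix.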

  • Telorand@reddthat.com · 2 up · 3 days ago

    I’ve been using Flying Carpet, and it works pretty well. You can read about the encryption decisions further down the README.

    https://github.com/spieglt/FlyingCarpet?tab=readme-ov-file

    It utilizes the LocalOnlyHotspot API, and the data is encrypted in transit (and any potential hacker would have to be on the WPA2-protected network that’s generated, anyway). I recommend reading more about it yourself and not just taking my word for it.