this post was submitted on 16 Jan 2026
426 points (98.9% liked)
Technology
78880 readers
2776 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
By all means call out if I've misunderstood, but the tracking vulnerability isn't that BLE (by design) makes devices visible to everyone within range, it's that by binding an unclaimed device to an account you gain the ability to look up that device via Google's service, rather than needing to be nearby - you can simply ask Google to call on its global network to find "your" device. In other words, there's nothing stopping me from setting an alert when a given BT device is nearby, that's spot on, but I can't fire up Google to look up that device when I'm not nearby, or look up its location history.
And yes needing to have never been connected to an Android device definitely reduces the victim pool, but (and to address the other reply) I'm guessing it'd mean devices that have only ever been connected to iOS, Linux, Windows etc aren't "claimed" and can still be enrolled by the attacker. It's not about default creds, only having used devices that don't enrol with Google is enough, as it leaves the device available to claim.
3.5mm ftw and all that, but I doubt all the parents of teenagers with potentially vulnerable devices will have much luck convincing their kids to switch!
I understand you've read the comment as a single thing, mainly because it is. However, the BLE part is an additional piece of critique, which is not directly related to this specific exploit; neither is the tangent on the headphone jack "substitution". It's, indeed, this fast pairing feature, which is the subject of the discussed exploit; so you understood that correctly (or I misunderstood it too...).
I'm however of the opinion, BLE being a major attack vector, by design. These are IoT devices that, especially when "find my device" is enabled (which in many cases isn't even optional: "turned off" iPhones for example), do announce themselves periodically to the surrounding mesh, allowing for the precise location of these devices; and therefore also the persons carrying them. If bad actors gain access, to for example Google's Sensorvault (legally in the case of state-actors), or would find ways of building such databases themselves; then I'd argue you're in serious waters. Is it a convenient feature, to help one relocate lost devices? Yes. But this nice-to-have, also comes with this serious downside, which I believe doesn't even near justify the means. Rob Braxman has a decent video about the subject if you're interested.
It's not even a case of kids not wanting to switch, most devices don't even come with 3.5mm jack connectors anymore...
Gotcha, and apologies for missing your point.
I agree 100%, the privacy and security tradeoffs are enormous and concerning.
No worries! :)