New Bluetooth Vulnerability Allows Remote Takeover of Devices Within Range
Security researchers at EURECOM have identified a critical Bluetooth vulnerability dubbed "BlueGhost" (CVE-2026-28901) that affects Bluetooth specification versions 5.0 through 5.4 and allows attackers within radio range to silently pair with and take control of smartphones, laptops, and IoT devices without any user interaction.
The vulnerability exploits a flaw in the Bluetooth Secure Simple Pairing (SSP) protocol's key negotiation process. An attacker can force a target device to accept a pairing request by manipulating the authentication stage of the SSP handshake, bypassing the user confirmation step entirely.
Testing revealed that the vulnerability affects devices from all major manufacturers, including Apple (iPhones, Macs, AirPods), Samsung, Google (Pixel), Microsoft (Surface), and most Bluetooth-enabled IoT devices. An estimated 4.5 billion devices worldwide are potentially affected.
The Bluetooth Special Interest Group (SIG) has published an updated specification that addresses the vulnerability, but deploying the fix requires firmware updates from individual device manufacturers. Apple and Google have already released patches in their latest OS updates.
Until patches are available for their devices, users are advised to disable Bluetooth when not actively in use and to avoid using Bluetooth in public spaces, where an attacker could be within the attack's effective range of approximately 100 meters.