2/16/2026 at 3:52:14 PM
> We’ve normalised the idea that Bluetooth is always on. Phones, laptops, smartwatches, headphones, cars, and even medical devices constantly broadcast their presence. The standard response to privacy concerns is usually “nothing to hide, nothing to fear.”
I guess anything you send out can be used to profile you.
Some of my friends live on a farm near a semi busy road, however far enough from other farms to not be able to receive their wifi. They showed me their router logging all the wifi access points that appear/disappear. There were A LOT of access points named "Audi", "BMW", "Tesla" etc. similar to those devices leaking bluetooth data. We had a discussion that it would be easy to determine who was passing by at what times due to these especially when you can "de-anonymize" the data for example link it to a numberplate.
I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at.
by trashb
2/16/2026 at 8:57:21 PM
You can do this for much cheaper - all four of your tires are broadcasting a unique ID to report tire pressure, the radio to pick it up is cheap (because cars), and TPMS has no facility to randomize or otherwise secure this.
by luma
2/16/2026 at 9:12:13 PM
It’s actually even easier, your car has a plate on the front with a unique ID that a camera scans, often to automatically track your park time for ticketing.
I can’t really care about obscure Bluetooth tracking when every business has CCTV doing facial recognition.
by Gigachad
2/17/2026 at 12:34:52 AM
Also, you can read the plate from much farther away than the TPMS sensors.
by userbinator
2/17/2026 at 2:11:03 AM
Wait they use this for parking meters?! Which cities?
by hammock
2/17/2026 at 2:24:11 AM
I think they’re pretty common.
Only reason I know is because I wondered if I could walk to the booth and press the button for a new parking ticket and pay for 5 minutes instead of 4 hours..
by harrall
2/16/2026 at 11:09:11 PM
Yeah exactly, with a car I would no longer be expecting any type of privacy, sadly.
Here in Holland we must even have a mobile phone module in every car so it can call the emergencies in case of a crash.
by wolvoleo
2/17/2026 at 1:57:37 AM
It’s all of the EU. It’s literally illegal to sell new cars without a radio transceiver in them.
by sneak
2/17/2026 at 3:06:29 AM
But is it illegal to personally disable it?
by userbinator
2/16/2026 at 9:08:50 PM
Not all cars have active TPMS. My Volvo XC90 had them but in later models they switched back to passive ones. So it is not even a given for higher end models.
by spockz
2/16/2026 at 10:15:11 PM
That's not quite the end of the road, though: The tires themselves often have RFID tags embedded.
by ssl-3
2/17/2026 at 12:26:04 AM
much harder to read rfid at a distance
by m-s-y
2/17/2026 at 1:26:20 AM
It is.
My read through this document suggests that the maximum usable range may be as far as 5 meters, or as little as 1 meter: https://rfid.michelin.com/wp-content/uploads/2024/07/dataShe...
That's not as far as BLE or TPMS can work at, but it's not exactly like the NFC arrangement in a credit card, either. 5 meters is enough for a motivated attacker to do some undetected bulk data collection.
by ssl-3
2/16/2026 at 10:29:23 PM
I've had trouble reading these from more than a few feet away, but I concede that I have no idea what I'm doing
by stirfish
2/16/2026 at 4:38:36 PM
> There were A LOT of access points named "Audi", "BMW", "Tesla" etc.
That's one of the funniest things about wardriving with Wigle on your phone. I can often see the SSID of "Jennifer's Equinox", "Jacks Suburban" right after I get cut off by someone in said vehicle. The vast majority of car bluetooth/wifi I see tends to have varying amounts of identifying information. It's almost as bad as the fact that Apple still defaults to Jacks iPhone/iPad etc with no option to rename the device until you've finished setting it up.
Companies are not out to protect us with default settings and the majority of users need to wake up to this fact.
by officeplant
2/16/2026 at 5:43:46 PM
This might just be me being uninformed as someone who doesn't drive but how are you seeing what wifi networks are available so quickly right after being cut off? My very naive instinct is that looking at your phone or opening up a menu with the available wifi networks on your car's display seems like it would require a noticeable decrease in attention to the road, so I'd almost expect an uptick in being cut off from other people who are annoyed with your driving.
by saghm
2/16/2026 at 6:26:20 PM
Small town, phone is on a dash mounted holder. Sometimes I leave Wigle up just to eye every now and then to see how much crap I'm picking up while war driving.
I am not without sin when it comes to driving a car.
by officeplant
2/16/2026 at 7:07:29 PM
What would be next level wardriving would be to break into their Bluetooth and have a conversation about their driving habits.
It can be done, relatively easily.
by reactordev
2/17/2026 at 2:55:46 AM
> I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is.
I worked for a company about 18 years ago where we did just this. We also sold the technology to car dealerships who were very interested in our silent salesman stuff where you could tie interactions with your web campaign directly to the person walking past the dealership and preload the salesman with all their details.
Grubby stuff nearly two decades ago.
by King-Aaron
2/16/2026 at 8:42:48 PM
> I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at
In the EU this is forbidden unless they explicitly ask your permission. They can still gather aggregate stats but they cannot build a profile on you.
by jorvi
2/16/2026 at 11:27:02 PM
True but I wouldn't put it past them tbh. It's very easy to hide or claim a 'misconfiguration'.
Even the airports here track everyone. They say it's for public safety but I'm sure they use it for market analysis for their expensive sandwich shops too.
by wolvoleo
2/16/2026 at 5:41:02 PM
Don't worry about Teslas being tracked. Via Bluetooth this has existed for at least 7 years [1] (was mentioned on HN as well). Tesla know (also for 7 years), Musk doesn't care 'since license plates can also be tracked'.
I used it in train stations, and get hits when passing highways via train or bus. Esp. fun if you stand still due to traffic lights or traffic jam, since you can try to get a visual.
The only lesson to be learned here is that it allowed one to learn in 2019 Musk is overrated. But you can also learn that lesson from the book The PayPal Wars which predates this by 15 years.
> I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at.
Not allowed in EU.
by Fnoord
2/16/2026 at 8:45:08 PM
> Not allowed in EU.
I'm surprised, I know for a fact that some stores definitely have the ability to do that on their hardware.
by xaldir
2/17/2026 at 1:17:37 AM
Utrecht Central Station does this, there are stickers at the entrance notifying the ‘public’ of this. Or it's just a sticker ;p
by thenthenthen
2/17/2026 at 12:28:17 AM
and i can commit crimes with my kitchen knives, yet they’re still legal
by m-s-y
2/17/2026 at 1:59:41 AM
It’s done in Europe’s second busiest airport, Amsterdam Schiphol. I saw the advisory signs (so they can pretend that you gave informed consent by walking out of the jet bridge) up just last week.
https://media.licdn.com/dms/image/v2/D4D12AQHCyctOFz_EJg/art...
by sneak
2/16/2026 at 4:57:26 PM
There's an Android app that can find devices, make profiles, and you can track location for as long as they're connected. So you can profile passersby and even get notified when the profile passes through again. I forgot what it was called
by jasonfrost
2/16/2026 at 7:49:47 PM
Are you thinking of BLE Radar?
by RunningDroid
2/16/2026 at 7:20:54 PM
Years ago when BT beacons were newish, I was talking to an AdTechBro that wanted to create the ability from Minority Report where the kiosk recognizes a user, not by eye scans but by recognizing mobile device, so they could offer a personalized whatever. The creepiness wasn't something they eased into. It was pretty much instant.
by dylan604
2/16/2026 at 11:11:56 PM
> I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall
They do but most phones rotate the MAC address these days. So while they can still track you through the store (sadly) they don't have the ability to track your recurring visits.
I wish phones had the option to constantly spam broadcasts with random MAC ids. That would make the practice useless.
by wolvoleo
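An added example, not part of the thread: the address rotation mentioned above can be checked for your own devices, because a BLE advertisement marks its address as public or random and, for random addresses, the two most significant bits encode the sub-type. The scan records, the `ROTATION_WINDOW` threshold and the function names are constructed for illustration.

```python
from collections import defaultdict

# Assumption: a private address should not be seen for longer than ~15 minutes.
ROTATION_WINDOW = 15 * 60

# Constructed scan records: (unix_time, address, tx_addr_is_random, advertised_name)
SCAN = [
    (1000, "00:00:5E:00:53:01", False, "Example Car"),
    (4600, "00:00:5E:00:53:01", False, "Example Car"),
    (1000, "5B:32:9C:10:44:AE", True, None),
    (1900, "6F:01:D2:8B:3C:77", True, None),
    (1000, "C4:7E:11:90:AB:02", True, "HR-Strap"),
    (1000, "4C:19:A0:5E:22:F0", True, None),
    (4600, "4C:19:A0:5E:22:F0", True, None),
    (2000, "3A:90:11:00:7F:C2", True, None),
]

def classify(address: str, is_random: bool) -> str:
    """Return the BLE address type from the random flag and the top two bits."""
    if not is_random:
        return "public"
    top_bits = int(address.split(":")[0], 16) >> 6
    return {
        0b11: "random static",           # fixed at least until power cycle
        0b01: "resolvable private",      # rotates, resolvable with the IRK
        0b00: "non-resolvable private",  # rotates, not resolvable
    }.get(top_bits, "reserved")

def audit(scan):
    """Map each address to (type, reasons it can be recognised on a later visit)."""
    seen = defaultdict(list)
    for ts, addr, is_random, name in scan:
        seen[(addr, is_random)].append((ts, name))
    findings = {}
    for (addr, is_random), hits in seen.items():
        kind = classify(addr, is_random)
        times = [t for t, _ in hits]
        names = sorted({n for _, n in hits if n})
        reasons = []
        if kind in ("public", "random static"):
            reasons.append("long-lived address")
        elif max(times) - min(times) > ROTATION_WINDOW:
            reasons.append("private address kept past rotation window")
        if names:
            reasons.append("advertises name " + ", ".join(names))
        findings[addr] = (kind, reasons)
    return findings

if __name__ == "__main__":
    for addr, (kind, reasons) in audit(SCAN).items():
        print(addr, kind, "; ".join(reasons) or "no stable identifier seen")
```

An empty reason list only means nothing stable showed up in these records; payload contents such as manufacturer data are not inspected here.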
2/16/2026 at 5:55:29 PM
> I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at.
Yes, I remember Cisco had a product like this all the way back in 2011. They could pinpoint a customer to an exact position inside a store using triangulation, they would know which shelf you spent time in front of etc. In the 15 years since then, I expect the technology is much scarier and intrusive.
by tskulbru
2/16/2026 at 8:11:22 PM
iBeacon. They know what shelf you're standing in front of. What products you touch and read.
Ever been in an Apple store? Look up. In the dark voids between the edge-to-edge backlit ceiling. There are secrets there. Watching you.
by nofunsir
2/17/2026 at 1:01:55 AM
Not what iBeacon does but an entertainingly dramatic description nonetheless.
by astafrig
2/16/2026 at 8:52:33 PM
Macy's pioneered it before there even were Apple Stores. Back when most people didn't even know their phones had Bluetooth.
by reaperducer
2/16/2026 at 9:48:36 PM
Macy's has Santa Claus since 1947 because that is when Miracle on 24th Street came out. And he even knows when you are sleeping.
by shafoshaf
2/16/2026 at 7:36:39 PM
> We had a discussion that it would be easy to determine who was passing by at what times due to these especially when you can "de-anonymize" the data for example link it to a numberplate.
You could also read the numberplate directly with OpenALPR. It can be finicky to set up a camera to do this reliably in all conditions (particularly at night and high speed) but once done you could detect any car passing, not just ones with wifi access points.
When the law requires us to have numberplates, I think this just has to be considered public information for anyone who is nearby or can leave a camera nearby. It's not ideal to leak it in additional forms that might be easier for people to grab (say, with an ESP32), but it's a matter of degree rather than of kind.
But yeah, I'm with you on some of these others, particularly the medical devices. That's not great.
by scottlamb
2/16/2026 at 8:36:06 PM
There's a difference between public and Public. I go outside with my face visible and I don't mind if my neighbors see me. I do mind if my neighbors stand outside my door with a notepad sketching faces every time they see me or anyone else, especially if they're selling the data. Systematic tracking that isn't subject to the constraints of human memory and apathy fundamentally changes the equation.
by AlotOfReading
2/16/2026 at 10:08:33 PM
> Systematic tracking that isn't subject to the constraints of human memory and apathy fundamentally changes the equation.
I definitely don't approve of mass collection across many cameras, accessible to who-knows-who with minimal if any privacy controls (Flock). But it wouldn't surprise or bother me if my next-door neighbor had ALPR enabled, as long as it's not part of that cloud. YMMV.
Full disclosure: I develop an open source home/hobbyist-oriented NVR, although it doesn't have an ALPR feature or any other analytics today.
by scottlamb
2/16/2026 at 9:05:37 PM
> constraints of human memory and apathy
i like that a lot, brother, thank you!
by thedrexster
2/16/2026 at 4:40:23 PM
I disable bluetooth on my phone, though periodically I find that it's back on.
Edit: iOS
by SoftTalker
2/16/2026 at 5:02:08 PM
I have the opposite experience: GrapheneOS has an option to automatically turn your bluetooth off after a configurable period of not being used. So when I need to use bluetooth, I turn it on like normal. Then, without thinking about it, it automatically turns off. The end result is my bluetooth is only ever on for a couple hours each month when I'm making phone calls.
by craftkiller
2/17/2026 at 2:36:36 AM
Your problem is that you chose an OS that respects you and treats you with dignity.
by 9991
2/16/2026 at 8:00:47 PM
I only see an option to turn back on tomorrow. How do you find this option?
by rationalist
2/16/2026 at 11:09:13 PM
It's under Settings > Security and Privacy > Exploit Protection > Turn off bluetooth automatically
Definitely not the most obvious location. I would have expected to find this under the bluetooth settings.
by craftkiller
2/17/2026 at 3:50:31 AM
Awesome, thank you.
I don't recall that being there when I first installed GrapheneOS. I need to go through the settings more often I guess.
It might be a cool feature if settings were highlighted or had a red dot or something until it was viewed (like an unread notification).
by rationalist
2/16/2026 at 6:58:24 PM
Did not realize I could do that! Thank you!
by littlecorner
2/16/2026 at 11:12:32 PM
I used to fervently keep my bluetooth off on iOS, and I learned that if you turn it off via the Control Center, then it automatically gets turned back on the next day. But if you turn it off via Settings, then it only gets turned back on when the system software updates. (I stopped doing this a couple iOS versions ago, though, so it may have changed since then.)
by joemi
2/17/2026 at 12:12:33 AM
Bluetooth (and wifi) aren't turned off at all through the Control Center - they changed the wording to say "disconnected", meaning that your phone only disconnects from known devices. But both are still turned on for other purposes such as CarPlay, Handoff, and Location Services (via wifi). For the purposes of this discussion, they are potentially still transmitting a known identifier.
Apple reconnects to known devices and networks at 5am:
https://support.apple.com/en-us/102412
Bluetooth and Wi-Fi Aren't Fully Disabled When Off in iOS 11 Control Center
https://news.ycombinator.com/item?id=15297387 (2017, 143 comments)
by jerlam
2/16/2026 at 7:22:16 PM
I miss wired headphones for this purpose. It's the only reason I even have BT enabled.
by dylan604
2/16/2026 at 6:38:36 PM
With iOS the easiest way to make sure it's off and stays off is to build a shortcut to cut off wifi/bluetooth. Otherwise it's typically off until you get geolocated as being back home/work and wifi comes back on.
I have a "store mode" button that just kills wifi/bt that I hit before I go into any store.
by officeplant
2/16/2026 at 8:49:56 PM
what do you gain doing this?
by mcosta
2/16/2026 at 9:15:26 PM
Peace of mind that I'm not being tracked around the store by wifi/bt, and/or having my device fingerprinted for further identification on future visits.
by officeplant
2/16/2026 at 5:40:44 PM
Android now has an option to enable it every day.. (I have it disabled).
by silon42
2/16/2026 at 11:14:39 PM
Sure, stores use WiFi access points and BT to track MAC addresses and BT device IDs. Google does something similar with location and it provides in real time how busy a location is which I find super convenient. It’s a shame that shaping data into useful information also means it can be weaponized.
by voidmain0001
2/16/2026 at 7:46:23 PM
The GrapheneOS variant of Android will disable both Bluetooth and WiFi after a set period of inactivity.
There is also a Bluetooth shutoff app on F-Droid.
https://f-droid.org/en/packages/com.mystro256.autooffbluetoo...
I have also put an Airtag clone in my car (Loshall in iOS mode). That is probably leaking my arrival times. My water meter is also now bluetooth.
by chasil
2/16/2026 at 5:26:47 PM
> I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is.
Many places do this. The department stores in the mall, target, even grocery stores do it.
by autoexec
2/16/2026 at 4:11:45 PM
> even medical devices constantly broadcast their presence
I mean yes, said medical devices are a whole lot less useful to me if they are not transmitting data. For some of this stuff you can't have your cake and eat it too.
by pixl97
2/16/2026 at 4:40:13 PM
I was wardriving my neighborhood and realized my elderly neighbor's CPAP machine is broadcasting some type of BT signal 24/7. I imagine it's transmitting some important stats, but it did make me have a 2nd thought about medical devices being IoT or BT enabled.
by 0x1ch
2/16/2026 at 11:28:53 PM
Yeah I always keep my cpap on airplane mode. It even had 5G. The therapist complains they can't monitor it but I have to come in with the machine and SD card every few months so they can check it then. They don't need 24/7 access.
What bothers me more is that my sex toys broadcast on Bluetooth even when I'm using them through WiFi. It even says the brand in the device name.
Not that I give a fuck what the neighbours think but it's just none of their business. And some toys are for discreet outdoor use too. Though that's not my thing.
In the past I renamed one of my phones to "Lovense Hush" to troll, though I've never seen anyone looking suspiciously. I guess most people aren't creeps like me who check stuff like that :)
by wolvoleo
2/16/2026 at 6:12:31 PM
> being IoT or BT enabled
Please don’t conflate these two. I have lots of BLE wearables and other sensors. They only send data to my own computer which I control, unlike IoT devices which by definition send to a third party on the Internet. To me it is far more important to protect against strangers on the Internet versus someone wardriving the neighborhood.
On a related note, did you know that EU has a Radio Equipment Directive (RED 2014/53/EU) that came into effect in 2025. It all but guarantees that such Bluetooth communication will be encrypted.
by kccqzy
2/16/2026 at 10:18:43 PM
> I have lots of BLE wearables and other sensors. They only send data to my own computer which I control
That's perhaps technically correct, but a naive interpretation of the risk. I don't need to see the data your BLE devices are sending you, all I need is traffic analysis and meta data from the signals they are broadcasting - and they broadcast that to anyone within detection range which includes attackers with much higher gain antennas than you who can likely pick up those broadcasts at ten times the distance any of your devices will communicate at.
"Flying helicopters low and slow over the Tucson desert in Arizona, the FBI has been using "signal sniffers" to try to locate Nancy Guthrie's pacemaker.
As the search for the 84-year-old mother of US Today show anchor Savannah Guthrie entered its third week, investigators took to the sky with advanced bluetooth technology.
They were hoping to pick up signals emitted from the device implanted in Ms Guthrie's chest to help trace her whereabouts, US media outlets NewsNation and Fox News reported."
https://www.abc.net.au/news/2026-02-16/nancy-guthrie-pacemak...
by bigiain
2/16/2026 at 4:32:26 PM
There’s a middle ground here. There is no technical reason a pacemaker constantly broadcasts itself - there are ways to allow communication to such devices without yelling your name all the time. And there is definitely no reason for such a name to be a unique identifier.
by xanrah
2/17/2026 at 2:50:44 AM
That middle ground has been eroded by cost-cutting.
Example: my mother had a cardiac resynchronization device, and it had some kind of NFC type thing to enable the full wireless comms mode: wave a wand over her shoulder and the device's radio wakes up for a set time to send data or receive adjustments. So it wasn't always transmitting, but it did require the doctor's office or hospital to have that NFC wand to initiate any kind of data acquisition or reconfiguration. If it has an always-on BLE radio, the provider would just need the phone/tablet/laptop with appropriate software that is already required.
Since any device like this is already going to have a radio equivalent to a BLE radio, then removing the NFC parts from the device (and especially from the provider side) is some amount of cost savings. I think most patients would disagree that this privacy trade-off is NOT worth it, but you have to remember that the patients aren't usually the actual customers in the US health care system. (And most manufacturers are going to have the US market as a target at least somewhat.) The most common actual customer is actually the insurance companies, and they'll take every single fraction of a penny, along with "an arm and a leg".
by just6979
2/16/2026 at 10:55:15 PM
There are technical reasons, though.
Let's suppose we have a pacemaker, and it has data that is beneficial to read -- maybe even in real-time on their pocket computer, or opportunistically as the patient walks by their reader-device, or however that is done.
So we want this data, and we want it over RF. It probably seems obvious that it should only transmit when it is told to do so, right?
So how do we tell the pacemaker to transmit? On its face, that problem seems solved by integrating a receiver that sits and waits for a valid instruction.
Except: That receiver takes power to run. And since changing batteries inside of a person is problematic, we want them to last as long as they can while still performing the desired task.
Now we get to the not-obvious part: In terms of power, it's often less costly to intermittently transmit a string of data than to continuously operate a radio receiver. And maybe it's a bad idea to have an implanted pacemaker that has an open receiver for anything nearby to try to fuck with, anyway.
But a transmit-only radio? Good luck hacking that.
So... we do intermittent transmission, and this works for pacemakers. It also works for the cheap Zigbee thermometer I have (wherein I don't normally request the temperature; it just delivers it periodically, and it runs for years and years on a coin cell).
(Now: Should that pacemaker data be encrypted? Yes, of course. And so should the ID. In fact, the whole transmission should be indistinguishable from background noise by unrelated devices. In this way, authorized devices can then use pre-shared keys to receive and decode these messages and others receive nothing. That kind of cuts BLE and thus also the pocket computer out of the monitoring mix, but tradeoffs are tradeoffs.)
by ssl-3
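An added example, not part of the thread and not any device vendor's scheme: one way a transmit-only device can avoid broadcasting a fixed ID, as discussed above, is to derive a short identifier from a pre-shared key and a time counter, so only a receiver holding the key can recognise it. The 15-minute epoch, the 8-byte length, the label `adv-id` and all names are assumptions; payload encryption is out of scope here.

```python
import hashlib
import hmac
import struct

EPOCH_SECONDS = 15 * 60   # assumption: the broadcast identifier changes every 15 minutes
ID_LENGTH = 8             # assumption: 8-byte identifier fits a small advertisement

def ephemeral_id(key: bytes, now: int) -> bytes:
    """Identifier the device broadcasts during the epoch that contains `now`."""
    counter = now // EPOCH_SECONDS
    msg = b"adv-id" + struct.pack(">Q", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:ID_LENGTH]

def resolve(observed: bytes, known_keys: dict, now: int, skew: int = 1):
    """Return the name of the paired device that produced `observed`, or None.

    `skew` is how many epochs of clock drift the receiver tolerates either way.
    """
    for name, key in known_keys.items():
        for delta in range(-skew, skew + 1):
            candidate = ephemeral_id(key, now + delta * EPOCH_SECONDS)
            if hmac.compare_digest(candidate, observed):
                return name
    return None

def linkable(ids) -> bool:
    """True if any identifier repeats, i.e. two sightings could be linked by equality."""
    return len(set(ids)) != len(ids)

if __name__ == "__main__":
    # Constructed keys and timestamps for the demonstration.
    device_key = bytes(range(32))
    paired_reader = {"implant-A": device_key}
    stranger = {"implant-A": bytes(32)}          # receiver without the right key

    t0 = 1_000_000
    sightings = [ephemeral_id(device_key, t0 + i * EPOCH_SECONDS) for i in range(4)]
    print("ids over four epochs:", [s.hex() for s in sightings])
    print("linkable by equality:", linkable(sightings))
    print("paired reader sees:", resolve(sightings[0], paired_reader, t0))
    print("stranger sees:", resolve(sightings[0], stranger, t0))
```

A receiver without the key sees a different 8-byte value each epoch; within one epoch the value is constant, so sightings minutes apart can still be linked.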
2/16/2026 at 5:24:21 PM
I mean if not a name, how would a mac id be any different?
by pixl97
2/16/2026 at 5:29:41 PM
What forces devices to constantly stream data? You can batch updates and probably save power thanks to it.
by dietr1ch
2/16/2026 at 6:22:39 PM
Because these BLE devices are so cheap that they don’t have storage. And BLE transmission is already very power efficient: the power consumption of BLE is probably the same order of magnitude as powering flash storage.
by kccqzy