I'm using Windows and only asking here because Google says it's a Linux thing, but my question is what is a Bluez and why was it trying to connect to my computer at 5AM this morning?

  • tunawasherepoo@iusearchlinux.fyi
    1 year ago

    This does sound very unusual that it would try to connect, so I wanted to add more context about how Bluetooth works, which might help figure out where to look next or if you should look into it at all.

    In Bluetooth there is the idea of a central device and peripheral device. Peripheral devices advertise their existence in hopes that a central device establishes a connection. The central device always has the final say. For example, a phone (central device) connecting to Bluetooth headphones (peripheral device).

    Your computer should really only act as a central device. So you get to choose which devices are allowed to connect … but there are two exceptions:

    • a device can auto-connect to a previously paired device. Maybe you accidentally paired with the Linux device, or thought it was another device. You can unpair / forget the device if you did.
    • special software which auto-connects to devices. For example, the Nintendo Switch auto-connects to controllers when the "change grip/order" menu is open. I think this would be very unusual, even for malware.

    Technically, the Bluetooth spec does allow Bluetooth devices to be a central and peripheral at the same time. In theory if Windows is advertising itself as a peripheral, then the Linux device could connect as a central. The issue is, I don't know if or when Windows is sending these Bluetooth advertising packets. Maybe when Bluetooth settings are open or if you have a Wi-Fi hotspot enabled?

    Also, not all devices support running both modes at the same time, so you can rule it out if the device can't be a peripheral. According to this guide, this is how you check that: https://www.howto-connect.com/see-if-windows-10-pc-supports-bluetooth-low-energy-peripheral-role/

    If it just appeared in the connectable device list, then there is nothing to worry about really; Bluetooth has some range to it, and it could just be a neighbor's device.

    • JokeDeity@lemm.eeOP
      1 year ago

      Great point that I hadn't even considered, why was it initiating the connection? That actually just made me all the more confused and paranoid about the whole thing. I use a Bluetooth dongle, but I figured it was acting as a central device as expected.

      • tunawasherepoo@iusearchlinux.fyi
        1 year ago

        I think I'm still confused on how you came to know the device was trying to connect to you :D Was there a Windows notification? Did it ask you to enter or confirm a code? Were you using Bluetooth in general at the time?

        I guess my main proposal is that central device can't begin to initiate to another central device. In the discovery phase, a central device is like an ear, and a peripheral device is like a mouth. Ears can't speak to other ears, and mouths can't listen to other mouths. Mouths don't know if ears are even there to listen, only the ears can initiate a connection.

        In most cases Windows is like an ear. Neither a central nor peripheral can initiate a connection to you. Only you can initiate a connection to some other peripheral.

        However, Windows can act like a mouth under specific circumstances; specifically, I found that you can use your computer as a hotspot and share over Bluetooth. Sharing over Bluetooth means Windows opens its Bluetooth mouth to tell anyone willing to listen that it is connectable. So if you were doing something Bluetooth related at the time it could have allowed a foreign (central) device to initiate a connection.

        • JokeDeity@lemm.eeOP
          1 year ago

          It's funny, everyone keeps asking the same things so I have to keep typing the same information in this thread. 😅

          It came up as a Windows notification center popup in the bottom right corner of the screen saying it was trying to connect or something like that, but when I clicked on it, it came up with a different window offering me yes or no, I clicked no, then it came up in the bottom right corner again starting the loop over, I clicked no several times before opening the connected devices app and disabling Bluetooth completely. This all happened in about 60 seconds as I saw it when grabbing my keys to leave for work at 5am, no one else was awake and I wasn't interacting with ANY devices or my computer at all beforehand.

          • tunawasherepoo@iusearchlinux.fyi
            1 year ago

            Sorry 😅 I probably could have taken a closer look at other comments, but in any case this paints a nice picture for me, thank you :)

            Edit: Actually I decided to boot into Windows and test this a little myself, and it turns out when Bluetooth is on it is discoverable (Windows is a peripheral, the BlueZ device is a central wanting to connect). When I connected from my phone to my computer, it seemed more accurate to what you described too. If you don't use Bluetooth, disable it, or make your device not discoverable. 😅

            It does help to know it was a notification and to know what was in it. I was able to find an image which looked similar and led me to find a Windows feature called Swift Pair. It lets you connect to a Bluetooth device via notification, rather than in the settings. You can try disabling Swift Pair if it is enabled.

            Here is my conclusion:

            As others said, BlueZ is essentially the program that allows Bluetooth to run on Linux. The name alone doesn't tell you if the person behind has malicious intent.

            It's possible that somebody was making a Swift Pair compatible device using Linux. Maybe they thought 5AM was early enough that the Swift Pair notification would only show up on their computer since they wouldn't be able to prevent other people from seeing it otherwise 🤷

            It could also just be some device rebroadcasting itself on a clock. I'm not sure why or what you would do with this other than to annoy people?

            If you especially don't trust your neighbors and want to imagine a worst case scenario, it could be spoofing something like a Bluetooth keyboard, rebroadcasting until someone connects, and runs a series of shortcuts / commands to infect your computer to replicate the virus further. ((Issue is, it doesn't make sense they'd develop on Linux with BlueZ even though the virus could only propagate on Windows. Kinda fun to think about regardless though))

            I hope that answers your question :)
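
Added example, not part of the original thread: a small parser that takes a raw BLE advertising payload (as a scanner or sniffer would log it) and reports whether the advertiser is discoverable and whether it carries a Swift Pair beacon, which is what makes Windows show the pairing notification. The beacon layout (Microsoft company ID, beacon ID `0x03`, sub-scenario byte, reserved RSSI byte, display name) is assumed from Microsoft's public Swift Pair documentation; the sample payloads are constructed.

```python
import struct

MICROSOFT_COMPANY_ID = 0x0006  # Bluetooth SIG company identifier for Microsoft
SWIFT_PAIR_BEACON_ID = 0x03    # assumption: layout per Microsoft's Swift Pair docs
SUB_SCENARIOS = {0x00: "LE only", 0x01: "LE + BR/EDR", 0x02: "BR/EDR, LE discovery"}

# Constructed sample payloads (not captured from any real device).
SAMPLE_SWIFT_PAIR = bytes.fromhex("020106" "0dff0600030080" "44656d6f204b42")
SAMPLE_PLAIN = bytes.fromhex("020106" "09094e65696768626f72")

def parse_ad_structures(payload):
    """Split an advertising payload into (ad_type, data) pairs."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:  # zero length means padding: nothing more to read
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def describe(payload):
    """Summarise what a single advertisement tells a listening central."""
    info = {"discoverable": False, "swift_pair": None, "name": None}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == 0x01 and data:  # Flags: bits 0/1 = limited/general discoverable
            info["discoverable"] = bool(data[0] & 0x03)
        elif ad_type in (0x08, 0x09):  # shortened / complete local name
            info["name"] = data.decode("utf-8", "replace")
        elif ad_type == 0xFF and len(data) >= 5:  # manufacturer specific data
            (company,) = struct.unpack_from("<H", data)
            if company == MICROSOFT_COMPANY_ID and data[2] == SWIFT_PAIR_BEACON_ID:
                info["swift_pair"] = SUB_SCENARIOS.get(data[3], "unknown")
                if data[3] == 0x00 and len(data) > 5:  # name follows the RSSI byte
                    info["name"] = data[5:].decode("utf-8", "replace")
    return info

if __name__ == "__main__":
    for sample in (SAMPLE_SWIFT_PAIR, SAMPLE_PLAIN):
        print(describe(sample))
```

An advertisement with `swift_pair` set explains a pairing popup on nearby Windows machines; one without it would only appear in the device list in Settings.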

            • JokeDeity@lemm.eeOP
              1 year ago

              I'll still never probably fully know what happened, but that was a great reply and I appreciate all your help. Luckily my direct neighbors on both sides are old AF and I trust them to not be doing anything like this because they wouldn't even know what any of it means, but the sketchy businesses behind us that include a liquor store, vape shop and sex shop among others I can't say I trust as much. I'm glad Windows was kind enough to ask instead of just connecting. 😂