
I constantly get Bluetooth patches in Windows 10.

However, I see no new features; Bluetooth is just Bluetooth. How many possible patches do they need to push to reach a mature protocol? There's no UI, there's no innovation, it's all back-end, bog-standard functionality.

The surface for getting things wrong is quite limited, and the protocol still skips, so I actually do not see things getting better from these patches.

Can this be interpreted as Bluetooth being full of security vulnerabilities?

Recent example on my PC:

Intel Corporation - Bluetooth - 1/9/2017 12:00:00 AM - 19.40.1702.1059
Intel Corporation - Bluetooth - 11/14/2016 12:00:00 AM - 19.30.1646.853
Wadih M.
  • This reminds me of a "similar" question. Take a look at this question: http://security.stackexchange.com/questions/150434/security-of-wi-fi-vs-bluetooth – OscarAkaElvis Mar 04 '17 at 16:04
  • There's a difference between the Bluetooth *protocol* and its implementations. You get patches for the Bluetooth implementation in Windows 10; that doesn't have to say anything about how secure the protocol is. It could be that the patch provides security fixes for the implementation, but also additional functionality for specific devices, for example. – Teun Vink Mar 04 '17 at 16:38
  • @TeunVink that is answer material! – Marcus Müller Mar 04 '17 at 18:26

1 Answer

First I would cite @TeunVink's pretty comment. I don't have anything to add to it...

There's a difference between the Bluetooth protocol and its implementations. You get patches for the Bluetooth implementation in Windows 10; that doesn't have to say anything about how secure the protocol is. It could be that the patch provides security fixes for the implementation, but also additional functionality for specific devices, for example.

...except my own findings, from a Microsoft ex-employee:

Full Disclosure: I worked at M$ from 2014-2015.

MS has some very talented programmers. They're not very common, but they exist. The problem is that the entire company is completely and totally focused on developing an absurd number of new features and products, giving them completely unrealistic deadlines, and then shipping software on those deadlines no matter how half-assed or buggy it is.

The idea is that everything is serviceable over the internet now, so they can just "fix it later", except they never do. This perpetuates a duct-tape culture that refuses to actually fix problems and instead rewards teams that find ways to work around them. The talented programmers are stuck working on code that, at best, has to deal with multiple badly designed frameworks from other teams, or at worst work on code that is simply scrapped. New features are prioritized over all but the most system-critical bugs, and teams are never given any time to actually focus on improving their code. The only improvements that can happen must be snuck in while implementing new features.

As far as M$ is concerned, all code is shit, and the only thing that matters is if it works well enough to be shown at a demo and shipped. Needless to say, I don't work there anymore.

Having many patches doesn't necessarily mean they are all security patches. They are much more probably mainly compatibility and stability improvements.

Microsoft has a strategy of trying to unify their Windows and Windows Mobile development, which means they try to develop both products from the same source tree. It means that improvements to the Bluetooth stack of the Windows Phones can also affect Bluetooth on the desktop OS - they are probably the same source code.

The main security concerns behind the Windows Bluetooth implementation most probably come from Windows Phone - on desktop machines, it most commonly isn't even turned on.

For these reasons alone, I wouldn't say that Bluetooth, as a protocol, is inherently bad. It is much more probable that its Windows implementation has compatibility problems (with earlier software / Windows versions) and may also have other problems, partially security-related ones.

peterh
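To check this on your own machine rather than guessing from the update titles, here is an added example (my own script, not code from the question or the answer) that reads the Windows Update history through the Windows Update Agent COM API and shows the category Windows assigns to each Bluetooth entry, alongside the driver version currently bound to each Bluetooth device. It assumes Windows 10 with the built-in PnpDevice module.

```powershell
# Added example, not code from the question or the answer: inspect the local
# Windows Update history for Bluetooth entries and report the category Windows
# assigns to each one ("Drivers", "Security Updates", ...), then list the driver
# version currently bound to each Bluetooth device for comparison.
# Assumes Windows 10 with the built-in PnpDevice module; runs as a normal user.

# Windows Update Agent COM API: every installed or failed update is a history entry.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$history  = $searcher.QueryHistory(0, $total)

$btUpdates = foreach ($entry in $history) {
    if ($entry.Title -notmatch 'Bluetooth') { continue }
    [pscustomobject]@{
        Installed  = $entry.Date
        Title      = $entry.Title
        # Category names come from the update's own metadata, not from its title.
        Categories = ($entry.Categories | ForEach-Object { $_.Name }) -join ', '
        # OperationResultCode: 2 = orcSucceeded
        Succeeded  = ($entry.ResultCode -eq 2)
    }
}

"Bluetooth-related entries in Windows Update history:"
$btUpdates | Sort-Object Installed |
    Format-Table Installed, Categories, Succeeded, Title -AutoSize

"Entries per category:"
$btUpdates | Group-Object Categories | Select-Object Name, Count | Format-Table -AutoSize

# What is actually in use right now: the driver version bound to each present
# Bluetooth device, to compare against the version numbers in the history.
"Currently bound Bluetooth drivers:"
Get-PnpDevice -Class Bluetooth -PresentOnly -ErrorAction SilentlyContinue |
    ForEach-Object {
        $prop = Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                                      -KeyName 'DEVPKEY_Device_DriverVersion'
        [pscustomobject]@{ Device = $_.FriendlyName; DriverVersion = $prop.Data }
    } | Format-Table -AutoSize
```

Driver packages such as the two Intel entries in the question are delivered through the same history, so their category tells you directly whether Windows classified them as a driver refresh or as a security update.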