June 10, 2026

The Threat Inside the Hearing Aid

May 2026  |  Wireless Security and IC Policy

How Bluetooth 5, ICD 124, and Satellite Connectivity Are Rewriting the SCIF Security Threat Model

A senior analyst walks into a Sensitive Compartmented Information Facility. She has worked there for eleven years. She wears a hearing aid listed on her employer’s Approved Medical Device Product List and approved for use under ICD 124, the Intelligence Community’s directive governing electronic medical devices in classified environments. The approval is on file. The paperwork is in order. The device has entered the building every day for the past three years.

What the paperwork does not tell you is whether the device is silent; the organization rarely has any mechanism to verify that. Not at the moment it entered. Not during the briefing. Not when it left. The hearing aid may be transmitting. It may be paired to another unauthorized device. It may have been upgraded since its approval in ways that changed its wireless behavior. Without continuous RF monitoring, none of those questions has an answer. The paperwork says the device was assessed. It says nothing about what the device is doing right now.

This is not a hypothetical. It is the threat environment that exists right now in grandfathered SCIFs and SAPFs across the Intelligence Community and the Defense Industrial Base.

Bluetooth Was Supposed to Stay in the Building

When Bluetooth first appeared in consumer devices, it had a range of roughly 33 feet and, in practice, often failed at eight. The assumption built into early SCIF security models was simple: even if a Bluetooth device made it inside, the signal would not carry far enough to matter. That assumption is dead.

Bluetooth 4 introduced Bluetooth Low Energy (BLE), extending practical range to 330 feet. Researchers quickly demonstrated 900 feet using a directional antenna, and that demonstration revealed something important: the threat equation was never about the transmitting device. The person inside the building has a $50 consumer device operating at a fixed, low power. The person outside chooses their receiver. At the time of that demonstration, $20,000 in professional antenna equipment extended a $50 device’s effective collection range by a factor of three. That asymmetry has only grown.

Bluetooth 5, released in December 2016, increased the maximum permitted transmit power for BLE devices, directly extending the transmitting range for the first time. Before Bluetooth 5, security researchers had already demonstrated multi-mile collection ranges against Bluetooth 4 transmissions using Yagi and other high-gain directional antennas. Bluetooth 5 extends that advantage further.

That range increase directly matters for the device class that ICD 124 authorizes for use inside SCIFs, but the threat does not depend on kilometer-scale transmission. The core problem is simpler: without continuous monitoring, nobody knows the device is transmitting at all. Hearing aids are low-power devices, operating at approximately +4 dBm, with an official range specification of 10 meters. In practice, these devices can be observed at 50 to 100 meters in line of sight, and Bluetooth 5 link budget calculations indicate a theoretical maximum of approximately 240 meters. A high-gain directional receiver pushes that further still. Distance matters. Detection matters more.

Two factors compound the risk beyond the standard specification. First, Bluetooth 5 made higher transmit power levels available in the specification. A standard hearing aid is typically limited to low power due to its battery power. A purpose-built device masquerading as an approved hearing aid, or a device with maliciously modified firmware, could operate at higher power, up to +20 dBm versus +4 dBm, increasing observable range dramatically and exhibiting exactly the behavioral anomaly a WIDS system would detect. Second, approved devices can change their wireless behavior through firmware upgrades after their initial approval. A hearing aid approved under one Bluetooth version can be upgraded to a later version that increases its range or capabilities, potentially without triggering a new ICD 124 review. One manufacturer released a firmware upgrade that doubled a hearing aid’s Bluetooth range from 30 feet to 60 feet. The approval was current. The device’s threat profile was not.
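The range figures above (+4 dBm versus +20 dBm, 10 m specification versus 50 to 240 m observed) all fall out of one free-space link budget. The following is an added example, not from the article: it computes that budget and shows why the receiving side, not the approved device, sets the exposure distance. The 20 dB in-ear antenna and body loss, the -97 dBm receiver sensitivity, and the 0 dBi and +15 dBi receive antenna gains are constructed assumptions.

```python
# Added example (not from the article): a free-space link budget that shows why a
# hearing aid's 10 m range specification is not a security boundary, and why the
# receiving side, not the approved device, sets both exposure and detection
# distance. Antenna gains, losses and sensitivities are constructed assumptions.
import math

C = 299_792_458.0          # speed of light, m/s
BLE_HZ = 2.44e9            # middle of the 2.4 GHz ISM band

def fspl_db(distance_m, freq_hz=BLE_HZ):
    """Free-space path loss: 20log10(d) + 20log10(f) + 20log10(4*pi/c), in dB."""
    return (20 * math.log10(distance_m) + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C))

def max_range_m(tx_dbm, rx_sens_dbm, tx_gain_dbi=0.0, rx_gain_dbi=0.0,
                loss_db=0.0, freq_hz=BLE_HZ):
    """Largest free-space distance at which the received signal still reaches
    rx_sens_dbm. Inverts fspl_db for budget = tx + gains - losses - sensitivity."""
    budget = tx_dbm + tx_gain_dbi + rx_gain_dbi - loss_db - rx_sens_dbm
    k = 20 * math.log10(freq_hz) + 20 * math.log10(4 * math.pi / C)
    return 10 ** ((budget - k) / 20)

def range_multiplier(delta_db):
    """Each extra dB anywhere in the link (TX power or receive antenna gain)
    multiplies range by 10^(dB/20): +16 dB (4 -> 20 dBm) is about 6.3x."""
    return 10 ** (delta_db / 20)

# Scenarios built on the article's figures: an approved hearing aid at +4 dBm and a
# look-alike or reflashed device at +20 dBm. Assumptions: 20 dB of in-ear antenna
# and body loss, -97 dBm receiver sensitivity (typical BLE 1M PHY), 0 dBi for a
# phone-class receiver, +15 dBi for a directional receive antenna.
SCENARIOS = {
    "hearing aid +4 dBm, 0 dBi receiver":   dict(tx_dbm=4,  rx_sens_dbm=-97, loss_db=20),
    "hearing aid +4 dBm, +15 dBi receiver": dict(tx_dbm=4,  rx_sens_dbm=-97, loss_db=20, rx_gain_dbi=15),
    "look-alike +20 dBm, 0 dBi receiver":   dict(tx_dbm=20, rx_sens_dbm=-97, loss_db=20),
    "look-alike +20 dBm, +15 dBi receiver": dict(tx_dbm=20, rx_sens_dbm=-97, loss_db=20, rx_gain_dbi=15),
}

def scenario_ranges():
    """Return {scenario: free-space range in metres, rounded}."""
    return {name: round(max_range_m(**kw)) for name, kw in SCENARIOS.items()}

if __name__ == "__main__":
    for name, metres in scenario_ranges().items():
        print(f"{name:40s} {metres:6d} m")
```

The same budget, with a WIDS sensor's sensitivity and antenna gain in place of the outside receiver's, tells you how far apart sensors can sit and still hear a +4 dBm device anywhere in the accredited space.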

In 2024, Hubble Network took the receiver asymmetry to its logical conclusion: a BLE-class chip transmitting to a satellite in low Earth orbit 600 kilometers overhead. Critically, the hardware on the Bluetooth device side is off-the-shelf. The modification is software only. The demonstration required optimized firmware on the device side and a high-gain antenna on the satellite. Transmissions were one-way micro-packets timed to satellite position. The Hubble system already works with standard Bluetooth chips, and the company is working toward support for devices at even lower power levels. What Hubble established is that the path from consumer device to satellite-compatible transmitter is a firmware update, not a hardware swap.


1,300 Vulnerabilities and the Patching Reality

The Bluetooth specification is over 3,800 pages long. The NIST CVE database contains over 1,300 documented Bluetooth vulnerabilities. The patching reality is more complex than a single number suggests.

Reputable manufacturers do issue patches, but the process has real limits. Patches typically require a companion smartphone app, which means the app must be installed, the user must run the update, and the manufacturer must continue supporting the device. In practice, only the most recent models from larger brands consistently receive patches. Generic and lower-cost devices, precisely those most likely to have weak security to begin with, are frequently never patched. Older devices from reputable manufacturers are often quietly dropped from support. Phones sometimes compensate for unpatched peripheral devices through their own security updates, but this cannot be relied upon across the range of device configurations found in a cleared facility environment.

In December 2025, researchers disclosed CVE-2025-20700 through CVE-2025-20702, affecting headphones from Sony, Marshall, JBL, Jabra, and Bose. An attacker within Bluetooth range could connect without authentication, extract cryptographic link keys, and silently impersonate the trusted device. Vendor patching remained inconsistent six months after disclosure.

Bluetooth’s backward compatibility creates a structural challenge that patching alone cannot resolve. Each successive Bluetooth specification builds on the previous version, adding capabilities while attempting to address known vulnerabilities through specification errata and updated certification tests. The Bluetooth SIG does issue errata and updates those tests regularly. The KNOB attack short-key-length vulnerability, for example, was addressed through a specification erratum and updated certification requirements before being formally written out in Bluetooth 5.2. But this is a deliberate balancing act: fully eliminating a vulnerability sometimes requires breaking compatibility with older devices, which a global ecosystem of billions of devices resists. The result is that some vulnerabilities persist in partially patched form. CVE-2023-24023 (BLUFFS) is a prime example: a session key vulnerability affecting Bluetooth Classic versions 4.2 through 5.4 that forces short key lengths and enables live traffic injection. It has been partially addressed by some vendors and in certification testing. It has not been eliminated. Uncertified devices, which are not subject to certification test updates at all, present a separate and largely unaddressed exposure.

This is not a problem trending toward resolution. It is a growing attack surface. Each new CVE adds to the library of available techniques. Each patch changes device behavior, firmware state, and potentially device settings in ways that may not be reviewed under the original ICD 124 approval. Update mechanisms themselves become potential attack vectors: a device that accepts firmware updates over Bluetooth has an authenticated channel that a determined insider or near-peer actor may attempt to exploit. The result is that the threat profile of an approved device is not fixed at the moment of approval. It evolves with every vulnerability disclosure and every patch cycle, in directions that no point-in-time approval process can anticipate. Without continuous monitoring, those changes are invisible.

ICD 124: The Authorization That Created a Verification Gap

In April 2024, the Director of National Intelligence issued ICD 124, directing IC elements to make every reasonable effort to permit the use of approved electronic medical devices within SCIFs and SAPFs. Hearing aids, cochlear implants, glucose monitors, insulin pumps, and prosthetic limbs with electronic control systems are among the devices covered. The policy reflects a genuine equity concern: cleared personnel with medical needs should not be forced to choose between their health and their ability to serve.

ICD 124 requires IC elements to assess the RF transmission capabilities of each approved device and determine appropriate mitigations. The device may be present. Its wireless transmission capability must be mitigated.

The gap the directive does not address: there is no verification of the device at any point, before, during, or after entry. A security officer at the perimeter can ask a cleared employee whether they have approval to bring a medical device into the facility. If the employee produces an approval letter, there is nothing more the officer can do. The letter confirms that someone assessed a device at some point. It does not confirm that the device in the employee’s possession is the same as the one described in the letter. It does not confirm that the device is running the assessed firmware version. It does not confirm the device’s current configuration matches its approved configuration. It does not confirm that the device has not been modified or substituted since the assessment. It does not confirm that the device is silent. Once the employee clears the perimeter with their approval letter, the device is inside the facility with zero ongoing verification of any kind. A firmware update issued after the approval may have re-enabled wireless features, extended transmission range, or introduced protocol capabilities that were not present when the device was assessed. Security has no technical mechanism to detect any of this at the perimeter or at any point thereafter. Only continuous RF monitoring does.

Five risks ICD 124 approval-based controls cannot address:

  • Pattern of life: A transmitting device inside a SCIF establishes a presence record without any data exfiltration occurring. What is in the facility, when it arrived, when it left, and how frequently it is present are inferable from device emission patterns alone. This information has counterintelligence value entirely independent of anything the device transmits.
  • Silent activation: An approved device may be compliant at the entry point and activated once inside the facility. The approval is point-in-time. The threat is continuous. Without WIDS, there is no mechanism to distinguish between a silent device and an active one.
  • Forced pairing and eavesdropping: Research, including WhisperPair, has demonstrated that a microphone-equipped device such as a hearing aid can be forcibly paired by an adversary within Bluetooth range. The legitimate user may notice an unexpected pairing prompt. They may not. A successfully paired hearing aid becomes an active microphone inside the accredited space.
  • Device substitution: A near-peer actor can produce a replica that passes visual inspection and presents the same apparent device identity, while carrying collection capabilities the approved device lacks. A device transmitting at a higher power than the approved device, or exhibiting different protocol behavior, produces exactly the behavioral anomaly WIDS detects. Without WIDS, that anomaly is invisible.
  • MAC address randomization: Modern BLE devices can change their MAC address every few minutes as a privacy feature. Without protocol behavior analysis and unencrypted metadata correlation, a monitoring system loses device continuity every rotation cycle, making persistent tracking of any individual device across a session impossible.

What a Determined Insider Can Do

A witting insider with an approved medical device quietly re-enabled for Bluetooth transmission has a collection instrument that is present legitimately, authorized by policy, and invisible to any framework relying on periodic inspection. BLE advertisement broadcasts can carry data payloads without pairing or authentication; researchers at the International Institute of Information Technology demonstrated this covert exfiltration channel in published work. For the metadata that matters in a classified environment, program names, personnel identities, and meeting schedules, limited bandwidth is sufficient. A laptop tethered via Bluetooth to a cellular device inside the SCIF creates a network pathway that entirely bypasses every traditional security measure in the building.

What a Near-Peer Adversary Can Do From Outside

The most immediate threat requires no exotic technology. From a vehicle in the parking lot, a coffee shop across the street, or a nearby restaurant, an adversary with a high-quality directional receiver and antenna can fingerprint Bluetooth transmitters, map pattern-of-life data from device emissions, identify known vulnerabilities, and attempt to exploit them. No satellite required. No specialized hardware beyond commercially available equipment. This is the baseline threat that exists today against every unshielded or legacy facility with unmonitored wireless devices.

The satellite dimension extends this to persistent, scalable, and geographically unconstrained collection. China has publicly committed to large-scale satellite IoT infrastructure at orbital altitudes comparable to Hubble Network’s operational orbit. In November 2025, China’s MIIT launched a two-year commercial trial of satellite IoT services targeting wide-area, low-power device connectivity from LEO. Formal guidelines issued in August 2025 direct large-scale direct-to-device satellite services by 2030. No public source confirms these programs are directed at BLE collection from U.S. facilities. The technology gap between a satellite IoT network and a satellite Bluetooth collection capability is a software and protocol question, not a hardware one.

The question U.S. security policy must answer before that capability matures: what prevents a near-peer adversary from directing an existing or near-term satellite IoT infrastructure toward the Bluetooth Low Energy devices operating inside or adjacent to U.S. classified facilities? A grandfathered SCIF with no continuous wireless monitoring cannot answer that question.

The Policy Gap and What Closes It

ICD 705 requires shielding. ICD 124 requires accommodation. NIST SP 800-53 AC-18 requires organizations to establish usage restrictions for wireless access, including Bluetooth. None of these directives currently requires continuous monitoring to verify that approved devices inside accredited spaces are operating within their approved parameters.

Passive RF-emitter detection, a WIDS deployment monitoring the wireless threat spectrum across the entire accredited space, converts the ICD 124 authorization framework from trust-based to verified. It detects any RF emissions from a device that is required to be silent. It identifies Bluetooth pairing events indicating a prohibited connection, including forced pairings that the device’s legitimate user may not be aware of. It tracks device continuity across MAC address rotation using protocol behavior and unencrypted metadata correlation. It flags behavioral anomalies consistent with device substitution or firmware modification. And it generates the continuous, tamper-evident telemetry record that answers the question no TSCM sweep can: what was that device doing from the moment it entered to the moment it left?
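The MAC address randomization risk listed earlier and the WIDS functions described in this paragraph (tracking a device across address rotation, flagging emissions from a device required to be silent, flagging a transmit power above the assessed level) come down to one correlation step over unencrypted advertising metadata. The following is an added example, not Bastille's or any vendor's code; every frame, company ID and approval profile in it is constructed, and the field layout assumes a sensor has already decoded the advertising PDU.

```python
# Added example (not Bastille's or any vendor's code): correlating BLE advertisements
# across random MAC rotation, then checking the resulting device tracks against an
# ICD 124-style approval profile. All frames, company IDs and profiles are
# constructed; the layout assumes a WIDS sensor has decoded the advertising PDU.

# (t_seconds, advertiser address, company_id, service UUIDs, tx_power_dbm, adv_interval_ms)
ADVS = [
    (0.0,  "5A:00:00:00:00:01", 0x1234, ("FDF0",), 4, 1000),
    (14.0, "5A:00:00:00:00:01", 0x1234, ("FDF0",), 4, 1000),
    (16.0, "5A:00:00:00:00:02", 0x1234, ("FDF0",), 4, 1000),   # rotated MAC
    (20.0, "5A:00:00:00:00:03", 0x1234, ("FDF0",), 4, 1000),   # rotated again
    (1.0,  "7C:00:00:00:00:AA", 0x5678, ("180A",), 0, 500),    # approved as silent
    (50.0, "5A:00:00:00:00:04", 0x1234, ("FDF0",), 20, 1000),  # same vendor, +20 dBm
]

def fingerprint(adv):
    """Unencrypted attributes that do not change when the random address does."""
    _t, _mac, company_id, uuids, tx_power, interval_ms = adv
    return (company_id, tuple(sorted(uuids)), tx_power, interval_ms)

def build_tracks(advs, handoff_s=5.0):
    """Group frames into device tracks. A new MAC joins an existing track when it
    carries the same fingerprint and first appears within handoff_s of that
    track's last frame. Returns a list of {"macs", "fp", "first", "last"}."""
    tracks, mac_to_track = [], {}
    for adv in sorted(advs, key=lambda a: a[0]):
        t, mac = adv[0], adv[1]
        if mac not in mac_to_track:
            fp = fingerprint(adv)
            idx = next((i for i, tr in enumerate(tracks)
                        if tr["fp"] == fp and 0 <= t - tr["last"] <= handoff_s), None)
            if idx is None:
                idx = len(tracks)
                tracks.append({"macs": [], "fp": fp, "first": t, "last": t})
            tracks[idx]["macs"].append(mac)
            mac_to_track[mac] = idx
        tracks[mac_to_track[mac]]["last"] = t
    return tracks

# Constructed approval profiles keyed by company_id: what the assessment allows.
APPROVED = {0x1234: {"must_be_silent": False, "max_tx_dbm": 4},
            0x5678: {"must_be_silent": True, "max_tx_dbm": 0}}

def check_against_approval(tracks, approved=APPROVED):
    """(track_index, reason) for each track that contradicts its profile: emission
    from an unapproved or must-be-silent device, or TX power above the assessed level."""
    alerts = []
    for i, tr in enumerate(tracks):
        company_id, _uuids, tx_power, _interval = tr["fp"]
        prof = approved.get(company_id)
        if prof is None or prof["must_be_silent"]:
            alerts.append((i, "emission from device required to be silent"))
        elif tx_power > prof["max_tx_dbm"]:
            alerts.append((i, f"tx power {tx_power} dBm exceeds assessed {prof['max_tx_dbm']} dBm"))
    return alerts
```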

Grandfathered SCIFs built to DCID 6/9 standards have incomplete shielding profiles and are not designed for the wireless threat environment introduced by ICD 124. An approved hearing aid transmitting at Class 2 power may be detectable from well beyond the facility perimeter with commercially available antenna equipment. A compromised device transmitting at Class 1 power extends that exposure dramatically. The NCSC rescission of the 2028 POAM mandate has opened a revision window through PTSEWG. ODNI should use that window to establish WIDS as the continuous verification instrument that makes ICD 124 approvals enforceable rather than assumed.

The hearing aid in the opening scenario does not have to be a threat. But without continuous monitoring, the security officer has no way to know whether it is transmitting, whether it has paired, whether it was upgraded since approval, or whether it is even the device it claims to be. That is not a security posture. It is a hope.

This analysis is based on publicly available information, including the NIST CVE database, ICD 124 (April 26, 2024), NIST SP 800-121, NIST SP 800-53 AC-18, published Bluetooth security research, Hubble Network public disclosures, and Chinese MIIT public guidance. The BLE-to-satellite threat is described as a potential near-peer capability based on publicly reported infrastructure development; no classified assessments are reflected here.

Close your cybersecurity gaps with AI-driven wireless visibility

See Bastille in action with a live demo from our experts in wireless threat detection.