Bluetooth hacked?

[Lolas Dad]

I have a JBL SB400 sound bar with wireless sub woofer hooked up to my TV. It also has Bluetooth and I can play my music from my phone to the speaker. In order for me to do that I have to set the speaker in blue tooth mode with the speaker turned on first.

A few weeks ago I had the speaker shut off and the TV shut off. In the very early hours of the morning the speaker came on and was blasting hip hop/rap music. I quickly got up and shut it off. About two nights later the same thing happened. I do not have any hip hop/rap music on my phone or even on a CD. I'm thinking someone else hacked into it some how and would like to know how they did it. By someone doing this they can say I was playing loud music in the middle of the night when they were actually the ones that were doing it by hacking into the speaker. Lately I had just unplugged the power cord from the speaker so that they cant do it again but I should not have to do that all the time when I am not using the speaker.

 

[Mikestony]

Try to unpair it, then pair it again with your device:


From the manual:

To disconnect the Bluetooth device, press and hold the soundbar’s
Bluetooth button until the LED begins flashing. To pair the soundbar
with a different Bluetooth-enabled device, repeat Steps 1 – 3 with the
new device.

Perhaps that may help?

 

[Lolas Dad]

I could unpair it with my phone and pair it again but three things, the speaker was shut off but still plugged in at the time and the second thing is the Bluetooth was not even enabled on my phone at the time. Finally the third thing is I do not have any hip hop or rap music on my phone. I won't even listen to that type of music.

Whenever I am not using Bluetooth I disable the Bluetooth on my phone.

 

[Mikestony]

That is bizzare

Have you tried contacting JBL or perhaps Crutchfield (I see they sell it) about this issue?

I'm not sure this is Android related anymore ya know?

 

[Lolas Dad]

ok this is what I did. I first unpaired and disconnected from the blue tooth for the sound bar. I then made sure the TV and speaker was off VIA power switch. Then I went to scan for devices in bluetooth and it found the sound bar even with the power switch shut off. Then I paired and connected the sound bar again, still with the power shut off on the sound bar and then went to my media player on the phone, loaded a song and hit play. The soundbar turned on and started playing the song I loaded.

JBL puts out a good product but since it can be powered on like this and played then it's not that great not being secured. That basically means I can do the same thing to a neighbor who has a bluetooth setup for their sound system or TV. Not cool at all and I would not even consider doing something like that. I guess the best bet is to unplug it when I am not using it.

 

[Mikestony]

Is the speaker always in "discoverable" mode? That shouldn't be you think?

Is there a way, once paired, to shut off the "discoverable mode" on the speaker?

 

[Lolas Dad]

That is bizzare

Have you tried contacting JBL or perhaps Crutchfield (I see they sell it) about this issue?

I'm not sure this is Android related anymore ya know?

It's not an android issue. It is a security issue with the JBL soundbar. I think I will be calling them and letting them know about this flaw. This would allow anyone to turn on speakers in someones home that does not need a code for pairing and blasting music or other garbage to wake them up in the middle of the night. the JBL SB400 sound bar system does not require a code. This should be changed to where it does require a code and the code should be changeable by the user. This will solve the problem.

It is so simple to do it is stupid.

 

[Mikestony]

I was reading thru the owners manual here:
https://a248.e.akamai.net/pix.crutchfield.com/Manuals/109/109SB400.PDF

and I am not seeing some sort of on/off switch for bluetooth....perhaps on page 6?

 

[Lolas Dad]

Is the speaker always in "discoverable" mode? That shouldn't be you think?

Is there a way, once paired, to shut off the "discoverable mode" on the speaker?

No. Once plugged in they are always discoverable even if they are on or off. How stupid is that?

 

[Lolas Dad]

I was reading thru the owners manual here:
https://a248.e.akamai.net/pix.crutchfield.com/Manuals/109/109SB400.PDF

and I am not seeing some sort of on/off switch for bluetooth....perhaps on page 6?

The switch that you are seeing is the switch for pairing the subwoofer to the speaker, not for pairing anything else. in the manual it also says if your not going to be home or using the system for a long period of time to shut the power switch off on the subwoofer. I did just that and then was still able to turn the speaker on by just hitting play on the media player on my phone. The speaker came on and started playing the song I selected although not coming through the subwoofer because it is turned off.

No security at all with the JBL SB400.

 

[Mikestony]

The switch that you are seeing is the switch for pairing the subwoofer to the speaker, not for pairing anything else. in the manual it also says if your not going to be home or using the system for a long period of time to shut the power switch off on the subwoofer. I did just that and then was still able to turn the speaker on by just hitting play on the media player on my phone. The speaker came on and started playing the song I selected although not coming through the subwoofer because it is turned off.

No security at all with the JBL SB400.

Gotcha...so on page 7 are the instructions to pair the speaker with your device (phone) correct?

If so, then on step 3, when the blue light is steady, would indicate to me that it will not pair with any other device....did I read that right? Or assume that is correct?

 

[Lolas Dad]

Gotcha...so on page 7 are the instructions to pair the speaker with your device (phone) correct?

If so, then on step 3, when the blue light is steady, would indicate to me that it will not pair with any other device....did I read that right? Or assume that is correct?

I was able to unpair and disconnect the SB400 from the phone. have it disappear from the bluetooth device list in the phone and then pair it up and connect again all without even touching that bluetooth button on the sound barand with the soundbar power switch off but plugged into the AC outlet. That button that you are talking bout is for pairing the subwoofer. When the light is flashing it is looking to be paired with the subwoofer, you then hit the pairing button on the subwoofer itself and it pairs the speaker to the subwoofer. The light on the speaker then becomes steady non flashing.

 

[Mikestony]

This is what I read on how to pair it with your device:

BLUETOOTH OPERATION
To wirelessly stream audio to the soundbar from a Bluetooth-enabled
device:
1. Confirm that the soundbar is in the Bluetooth pairing mode (the
Bluetooth button LED will be flashing blue). If the LED is not flashing
blue, press and hold the Bluetooth button until its LED begins to
flash blue.

2. Place the device in the pairing mode. Use the device’s Bluetooth
pairing menu to pair it with the soundbar. (The soundbar will appear
as “SB400” in the device’s menu.) If the device requires a passcode,
use 0000.

3. When the soundbar’s Bluetooth button LED illuminates constantly,
it is paired with the device and you can stream audio via Bluetooth
from the device to the soundbar.
To listen to audio from the Bluetooth device, press the Source button
repeatedly until the Bluetooth Source Indicator LED illuminates

This is how I read it to pair the subwoofer to the soundbar:

PAIRING THE UNITS FOR WIRELESS OPERATION
After turning the soundbar and subwoofer on for the first time, you will
need to “pair” the subwoofer and soundbar so they both operate at the
same wireless frequency. To pair the units, press the Wireless Pairing
switches on both units within 30 seconds of each other. The units will
communicate with each other and operate at the same frequency.

I'm not trying to be argumentative, just making sure that I read your last post correctly and that we are on the same page

 

[9to5cynic]

Do you have a neighbor that lives within say.... 100 meters of your speaker? I'm guessing yes.

I'd say you have a neighbor playing tag with your bluetooth device. Pairing their device to yours. They probably saw it was a JBL speaker, googled "JBL bluetooth passkey" and entered 0000 on their device. Connection complete.

You could try a few things. Look around at night (when this happens) with an app that does bluedriving (think wardriving for bluetooth devices)... I use wigle bluetooth ... and look for active devices. One of these may be your new friend. The thing you're looking for is their bluetooth device's hardware address. It'll be in hex.

Maybe xkcd can be of some inspiration to you in this situation.

They tagged you first, it'd be rude to stop playing the game they started.
:rofl: But really, all that you'll likely gain from getting the hardware address is a pointer as to who is behind this prank.
--
Hmm... but this seems to be a problem with other bluetooth speakers as well, they default into pairing mode. I can't really think of any solutions that aren't passive aggressive. :/

 

[Lolas Dad]

This is what I read on how to pair it with your device:




This is how I read it to pair the subwoofer to the soundbar:



I'm not trying to be argumentative, just making sure that I read your last post correctly and that we are on the same page

As I said earlier in my posts I can discover the SB 400 with just it being plugged into the AC outlet. I can then pair and connect the phone to the speakers all without touching any buttons on the speaker bar. It does not matter to me what the manual says because what it says and how they are connected and paired are two entirely different scenarios. I'm not trying to be argumentative here either. Last night I did it five to six times and each and every time the speakers came on by just having it paired and connected VIA bluetooth with the power to the speakers turned off.

 

[Lolas Dad]

Do you have a neighbor that lives within say.... 100 meters of your speaker? I'm guessing yes.

I'd say you have a neighbor playing tag with your bluetooth device. Pairing their device to yours. They probably saw it was a JBL speaker, googled "JBL bluetooth passkey" and entered 0000 on their device. Connection complete.

You could try a few things. Look around at night (when this happens) with an app that does bluedriving (think wardriving for bluetooth devices)... I use wigle bluetooth ... and look for active devices. One of these may be your new friend. The thing you're looking for is their bluetooth device's hardware address. It'll be in hex.

Maybe xkcd can be of some inspiration to you in this situation.

They tagged you first, it'd be rude to stop playing the game they started.
:rofl: But really, all that you'll likely gain from getting the hardware address is a pointer as to who is behind this prank.
--
Hmm... but this seems to be a problem with other bluetooth speakers as well, they default into pairing mode. I can't really think of any solutions that are passive aggressive. :/

Thats the thing a pass code is not even required. All one would have to do is hit scan for devices on their phone. Their phone will then list the SB400 with a headphone symbol and then they pair and connect. They can then play their music through my speakers.

This is kind of like having an unsecured wifi router and allowing anyone and every one access. You would think their would be some kind of standards with the bluetooth speakers but I guess there is none.

 

[9to5cynic]

Yeah, I can't really think of anything that would help in this situation. Seems like a poor implementation by the manufacturer.

The only thing I would recommend would be to post a review to a site like amazon and maybe a forum post at the site for the manufacturer. I got a decent-ish response from Logitech in the past. ymmv

 

[JohnV323]

LD,

I have my SB400 set up like you do and the very same thing happened to me last night: early am, rap music originating from elsewhere blasting me out of bed! I unplugged the SB400 and then found your thread this morning, read it, and here's the best solution I could come up with:

The SB400 can indeed always be paired via bluetooth (is "discoverable"), even in standby mode, as you've mentioned. It cannot however pair with something (or be "discoverable" on another device) when it already has a connection established (even when the soundbar goes into standby mode with the amber power indicator lit). What I did, while not ideal, is pair the SB400 with a tablet that lives in my kitchen so no one can hijack the SB400 when I'm not using it with the TV. In your case, you could just leave your phone connected to the SB400 via bluetooth so no one can hijack yours. The bluetooth connection to the SB400 persists despite which source you have selected on the SB400 or it going into standby mode. With this setup, your TV can use the soundbar and then when you want to queue up some music with your phone you need only switch the source on the SB400. From a "stand by" state, whatever the active source is will "wake up" the sound bar.

Even if you don't find my solution helpful, I found your thread helpful in figuring out what was going on when I too was surprised by loud music I wasn't expecting late at night.

-John

I have a JBL SB400 sound bar with wireless sub woofer hooked up to my TV. It also has Bluetooth and I can play my music from my phone to the speaker. In order for me to do that I have to set the speaker in blue tooth mode with the speaker turned on first.

A few weeks ago I had the speaker shut off and the TV shut off. In the very early hours of the morning the speaker came on and was blasting hip hop/rap music. I quickly got up and shut it off. About two nights later the same thing happened. I do not have any hip hop/rap music on my phone or even on a CD. I'm thinking someone else hacked into it some how and would like to know how they did it. By someone doing this they can say I was playing loud music in the middle of the night when they were actually the ones that were doing it by hacking into the speaker. Lately I had just unplugged the power cord from the speaker so that they cant do it again but I should not have to do that all the time when I am not using the speaker.

 

[Frayonce]

Good morning!

While I'm not an Android user, this exact thing (TV and soundbar off; my phone Blutooth off; and music begins blaring from nowhere) happened to me last night, but with my Samsung soundbar, that does not require a password. However, on my soundbar remote there's a button called, "Bluetooth Power", which when "on" and Blutooth enabled on my iPhone, lets me select the soundbar to connect to (from my phone), and it turns the device on.

What concerns me most is that the manual states the device has to have been previously paired for that feature to work. I live in an apt bldg and it leads me to think/believe that a maintenance person (that also lives in my bldg perhaps) has paired to my device while they're in here "working".

Needless to say, I disabled the "Blutooth Power" function, but I'm looking into ways to shut it all down from happening; if possible.