by chasing0entropy 175 days ago
I remember tinkering with crafted Bluetooth requests to make a Nokia 8290 zero-click dial a toll number. It's surprising how unprotected, from a security perspective, the BT stack is.

1. If the BT radio is powered, it is possible to find and identify it even with its beacon turned off.

2. With the advent of BLE there is no doubt about #1.

3. Both BT and Cell chipsets contain dozens of undocumented vendor specific and ubiquitous but underdocumented modem commands.

You can STILL use Bluetooth pairing spam to force an adversary to either be DDoSed by pairing requests or approve pairing. Then use voice activation hooks to open voice typing and take a transcribed stream from an ostensible keyboard input.