When you use a BT speaker with your phone, the phone is the initiator of the signal i.e. you're playing an app on your phone, and the speaker is just a 'dumb' output device. And there are no real security concerns in this instance. On your phone, you select "this is the BT speaker I want to connect to" and the speaker doesn't care/need to know what's connecting to it, it just plays sounds. The security is "the user chose this BT speaker as output device". Done.
A BT keyboard involves an inherently opposite type of connection. In this case, in regular use, the KB is the initiator of information flow (your keystrokes) and your phone is the recipient. And in this situation, the security implications are huge, because the keyboard you connect has the ability to control your phone.
This means there *must* be an authorization step that takes place on your phone, i.e. the phone must prompt you "oh, hey, there's a device attempting to connect TO your phone, one that will have the ability to *control* your phone. Do you authorize this incoming connection?".
Which is in turn why the KB must initiate the "handshake". You don't want your phone sitting there polling the outside world essentially signaling, "Oh, hey, are there any keyboards out there that want to control me?" and once one of them says "yeah, sign me up, I'll control you!" the phone goes "cool, you're good to go!" because that KB might not actually be yours.
But that IS how a BT speaker can operate, iow it can broadcast to the world "Oh, hey, I'm here, does anyone want to control me" and then simply accept connections, with no security implications.
Make sense?
= new reply since forum marked as read
