Walk into any airport terminal, hotel lobby, or coffee shop and glance at your phone. Odds are Wi-Fi and Bluetooth are both on, quietly scanning for networks and devices. You probably toggled them on months ago and never thought about it again. The National Security Agency says that habit is a problem, and it published a formal cybersecurity advisory telling every smartphone owner to do something about it.
The agency’s guidance, titled “Securing Wireless Devices in Public Settings,” delivers a blunt directive: turn off Wi-Fi, Bluetooth, and Near Field Communication (NFC) whenever you are in public and not actively using them. That single step, the NSA argues, shrinks the window of opportunity for anyone within wireless range who wants to track your location, intercept your data, or compromise your device.
What the NSA is actually telling you to do
The core advice is straightforward. A phone that is scanning for familiar Wi-Fi networks or broadcasting a Bluetooth identifier is, in effect, announcing itself to every receiver nearby. Attackers do not need physical access to your device; they just need to be within radio range.
Beyond the headline recommendation, the NSA’s advisory lays out several specific steps:
- Disable automatic connection to previously joined Wi-Fi networks.
- Delete (“forget”) saved networks you no longer use regularly.
- Use cellular data instead of unknown public hotspots whenever possible.
- Turn off Bluetooth discoverability and unpair accessories that are not in regular use.
- Keep NFC off until you need it for a tap-to-pay transaction or similar short-range interaction.
The agency did not limit its advice to a single document. A companion PDF titled “Limiting Location Data Exposure” warns that wireless signals can reveal your physical position even when your phone’s location services appear to be off. A third sheet, “Mobile Device Best Practices,” extends the guidance to habits like rebooting your phone once a week, installing software updates promptly, and avoiding public USB charging stations. Together, the three publications form a layered defense strategy aimed at ordinary consumers, not just government employees or intelligence professionals.
The tradeoffs are real. Turning off Bluetooth means your wireless earbuds, smartwatch, and hands-free car system go silent until you flip the toggle back on. Disabling Wi-Fi pushes all traffic to your cellular plan, which may be slower in congested areas and counts against your data cap. The NSA does not pretend those costs are trivial, but it treats them as acceptable compared to the risk of operating open radios in a crowded, uncontrolled environment.
The documented risks behind the warning
The NSA’s guidance is backed by years of independent technical analysis. The National Institute of Standards and Technology (NIST) has cataloged Bluetooth-specific threats in Special Publication 800-121, which details risks including unauthorized pairing attempts, device discoverability exploits, protocol-level weaknesses, and misconfiguration errors. These are not hypothetical scenarios. Real-world attacks have demonstrated what the documents describe.
In 2017, security researchers at Armis disclosed a set of Bluetooth vulnerabilities collectively called BlueBorne, which could allow an attacker to take control of a device without any action from the user, no pairing request, no link to tap. The device simply had to have Bluetooth turned on. Billions of phones, tablets, and computers across iOS, Android, Windows, and Linux were affected before patches rolled out. Two years later, researchers revealed the KNOB (Key Negotiation of Bluetooth) attack, which exploited a flaw in the Bluetooth standard itself to weaken encryption between paired devices, potentially exposing calls and data transfers to eavesdropping.
Public Wi-Fi carries a parallel set of problems. Open or poorly encrypted hotspots expose users to eavesdropping, session hijacking, and rogue access points that mimic legitimate networks. A traveler who connects to an airport network with a generic name has no reliable way to confirm who operates it. Attackers can capture unencrypted traffic, attempt man-in-the-middle interceptions on encrypted sessions, and use captive portal pages to deliver malware or harvest credentials. Even networks protected by a shared passphrase offer limited safety when dozens of strangers are connected to the same access point.
The privacy dimension is just as serious. A New York Times investigation documented how location data generated by phones, including signals from Wi-Fi and Bluetooth activity, could be purchased from commercial data brokers and used to track individuals’ movements, sometimes with limited judicial oversight. The U.S. Supreme Court’s landmark 2018 ruling in Carpenter v. United States subsequently held that accessing historical cell-site location records constitutes a search under the Fourth Amendment, but the commercial data broker market has continued to evolve, and the legal boundaries around purchased location data remain contested as of June 2026. The NSA’s own guidance echoes these concerns, warning that convenience features tied to location, such as background network scanning and device-finding services, can double as surveillance vectors.
What the guidance does not tell you
The NSA’s advisory is clear about what to do but less forthcoming about how often these attacks actually happen to ordinary people. The agency has not published incident counts, breach statistics, or case studies that would let an outside analyst measure the real-world frequency of Bluetooth or Wi-Fi exploitation in public settings. Its recommendations rest on threat modeling and the known technical attack surface rather than a public accounting of confirmed incidents.
There is also no data on how many people follow the advice. Industry behavior suggests most do not: both iOS and Android ship with Wi-Fi and Bluetooth enabled by default and actively encourage pairing with wearables, vehicles, and smart home devices. The NSA has not released any study measuring whether its guidance has shifted user habits since publication.
The advisory also does not rank its recommendations by impact. Turning off unused radios obviously prevents attacks that require an active signal, but how does that compare to keeping your operating system updated, using strong authentication, or running a reputable VPN on public networks? Users trying to prioritize are left to infer that disabling radios is one layer in a broader defense-in-depth strategy, not a standalone fix.
How to actually do it on your phone
On iPhone (iOS 17 and later): Open Settings, tap Wi-Fi, and toggle it off. Then go back to Settings, tap Bluetooth, and toggle that off as well. Note that using the Control Center toggles only disconnects you from current networks and devices; it does not fully disable the radios. To truly turn them off, you need to go through the Settings app. NFC on iPhones is not user-togglable in the traditional sense. It activates automatically for Apple Pay and certain app interactions but does not broadcast continuously the way it can on Android.
On Android (varies by manufacturer, but generally): Pull down the notification shade and long-press the Wi-Fi icon to reach full settings, then toggle Wi-Fi off. Do the same for Bluetooth. For NFC, go to Settings, then Connected Devices or Connections (depending on your phone maker), and toggle NFC off. On most Android phones, the quick-settings tile for Wi-Fi and Bluetooth does fully disable the radio, unlike on iPhone.
A practical middle ground: rather than leaving radios on around the clock, build the habit of toggling them on only when you need them. Turn on Bluetooth when you are ready to use your headphones. Connect to Wi-Fi at home or at a network you trust. Switch both off when you walk out the door. It adds a few seconds of friction to your routine, but it closes the window that the NSA is warning about.
Why this matters beyond the technical details
The deeper issue is not any single vulnerability. It is that smartphones are designed to be perpetually connected, and that design priority runs directly against the security principle of minimizing your exposure. Every wireless radio that stays on in a public space is a door left unlocked, not because someone will definitely walk through it, but because you have no way of knowing who is standing on the other side.
The NSA, NIST, and independent security researchers all converge on the same point: convenience features that run silently in the background can be repurposed by adversaries, data brokers, and surveillance operations. You cannot control who is within range of your phone at a train station or a conference hall. But you can control whether your phone is actively reaching out to them. Flipping a toggle is one of the few security decisions that costs nothing, requires no technical expertise, and remains entirely in your hands.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
