Every smartphone sold in the United States ships with Wi-Fi, Bluetooth, and near-field communication turned on by default. The National Security Agency has repeatedly told users to switch all three off whenever they are not actively needed, calling it a baseline step to reduce tracking and unauthorized access. That advice has not changed, and parallel warnings from other federal and allied agencies reinforce the same point: the setting most people never touch is the one that keeps their phone broadcasting signals to every nearby receiver, whether they are at a coffee shop, an airport, or walking down a city block.
What is verified so far
The NSA published formal guidance on securing wireless devices in public settings, listing a minimum recommendation: disable Wi-Fi, Bluetooth, and NFC when not in use. The document was aimed at teleworkers and travelers connecting to public networks, but its scope covers any consumer smartphone. A separate NSA release on limiting location data exposure tied the same three radios, along with GPS, to the way a phone can reveal its owner’s position even when apps are closed. Together, the two documents form the agency’s clearest public case that always-on wireless defaults create a persistent security gap.
Federal civilian agencies echo the recommendation. The Cybersecurity and Infrastructure Security Agency states in its own Bluetooth explainer that the best practice is to disable Bluetooth when you are not using it. CISA also maintains a consumer-focused mobile device checklist that treats turning off unused radios as a standard hardening step. The Department of Homeland Security’s Science and Technology Directorate published a mobile device security study, mandated by law, that catalogs threat categories tied to wireless interfaces on consumer phones. And the National Institute of Standards and Technology addressed the same risk surface in its mobile device security guidance for bring-your-own-device environments, reinforcing the practical rationale for disabling exposure-increasing defaults.
Outside the United States, the United Kingdom’s National Cyber Security Centre states that “for short-range wireless interfaces such as Bluetooth, if not required then disable them.” The consistency across agencies and borders is notable: no government body with published mobile security guidance has contradicted the recommendation. Instead, the pattern is one of cautious alignment, with each organization independently concluding that leaving short-range radios on around strangers and untrusted infrastructure expands the attack surface with little benefit.
What remains uncertain
No public dataset from the NSA, CISA, or any other federal agency quantifies how many Americans actually leave Bluetooth or Wi-Fi enabled at all times. The claim that “most Americans” keep these settings switched on rests on the observable fact that both features ship enabled on iPhones and Android devices and that toggling them off requires deliberate user action, but there is no published survey or telemetry study from a government source that attaches a specific percentage to that behavior. Without that data, the scale of real-world exposure is an informed assumption rather than a measured finding.
The DHS mobile device security study provides threat categories but does not include device-level telemetry or long-term user behavior metrics. NCSC and NIST documents cite policy rationale for disabling radios without publishing raw incident logs or exploit samples tied to default settings being left on. That means the agencies agree on the risk in principle, yet none has released granular evidence showing how often, or in what specific scenarios, always-on Bluetooth or Wi-Fi has led to a confirmed compromise of a consumer device.
A related gap involves the difference between theoretical and demonstrated risk. Security researchers have shown in controlled environments that a phone broadcasting Bluetooth beacons in a dense urban area generates significantly more trackable data points than the same phone with Bluetooth off. Translating that laboratory finding into a reliable estimate of real-world harm, however, requires controlled wardriving studies and app-log analysis that no government agency has publicly released. It also depends on variables that are difficult to standardize, such as how often a user visits the same locations, which apps are installed, and how aggressively third-party advertisers collect and correlate identifiers.
Another uncertainty is the balance between usability and security. Agencies recommend disabling radios when not needed, but they do not specify how often an average user can realistically do this without breaking core functions such as wireless headphones, smartwatch pairing, or transit ticketing. The guidance is clear about the direction of risk but silent on the practical frequency with which people should toggle settings in day-to-day life.
How to read the evidence
The strongest evidence here is procedural, not forensic. The NSA, CISA, NIST, DHS, and the UK’s NCSC all independently published the same minimum control: turn off wireless radios you are not using. That level of cross-agency agreement is unusual and carries weight precisely because these organizations rarely coordinate public messaging on consumer device hygiene. When five separate bodies converge on identical advice, the underlying threat model is well established even if the case studies remain classified or unpublished.
Readers should distinguish between two types of sources in this discussion. The NSA and CISA documents are primary guidance, written for direct public consumption and hosted on official government domains. News articles, blog posts, and opinion columns that reference those documents are secondary sources that interpret or amplify the original recommendations. When evaluating whether the advice still applies, the primary documents are the controlling reference. The NSA guidance has not been rescinded or updated with a weaker recommendation, so the standing instruction remains: disable Wi-Fi, Bluetooth, and NFC when they are not actively needed, especially in public or untrusted environments.
At the same time, the absence of detailed public incident data means readers should be cautious about overstating the known harms. The published record supports a clear conclusion that leaving radios on increases theoretical exposure to tracking and certain classes of attacks. It does not, on its own, support precise claims about how many people have actually been compromised through those channels or how often such attacks occur in the wild. Responsible interpretation keeps both points in view: the guidance is strong and consistent, but the quantified risk remains largely inferred.
For individual users, the practical takeaway is straightforward. Treat wireless settings as dynamic controls rather than fixed defaults. Turning off unused radios will not make a smartphone invulnerable, but it narrows the number of doors an attacker or data broker can try. Until agencies publish more granular evidence that justifies relaxing that posture, the conservative reading of the record is that the original advice still stands and is likely to remain the baseline for the foreseeable future.
This article was researched with the help of AI, with human editors creating the final content.