Hi Marcus, instead of turning the Bluetooth off when devices connect to IC2, what do you think of having IC2 allow you to turn off the Bluetooth on devices you select?
May I comment, @Michael? We would support @mldowling’s request to have Bluetooth off by default. The majority of our customers do not use IC2, and having Bluetooth on is simply not needed. We are not excited about the idea of having equipment sitting around with Bluetooth turned on and not in use.
The whole idea of adding BLE on the B One is to allow easier setup with the Peplink App. I understand this might not be needed for MSP customers using the B One. Hence we suggest using IC2 to turn off the BLE.
We do not intend to add BLE on other models except the B One.
Good. Most of our customers and others we know do not use IC2 and also do not use the Peplink “app.” So, we must either turn it off for them or instruct them as to how to do it via the support.cgi menu. Sorta clunky. ;<) Bluetooth on when not needed merely elevates the RF noise floor and represents an additional attack surface.
Bluetooth needs to be off by default for all routers. It is no longer a choice for many organisations in Australia (and most of the world). As a long-standing Peplink Partner, successful integrator, and compliance-focused stakeholder in the Australian market, I must escalate the router’s Bluetooth being enabled by default as a critical security breach.
Bluetooth Must Be Disabled by Default in Australia
When the Peplink B One router broadcasts over Bluetooth by default without user activation or adequate disclosure, it constitutes a cybersecurity and compliance risk under Australian Government guidance and global information security standards.
- ASD & ISM Guidelines - Australian Legal & Regulatory Compliance
According to the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), any wireless interface (such as Bluetooth) must be disabled unless explicitly required.
- ISM Control Guidelines - Mobile Devices:
“Wireless technologies that are not required should be disabled. This includes Wi-Fi, Bluetooth and NFC capabilities.”
- ASD Blueprint for Secure Workstations (Windows Endpoint Guide):
The guide clearly states that unused I/O or radio communication capability (including Bluetooth) should be hardened or disabled to maintain a secure state.
Source: https://blueprint.asd.gov.au/design/endpoints/windows/hardware/drivers-and-peripherals/
Disabling Bluetooth by default is more than best practice - it is now a mandated and legally enforceable compliance with these government requirements in Australia.
- ISO/IEC 27001 - Global Risk-Based Control Standards
Under ISO/IEC 27001:2022 (Annex A.8, A.13), any unused communication functionality that may introduce risk must be disabled unless explicitly required and documented.
Bluetooth interfaces that broadcast by default:
- Create unnecessary attack surfaces
- Complicate risk assessments
- Impede auditability
- Undermine conformance with controls such as A.13.1.1 (network controls) and A.9.4.1 (access control to networks and services)
Source: https://www.iso.org/standard/27001.html
- SOC 2 - Trust Services Criteria
In SOC 2-compliant environments (e.g. managed service providers or ISPs), broadcasting a non-disclosed, unmanaged Bluetooth service may violate:
- Security and confidentiality principles
- Access control requirements
- Change management and monitoring expectations
Peplink devices that broadcast Bluetooth by default could fail external audits if wireless controls are not configurable and documented.
Source: https://www.aicpa.org/resources/article/trust-services-criteria
- Industry Best Practices & Reasonable Expectations
Modern zero-trust and secure-by-design principles require:
- All radios (Bluetooth, NFC, Wi-Fi) to be off by default
- Activation to require administrator consent, logging, and remote management
In this case, the Bluetooth broadcast:
- Was not configurable
- Was undocumented
- Created confusion and potentially exposed a new attack surface
Reference to this thread: https://forum.peplink.com/t/why-is-my-new-b-one-broadcasting-on-bluetooth-as-peplink-api-service/47497
Recommendations for Peplink to Undertake:
- Disable Bluetooth by default on all models, especially in regulated markets like Australia and other countries with mandated security frameworks.
- Clearly document all wireless services in user manuals and product specs, including details of the Bluetooth modules and chipsets with warnings (e.g., yellow risk triangle) about radio components. Documentation must be distributed for all new and existing stock.
- Enable centralised Bluetooth control via InControl2 ensuring Bluetooth remains disabled unless explicitly enabled by the customer.
- Log and retain audit entries for Bluetooth configuration changes when enabling (& disabling), with a recommended minimum one-year retention period on those logs.
Action Requested
We have to request that Peplink promptly enforce the disablement of Bluetooth on all Peplink routers by default. This is not just a feature request; it is now a matter of compliance, security, and trust. To meet ASD mandates and global standards such as ISO27001 and SOC 2, Peplink must take immediate and proactive steps.
I greatly support Peplink’s ongoing development, though this must be fixed immediately.
Have a good week,
Marcus
On UniFi, BT is only enabled during initial out-of-box setup, and then turns off.
If the intention is to assist users during initial setup, then how about a radio selection to turn the Bluetooth API off, after login and after changing the password?
Maybe we should offer a variant of the B One that has no Bluetooth for the Professional / MSP market. The original position of the B One is a prosumer router, and it can be configured by most non-technical people with the Peplink App. We weren’t aware the MSP market loves this product that much.
Now it looks like we should have a variant like B One SE that has no Bluetooth. Would this make everyone happy?
In the meantime, we could take Jonathan’s suggestion to turn the Bluetooth off right after the initial setup.
Again, the Bluetooth is only on B One. It is not inside other models which are intended for professional markets.
I don’t think adding another sku makes sense.
Again, UniFi has it enabled by default, then turns off after setup.
@mldowling thoughts?
A separate SKU doesn’t seem necessary.
To properly set up this device requires more than a passing familiarity with networking. Let me put it this way: If someone was going to set up a B One for me and said that they needed the simplicity of an app to get started, I wouldn’t trust them to touch my router settings at all.
The app is a nice idea for a very simple device perhaps, but not this one. So my suggestion is to have Bluetooth disabled on the device, or just completely disable it in subsequent firmware.
I disagree; setting it up via the app worked just fine for me and would for 99% of prosumer users. You’re looking at it as if all of the capabilities of the enterprise firmware require deep knowledge; setting up the equivalent of a Netgear router takes a few clicks in the app, and even doing per-app QoS is simple.
Well, perhaps I spoke a bit too hastily, especially because I haven’t used the app.
I’m not saying that the app isn’t perfectly useful, only that if you want to take advantage of the features that are above and beyond what a Netgear will provide, then surely you have enough technical skills to not need Bluetooth enabled out of the box.
If you’re a prosumer, then you’re highly likely to be able to configure the B One without a problem. For instance, if you know what QoS means, then you don’t need Bluetooth enabled by default.
Hello @Alex,
How quickly could we get firmware that does this?
Almost all of our customers with the Peplink B One are managed via InControl2, so we are interested in how quickly InControl2 can be evolved to disable Bluetooth by default once the device is registered with the InControl2 platform.
Have a good day,
Marcus
Hi all,
We have decided to disable Bluetooth on the devices in the next firmware release after they have received or applied their initial configuration. Therefore, no IC2 configuration will be necessary for this. We will update you when there is an ETA.
While we have made our utmost effort to ensure Bluetooth does not pose a vulnerability for our product, you may still wish to disable it immediately. To do so, please navigate to the web administration path “/cgi-bin/MANGA/support.cgi”.
The B One is designed for prosumer customers, and its Bluetooth discovery mechanism significantly enhances the initial setup user experience. We aim to retain this feature. If you prefer not to have it enabled by default, we recommend considering our other product models. We appreciate your understanding.
Ya… Precisely, we would have the following logic. If the initial configuration is done via Bluetooth, we would keep it on. If not, we shall turn it off right after the initial configuration, aka the forced admin password change.
Please raise if you have other questions or concerns.
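As an added illustration (not Peplink firmware code), a small Python model of the policy just described, combined with the audit trail for Bluetooth state changes requested earlier in the thread; the class and method names are hypothetical:

```python
"""Hypothetical model of the post-setup Bluetooth policy described in this
thread: BLE stays on only if the initial configuration was done over BLE;
otherwise it is switched off once the forced admin password change completes.
Every radio state change is recorded as an audit entry. Not Peplink's code."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


@dataclass
class AuditEntry:
    when: str
    actor: str
    action: str
    radio_on: bool


@dataclass
class BleRadioPolicy:
    radio_on: bool = True          # factory default on the B One, per the thread
    configured: bool = False
    setup_channel: str = ""        # "ble" or "web" once setup completes
    audit: List[AuditEntry] = field(default_factory=list)

    def _log(self, actor: str, action: str) -> None:
        ts = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(ts, actor, action, self.radio_on))

    def complete_initial_setup(self, channel: str) -> bool:
        """Called when the forced admin password change succeeds.
        Returns the radio state after the policy has been applied."""
        if channel not in ("ble", "web"):
            raise ValueError("channel must be 'ble' or 'web'")
        self.configured = True
        self.setup_channel = channel
        if channel == "web" and self.radio_on:
            self.radio_on = False
            self._log("firmware", "ble disabled after initial setup via web")
        else:
            state = "on" if self.radio_on else "off"
            self._log("firmware", f"ble left {state}: setup via {channel}")
        return self.radio_on

    def admin_set_radio(self, actor: str, on: bool) -> bool:
        """Explicit change by an administrator (e.g. via support.cgi or IC2).
        A no-op request produces no audit entry, keeping the log meaningful."""
        if on != self.radio_on:
            self.radio_on = on
            self._log(actor, "ble enabled" if on else "ble disabled")
        return self.radio_on
```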
Sounds great! Works for me.