I recently got a pair of Pixel Buds, primarily for noise cancellation and uniformity, but using them for NewPipe in the background would be convenient. While I ordered them directly from the Google Store, they came from a generally trusted supply-chain, it appeared confidently unopened, and all the serial numbers matched, it interests me to ask this any way:
To what extent could a malicious Bluetooth device, like a pair of earphones, if modified by an adversary, be used to compromise a GrapheneOS device? From my limited searches, it would appear Bluetooth devices are limited to what their input device type is (e.g Audio, HID, keyboard input etc) and the permissions you grant them, but I keep getting mixed results from the discussions around possible attack surfaces - like the potential for a device to relay media (other than audio; video, microphone etc), or be used as an input method (for keys or applications), or even for a multi input device to register as one input and use others. I would imagine GrapheneOS already would account for this, ensuring that if I connect a device that is registered as an audio device (e.g headphones), even if the hardware or firmware on that device is modified (of the Bluetooth device, not GrapheneOS), it can't then be used for other inputs given the Operating System, even if it were in actuality multi input (such as if this were obfuscated; presented as headphones, but actually multi input), but as I said, I keep getting mixed results from various discussions.