Not a developer or knowledgeable with code but I think I found a security vulnerability

[timeconsumer]

The concerns voiced here apply to Bluetooth in general, not to iPhone alone. Bluetooth has been around for a long time, and due to its widespread use, has also received substantial attention attention from security experts. For example, here's the Security section from Wikipedia's main Bluetooth article: 8 Security

Different kinds of Bluetooth devices use different, standard Bluetooth protocols. The protocol for speakers (A2DP - advanced audio distribution profile) does not include the ability to transfer contact data. The transfer of contact data requires PBAP - phone book access profile. PBAP triggers specific security protocols within iPhone (a higher level of security than if A2DP alone was in use).

Here's what Apple's iOS Security Guide https://www.apple.com/business/docs/iOS_Security_Guide.pdf has to say:

PBAP requires encrypted data, and the mobile device provides the encryption key necessary to decrypt contact data stored in the car system. When the mobile device is not present, the data cannot be decrypted. This safeguards data that may be "left behind" in a rental car.

That's not to say some clever people couldn't create a "wolf in sheep's clothing" (appears to be a Bluetooth speaker but is more than that). However, even if a trojan horse was built, the people of Troy would be asked (in effect), "Do you want to roll a wooden horse full of Greek soldiers into the city?" At that point, it ceases to be a trojan horse, and becomes simple foolishness on the Trojan's part.

Great post. I think this touches on the OP's concern. Once you give access to a Bluetooth device you have no way of knowing what it is accessing as it doesn't prompt or disclose what the Bluetooth device is accessing.

 

[lordofthereef]

So, just a question here. Doesn't the Bluetooth Speaker itself have some kind of way to handle the contacts? For example, a car has a built-in OS for showing the adress book and recent calls. Does all Bluetooth speakers really have that?

Speakers don't. But I guess there's nothing keeping someone of building something custom. The Bluetooth interface in your car is all encompassing. The address book in the car is what is requesting the addresses, not your speakers, per se. I have an older head unit in our mini Cooper that doesn't store contacts at all. I can still receive and make calls (through voice prompts) and toys doesn't look or ask for any contacts.

Again, what you're suggesting is theoretically possible, but this is completely on the user. You're much more likely to get in trouble on a fake public WiFi since.peoole have the tendency to check bank accounts, gift cards, etc and enter passwords and whatnot without thinking. Bluetooth you can get your contacts stolen, at worst. I don't know that I view this as much of an issue.