I might be misremembering technologies, but I think in BT the incoming connection can directly execute commands on your device without any kind of identification/authorization.