diff --git a/debian/control b/debian/control index 262b04a..38bad35 100644 --- a/debian/control +++ b/debian/control @@ -72,7 +72,10 @@ Description: enhances misc security settings * The kernel now panics on oopses to prevent it from continuing running a flawed process. . - Requires every module to be signed before being loaded. Any module that is + * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has + a history of [security concerns](https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns). + . + * Requires every module to be signed before being loaded. Any module that is unsigned or signed with an invalid key cannot be loaded. This makes it harder to load a malicious module. /etc/default/grub.d/40_only_allow_signed_modules.cfg diff --git a/etc/modprobe.d/blacklist-bluetooth.conf b/etc/modprobe.d/blacklist-bluetooth.conf new file mode 100644 index 0000000..ca8c419 --- /dev/null +++ b/etc/modprobe.d/blacklist-bluetooth.conf @@ -0,0 +1,3 @@ +# Blacklists bluetooth. +install bluetooth /bin/true +install btusb /bin/true
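Review bot: The new Bluetooth bullet in the debian/control hunk uses Markdown link syntax, `[security concerns](https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns)`, but a package Description is displayed as plain text, so the brackets and parentheses will show up literally. Put the bare URL after the sentence instead. The signed-modules entry in the same hunk is followed by the path of its config file (/etc/default/grub.d/40_only_allow_signed_modules.cfg). The Bluetooth bullet should likewise name /etc/modprobe.d/blacklist-bluetooth.conf so a user who needs Bluetooth knows which file to change.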
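Review bot: In the etc/modprobe.d/blacklist-bluetooth.conf hunk the comment says "Blacklists bluetooth", but the two lines are `install bluetooth /bin/true` and `install btusb /bin/true`, which are install overrides rather than `blacklist` directives. The difference matters to anyone maintaining the file: `blacklist` only suppresses alias-based autoloading, while an install override also turns an explicit `modprobe bluetooth` into a no-op that exits successfully. The comment should say that this is intentional and how to revert it. It should also record the limits of the setting: it only governs modprobe, so a module inserted directly with insmod is unaffected, and a module that is already loaded stays loaded. If a visible error is preferred over silent success when something requests the module, /bin/false would do that.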