Third parties can locate active Bluetooth devices and thereby the people using those devices


Bluetooth devices could be giving away your location.

That is what Boston University researchers discovered in their explorations, which are detailed in their paper, “Tracking Anonymized Bluetooth Devices” by Johannes Becker, David Li and David Starobinski, in Proceedings on Privacy Enhancing Technologies.

The authors reported that they devised a method for tracking Bluetooth devices despite built-in protections.

They were at the Privacy Enhancing Technologies Symposium in Stockholm, where they made their work known: a third-party algorithm could track the location of some Bluetooth devices.

The Brink, a site focused on research from Boston University, discussed the team’s findings on July 17.

Team member Becker was asked what made them chase this topic.

“We were looking into different IoT protocols in general and trying to find privacy issues with those products,” Becker told The Brink.

“Basically everybody is carrying around a Bluetooth device nowadays in some way, shape, or form, and that makes it very relevant.”

The Brink said that since the payload information updates at a different rate than the address information, the communication blips between Bluetooth devices paint an identifiable pattern.

Having discovered this vulnerability, the researchers decided to test out how well it could be used by a third party to track individual devices.

PCMag India: When you connect two devices through Bluetooth, one of them acts as the main part of the connection and the other the peripheral, sending out data associated with the connection including a randomized address, which is like the IP address on your laptop or PC, to the main device.

A sniffer algorithm can be used to decode the randomized address even though this randomized address gets reconfigured regularly.

“While this doesn’t divulge personal information, it can allow third-parties to locate active Bluetooth devices and thereby the people using those devices.

Theoretically, this issue can be leveraged to track the location of any Bluetooth-enabled device, be it a phone, smartband or a headphone,” said PCMag India.

Also discussing this Bluetooth research was Ravie Lakshmanan in TNW:

To make device pairing easy, BLE (stands for Bluetooth Low Energy) uses public non-encrypted advertising channels to announce presence to nearby devices.

The protocol originally attracted privacy concerns for broadcasting permanent Bluetooth MAC (Media Access Control) addresses of devices – a unique 48-bit identifier – on these channels.

However, BLE tried to solve the problem by letting device manufacturers use a periodically changing, randomized address instead of a permanent MAC address.

So, devices may use a periodically changing, randomized address and not their permanent Media Access Control (MAC) address.

And there’s the rub: The authors showed how many devices implementing such anonymization measures could actually be vulnerable to passive tracking.

Perth-based iLounge on Friday translated what that might mean: “A recent flaw in Bluetooth technology allows individuals to track Apple Watches, Macs, iPads and iPhones. Tablets and laptops running Windows 10 and Fitbit wearables are also vulnerable, but for some reason Android devices are unaffected.”

Android was found to be unaffected by all this.

The researchers stated in their paper that “We describe a tracking vulnerability that affects Windows 10, iOS, and macOS devices as long as they are continuously observed by the adversary.

Android devices do not appear to be vulnerable to our passive sniffing algorithm, as they typically do not send advertising messages containing suitable identifying tokens.”

What to do?

Samantha Wiley in iLounge said the solution was not complicated, just “shut your Bluetooth off and back on if you’re worried about being tracked.

This can be done via System Settings on the macOS’ menu bar or in the Settings of your iPhone.”

The Brink similarly said thwarting this security gap “can be as simple as turning off and back on your device’s Bluetooth connection, at least in the case of Windows 10 and iOS devices.”

Privacy and security concerns over Bluetooth date back to its very first release [23]. Anonymizing devices in public channel communication only became available with the introduction of BLE in Bluetooth 4.0 [6].

A lot of research regarding the effectiveness of MAC address randomization is focused on Wi-Fi, where the same privacy concern of broadcasting permanent identifiers exists, but vulnerabilities are often not easily transferable to the Bluetooth case as they are based on different areas specific to the Wi-Fi network stack.

We will highlight some important works relating to more general cases of Bluetooth and Wi-Fi tracking concerns, as well as more BLE-specific techniques and utilities.

In 2007, Spill and Bittau [33] presented several techniques for eavesdropping on Bluetooth 2.0 communication using a GNU Radio-based Bluetooth sniffer and USRP software-defined radio hardware. Their work describes an approach for intercepting packets, and reverse-engineering all the parameters required to eavesdrop on Bluetooth communication.

However, these findings only concern the Bluetooth Classic implementation, which is of decreasing relevance in light of BLE and Bluetooth 5.

In 2015, Jameel and Dungen presented an open-source library for scanning Bluetooth Low Energy (LE) and Active RFID advertising.

Their work summarizes different available Beacon protocols, which are proximity-based broadcast protocols and enable all kinds of localized interactions with smartphones and other Bluetooth devices via the BLE advertising channels.

Furthermore, the authors published a library called advlib, which processes raw BLE advertising messages and decodes them into an open, portable data format.

This library enables software developers to easily integrate BLE advertising-based functionality into their software, without having to manually decode low-level protocols.

The library further powers the open-source “collaborative repository” Sniffypedia, which presents a large number of publicly known BLE advertising identifiers in a searchable and accessible format.

This platform can help classify Bluetooth device classes for reconnaissance purposes, but does not offer device tracking capabilities.

Vanhoef et al. present techniques to gain access to permanent MAC addresses by exploiting probe requests in Wi-Fi.

They develop an algorithm which relies on timing features and sequence numbers found in Wi-Fi probe requests to identify devices regardless of their MAC address.

They further describe a variant of the Karma Attack – exploiting the fact that many devices will expose information to supposedly known and trusted networks by creating a catch-all access point – which creates large numbers of popular Wi-Fi networks in order to invite devices to connect, often presenting their permanent MAC address in a supposedly trusted context.
Issoufaly and Tournoux show that despite the existence of privacy-preserving MAC address randomization in Bluetooth 4.0 LE, not all devices make use of this functionality and are therefore vulnerable to tracking.

Furthermore, they showed how maliciously distributing suitable tracking software to a number of mobile devices – a “BLE Botnet” – extends tracking capabilities far beyond the local transmission range of regular Bluetooth communication.

Combining BLE privacy with the notion of a potentially global botnet motivates our work as it extends the privacy threat from local presence detection to large-scale location tracking, which would be realistic to implement for nation-state actors.

While Issoufaly and Tournoux focus on tracking devices that use static device addresses, our work focuses on tracking devices that use dynamically randomized addresses.

These addresses change depending on regeneration parameters set by their manufacturers.

Along the same line, Martin et al. show that MAC address randomization is often defeated by not being implemented properly or consistently, partly building upon previous approaches.

Furthermore, they show flaws in the address randomization of Android phones, which allow the deduction of device types via address prefixes, as well as their global MAC address via information found in broadcasted WPS attributes.

They also identify a control frame attack that exposes the permanent Wi-Fi MAC address of a device with 100% success rate.

Our approach differs in that we do not retrieve information through reversal of hashes or other reverse-engineering methods, and we use entirely passive sniffing to generate insights which allow device tracking.

Our tracking method, based on extracting identifying tokens in the payload of advertising messages, leverages specific Bluetooth features and differs from this previous line of work.

3 Background
Bluetooth is a wireless communication protocol on the 2.4 GHz ISM band. Our focus lies on the Low Energy specification, which was introduced in 2010 with Bluetooth 4.0.

Bluetooth LE (BLE) is optimized for small, often battery-powered devices with relatively strict energy restrictions, like connected wearables, wireless smart sensors, or computer accessories like digital pencils.

The Bluetooth 5 Specification adds various feature and performance improvements, notably a larger communication range, which allows for up to 780 meters of line-of-sight connectivity.

We focus on introducing the elements that are essential for the experiments described in the following sections. We refer to Heydon for a general high-level introduction to the Bluetooth 5 architecture and the Bluetooth 5 Core Specification for details.

Fig. 1. The Link Layer State machine [20, p. 15].

3.1 Physical Layer and Link Layer
BLE operates on 40 physical channels spaced in 2 MHz steps from 2402 MHz to 2480 MHz [8, p. 2535f.]. Three of these channels are so-called advertising channels at 2402 MHz, 2426 MHz, and 2480 MHz – frequencies with minimal interference with other 2.4 GHz band traffic (notably Wi-Fi).

These channels are used to broadcast advertising messages, which may be simple periodic presence announcements, scanning requests towards other devices, beacons containing location-based metadata, and other public broadcast-type information.

The remaining channels are used primarily for data transmissions between paired devices and employ a pseudo-random channel hopping scheme, which is negotiated between the two connected parties upon connection to avoid interference with other ISM band traffic.

On the link layer, Bluetooth defines different states, shown in Figure 1.

In the Advertising state, the link layer creates Advertising Events which are broadcasted on all advertising channels. These events contain different types of Payload Data Units (PDU).

In our work, the following PDU types are relevant:

– the Connectable Directed Event using the ADV_DIRECT_IND PDU, which invites a specifically addressed device to initiate a connection.
– the Connectable and Scannable Undirected Event using the ADV_IND PDU, which allows any device to respond with scanning requests or connection requests.

In the Scanning state, the link layer receives advertising messages without responding (passive scanning) or responds with scan requests to inquire about further device details (active scanning).

In the Initiating state, the link layer listens for advertising messages, and sends Connect Requests to advertising devices.

If the requested device responds, the devices can enter a Connection state.

In the Connection State, devices implementing the so-called Central role can connect to up to 8 Peripheral role devices as their Master, while Peripheral devices can connect to one Central role device as a Slave.

Smartphones or PCs are typical Central role devices connecting to multiple wireless input devices, activity trackers or other wireless sensors. However, devices may implement both roles and may therefore send advertising messages (Peripheral role) while scanning for advertising messages (Central role).

In our work, we observe devices which are in the Advertising state using an observer device which is in the Passive Scanning state.
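As an added example (not code from the paper or the article), the following Python parses a simplified ADV_IND PDU as laid out in the link-layer section above, classifies the advertiser address, and then runs the check that the article's description of the vulnerability implies: across a trace of advertisements, does a payload token (here manufacturer-specific data) stay identical while the random address rotates? All addresses and tokens are constructed, and the audit is written from the device vendor's side, to confirm that payload identifiers rotate together with the address.

```python
# Added example, not from the paper or article: parse a simplified BLE ADV_IND PDU and
# audit whether a payload token survives an address rotation (constructed input only).
from dataclasses import dataclass
from typing import Dict, List, Tuple

ADV_IND = 0x0                 # link-layer PDU type code (4-bit header field)
MANUFACTURER_DATA = 0xFF      # AD type: manufacturer-specific data

@dataclass
class AdvPdu:
    pdu_type: int
    random_addr: bool          # TxAdd header bit: 1 = random address, 0 = public
    adv_a: str                 # advertiser address, MSB first
    ad: Dict[int, bytes]       # AD type -> AD data

def parse_adv_pdu(raw: bytes) -> AdvPdu:
    """Header (2 octets), AdvA (6 octets, little-endian), then AD structures."""
    header, length = raw[0], raw[1]
    payload = raw[2:2 + length]
    if length < 6 or len(payload) != length:
        raise ValueError("truncated PDU")
    adv_a = ":".join(f"{b:02X}" for b in reversed(payload[:6]))
    ad, i = {}, 6
    while i < length:          # each AD structure is: len, type, data[len-1]
        n = payload[i]
        if n == 0 or i + 1 + n > length:
            raise ValueError("malformed AD structure")
        ad[payload[i + 1]] = bytes(payload[i + 2:i + 1 + n])
        i += 1 + n
    return AdvPdu(header & 0x0F, bool(header & 0x40), adv_a, ad)

def address_kind(pdu: AdvPdu) -> str:
    """Classify AdvA by TxAdd and the two most significant address bits."""
    if not pdu.random_addr:
        return "public"
    top = int(pdu.adv_a[:2], 16) >> 6
    return {0: "non-resolvable", 1: "resolvable", 3: "static"}.get(top, "reserved")

def linkable_rotations(pdus: List[AdvPdu], ad_type: int = MANUFACTURER_DATA) -> List[Tuple[str, str]]:
    """Address changes where the chosen AD payload stayed identical (address carry-over)."""
    return [(p.adv_a, c.adv_a) for p, c in zip(pdus, pdus[1:])
            if p.adv_a != c.adv_a and ad_type in c.ad and p.ad.get(ad_type) == c.ad[ad_type]]

def build_adv_ind(addr_le: bytes, ad: List[Tuple[int, bytes]]) -> bytes:
    """Constructed test input: an ADV_IND carrying a random address (TxAdd = 1)."""
    body = addr_le + b"".join(bytes([len(d) + 1, t]) + d for t, d in ad)
    return bytes([0x40 | ADV_IND, len(body)]) + body

# Constructed trace: the address rotates once with the token kept, once with it changed.
TOKEN = b"\x12\x34\xab\xcd\x01\x02"
TRACE = [parse_adv_pdu(build_adv_ind(a, [(0x01, b"\x06"), (MANUFACTURER_DATA, t)])) for a, t in
         [(b"\x01\x02\x03\x04\x05\x5a", TOKEN), (b"\x06\x07\x08\x09\x0a\x6b", TOKEN),    # rotated, token kept
          (b"\x0b\x0c\x0d\x0e\x0f\x7c", b"\xff\xee\xdd\xcc\xbb\xaa")]]                    # rotated, token changed
```

`linkable_rotations(TRACE)` reports the first rotation only, which is the carry-over a passive observer could exploit; a vendor check passes when the list is empty.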

More information: Johannes K. Becker, David Li, and David Starobinski, “Tracking Anonymized Bluetooth Devices,” Proceedings on Privacy Enhancing Technologies; 2019 (3):50–65. … popets-2019-0036.pdf

