Researchers from Boston University (BU) have discovered a flaw in the Bluetooth communication protocol that can expose most devices to third-party tracking and leak identifiable data.
According to the research paper, Tracking Anonymized Bluetooth Devices, by Johannes K. Becker and David Starobinski, the vulnerability affects Bluetooth devices running Windows 10, iOS and macOS, as well as Fitbit and Apple Watch smartwatches.
Details of the study were presented yesterday at the 19th Privacy Enhancing Technologies Symposium in Stockholm, Sweden.
The vulnerability allows an attacker to passively track a device by exploiting a flaw in how Bluetooth Low Energy (BLE) is implemented, extracting identifying tokens such as the device type or other manufacturer-specific identifying data from the advertising traffic.
To make discovery and connection easy, BLE devices use public, unencrypted advertising channels to announce their presence to other nearby entities. The protocol originally drew privacy concerns because devices broadcast their permanent Bluetooth MAC address, a unique 48-bit identifier, on those channels.
The BLE specification addressed this by allowing device manufacturers to use a periodically changing, randomized address instead of the permanent Media Access Control (MAC) address.
The vulnerability found by the BU researchers exploits this secondary, randomized MAC address to track a device. The researchers note that "identifying tokens" present in advertising messages are also unique to a device and remain static long enough to serve as secondary identifiers alongside the MAC address. Their address-carryover algorithm takes advantage of the fact that address changes and payload changes are not synchronized: it uses the unchanged identifying tokens in the payload to link a new incoming random address back to a known entity. The carryover algorithm therefore defeats the anonymity that frequent address randomization is meant to provide on the broadcast channels.
The carryover mechanism outlined by Becker and Starobinski uses the identifying token to link the device's current address to the next random address it adopts, making it easy for an attacker to keep tracking that particular device.
It does not require decrypting messages or breaking Bluetooth security, since it relies entirely on public, unencrypted advertising traffic, the researchers noted.
The algorithm works by listening for incoming addresses and tokens as they are sent on the BLE advertising channels. Once the tokens are retrieved, either by parsing the payload fields or by isolating a byte sequence that meets a predetermined set of criteria, the algorithm continuously checks each incoming advertising address against the existing advertising address.
If the addresses match, confirming it is the same device, the identifying tokens are compared and updated. If they do not, a match is attempted using some of the available cached identifying tokens as a "pseudo-identity."
On a successful match, the entity's identity is updated with the incoming address, allowing the device to be tracked across addresses. If there is no match, the algorithm ends.
In their experiments, the researchers found that the technique works on Windows, iOS and macOS systems. Interestingly, Android devices were completely immune, because the operating system never sends manufacturer-specific data or other potentially identifying data in those advertising messages.
To protect devices from carryover attacks, the researchers suggest that implementations synchronize payload changes with MAC address randomization.
With Bluetooth devices being adopted at large scale, they caution that "establishing tracking-resistant methods, especially on unencrypted communication channels, is of crucial importance."
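To make the carryover logic and the suggested fix concrete, here is an added toy model of the algorithm described above, written for this article and not taken from the paper. It parses constructed BLE advertising payloads (standard length/type/data AD structures), uses the Manufacturer Specific Data field as the identifying token, and links successive random addresses to one entity; when a no-match event arrives it starts a new entity, which is this example's assumption since the article only says the algorithm ends there. Run over a payload whose token rotates together with the address, as the researchers recommend, the linkage breaks.

```python
from dataclasses import dataclass, field
MFR_SPECIFIC = 0xFF  # AD type 0xFF: Manufacturer Specific Data

@dataclass
class Entity:
    """One tracked device: current random address plus cached identifying tokens."""
    address: str
    tokens: dict
    previous: list = field(default_factory=list)  # earlier addresses linked to it

def parse_ad_structures(payload: bytes) -> dict:
    """Split raw advertising data into {ad_type: data}; each structure is length, type, data."""
    out, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break                                    # zero padding or truncated structure
        out[payload[i + 1]] = payload[i + 2:i + 1 + length]
        i += 1 + length
    return out

def extract_tokens(payload: bytes) -> dict:
    """Isolate the byte sequence that stays static across address changes (here: mfr data)."""
    ads = parse_ad_structures(payload)
    return {"mfr_data": ads[MFR_SPECIFIC]} if MFR_SPECIFIC in ads else {}

def carry_over(events) -> list:
    """Run the carryover logic over (address, payload) events; returns the entities found."""
    entities, by_addr = [], {}
    for addr, payload in events:
        tokens = extract_tokens(payload)
        if addr in by_addr:                          # known address: same device, refresh tokens
            by_addr[addr].tokens.update(tokens)
            continue
        # unknown address: pseudo-identity match on any cached token
        match = next((e for e in entities
                      if any(e.tokens.get(k) == v for k, v in tokens.items())), None)
        if match is None:                            # nothing to carry over; assumption: start
            entity = Entity(addr, tokens)            # a new entity (article only says it ends)
            entities.append(entity)
            by_addr[addr] = entity
            continue
        by_addr.pop(match.address)                   # carry the identity over to the new address
        match.previous.append(match.address)
        match.address, match.tokens = addr, tokens
        by_addr[addr] = match
    return entities

def adv(mfr: bytes) -> bytes:
    """Constructed payload: a Flags AD structure, then Manufacturer Specific Data."""
    return bytes([2, 0x01, 0x06, len(mfr) + 1, MFR_SPECIFIC]) + mfr
```

Feeding `carry_over` three events with different random addresses but the same `adv(b"\xab\xcd\x01\x02")` payload yields a single entity with all three addresses, while rotating the manufacturer data at each address change yields separate, unlinked entities.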