
Endpoint Security

7/19/2019 02:03 PM
Larry Loeb

Bluetooth Devices Leaking Tracking Data

Researchers from Boston University found that the current version of Bluetooth Low Energy, as implemented by Apple iOS and Windows 10, leaked identifiers that allowed tracking of the device that was using BLE.

In a paper presented Wednesday at the 19th Privacy Enhancing Technologies Symposium, researchers from Boston University found that the current version of Bluetooth Low Energy (BLE), as implemented by Apple iOS and Windows 10, leaked identifiers that allowed tracking of the device that was using BLE.

The researchers did not find Android to have this problem. BLE devices broadcast what are called "advertisements" on unencrypted, public channels (at 2402 MHz, 2426 MHz and 2480 MHz) to signal their presence to other BLE devices. Windows and Apple devices apply privacy-protecting measures such as address randomization to hide the device's permanent MAC address in these broadcasts.

The problem arises when a BLE device also includes dynamic identifying tokens, unique to the device, in its advertisements. These tokens can remain static long enough to serve as secondary identifiers alongside the random addresses.

Because of how manufacturers implement the standard, the identifying tokens and the random addresses used for public identification may not change in sync on some devices.

The researchers devised a proof-of-concept method that listened on the public advertising channels and tried to match a captured identifying token to a newly changed advertising address, carrying the device's identity across the address change.

It didn't always work.

"The algorithm succeeds consistently on Windows 10 and sometimes on Apple operating systems," the report said. "In both cases, the respective identifying tokens change out of sync with the advertising address. In the Windows 10 case, there is no evidence of any synchronization by design. In the Apple case, it seems that there exist mechanisms to synchronize updates of identifying tokens with address randomization, but they occasionally fail."

The authors propose several specific recommendations. The first is to synchronize payload changes with address randomization: if the advertising payload contains any data that could be used as an identifying token, the payload should change in sync with the address to prevent extended tracking.
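As an added example (not code from the paper or the article), the following Python audit checks an advertisement trace against this recommendation and against the carryover matching described above: it simulates an advertiser whose address and payload token rotate on independent timers, flags tokens that persist across an address change, and measures how long the successive addresses can be chained together. The Advert record, the rotation periods and the trace itself are constructed for the example.

```python
import random
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Advert:
    t: int      # capture time in seconds (constructed trace)
    addr: str   # random advertising address
    token: str  # identifying token carried in the advertising payload

def _rand_addr(rng: random.Random) -> str:
    b = bytearray(rng.getrandbits(8) for _ in range(6))
    b[0] &= 0x3F  # top two bits 00: BLE non-resolvable private address
    return ":".join(f"{x:02x}" for x in b)

def simulate(addr_period: int, token_period: int, duration: int, seed: int = 1) -> list[Advert]:
    # Constructed advertiser: address and token rotate on independent timers;
    # equal periods model the paper's "change the payload in sync" recommendation.
    rng = random.Random(seed)
    addr, token, frames = _rand_addr(rng), rng.randbytes(4).hex(), []
    for t in range(duration):
        if t and t % addr_period == 0:
            addr = _rand_addr(rng)
        if t and t % token_period == 0:
            token = rng.randbytes(4).hex()
        frames.append(Advert(t, addr, token))
    return frames

def carryover_tokens(frames: list[Advert]) -> dict[str, list[str]]:
    # A token observed under more than one address defeats randomization for that span.
    seen: dict[str, list[str]] = defaultdict(list)
    for f in frames:
        if f.addr not in seen[f.token]:
            seen[f.token].append(f.addr)
    return {tok: addrs for tok, addrs in seen.items() if len(addrs) > 1}

def longest_trackable_span(frames: list[Advert]) -> int:
    # Union-find over addresses linked by shared tokens; returns the longest
    # interval (seconds) over which one device could be followed.
    parent: dict[str, str] = {}
    def find(a: str) -> str:
        while parent.setdefault(a, a) != a:
            a = parent[a]
        return a
    for addrs in carryover_tokens(frames).values():
        for a in addrs[1:]:
            parent[find(a)] = find(addrs[0])
    span: dict[str, list[int]] = {}
    for f in frames:
        lo_hi = span.setdefault(find(f.addr), [f.t, f.t])
        lo_hi[0], lo_hi[1] = min(lo_hi[0], f.t), max(lo_hi[1], f.t)
    return max(hi - lo for lo, hi in span.values())
```

With a 15-second address period and a 22-second token period over 120 seconds, every address is chained to the next and the whole trace is one trackable span; with both periods equal, no token survives an address change and the span collapses to a single address lifetime.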

The second is to implement address randomization for low-powered devices. For some devices, especially wearables and other battery-powered sensors, frequently randomizing the address may conflict with energy constraints. The researchers suggest that device states not subject to these constraints, such as battery charging, a power cycle or other maintenance activity, be used as opportunities to change the address.

The third is to implement reconnection addresses for certain types of BLE peripherals. The report says that "BLE allows devices to exchange Identity Resolving Keys (IRK) which enable them to use resolvable random private addresses of each other. This allows for secure directed advertisement and connection initiation that does not leak permanent identifiers to the public. Devices which currently use an advertising approach involving static addresses (such as the Microsoft Surface Pen) should consider integrating this protocol feature into their software architecture."

For Windows 10, the paper recommends a simple workaround: "it is still possible to break address-carryover tracking on the user side by completely disabling the Bluetooth device through the Windows Device Manager and re-enabling it again. Contrary to the Windows 10 Settings page, disabling the Bluetooth device in this manner will reset both the advertising address and the payload, thereby breaking the chain." Things are simpler for iOS: switching Bluetooth off and on in the System Settings (or in the Menu Bar on macOS) will randomize the address and change the payload.

Though the problems with Microsoft and Apple software were disclosed to the companies in November 2018, no patches have yet been issued.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
