Larry Loeb

Bluetooth Devices Leaking Tracking Data

Researchers from Boston University found that the current version of Bluetooth Low Energy, as implemented by Apple iOS and Windows 10, leaked identifiers that allowed tracking of the device that was using BLE.

In a paper presented Wednesday at the 19th Privacy Enhancing Technologies Symposium, researchers from Boston University found that the current version of Bluetooth Low Energy (BLE), as implemented by Apple iOS and Windows 10, leaked identifiers that allowed tracking of the device that was using BLE.

The researchers did not find this problem on Android. BLE devices broadcast what are called "advertisements" on unencrypted, public channels (located at 2402 MHz, 2426 MHz and 2480 MHz) in order to signal their presence to other BLE devices. Windows and Apple devices apply privacy-protecting measures such as address randomization to hide the device's permanent MAC address in these broadcasts.

The problem originates when a BLE device also uses dynamic identifying tokens, which are unique to a device. They can remain static long enough to be used as secondary identifiers to the random addresses.

Because of how manufacturers implement the standard, the identifying tokens and the random addresses used for public identification may not change in sync on some devices.

The researchers came up with a proof of concept method that listened to the public advertising channels and tried to match a captured identifying token to a newly changed advertising address.

It didn't always work.

"The algorithm succeeds consistently on Windows 10 and sometimes on Apple operating systems," the report said. "In both cases, the respective identifying tokens change out of sync with the advertising address. In the Windows 10 case, there is no evidence of any synchronization by design. In the Apple case, it seems that there exist mechanisms to synchronize updates of identifying tokens with address randomization, but they occasionally fail."
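The out-of-sync condition the report describes can be checked for on a device under test. The following is an added example, not code from the paper or from this article; it assumes a capture from a single isolated device, already reduced to (time, advertising address, payload token) records, and the record layout, function names and sample values are constructed for illustration.

```python
from typing import NamedTuple

class Adv(NamedTuple):
    t: int        # seconds since start of capture
    addr: str     # random advertising address seen on air
    token: bytes  # payload bytes that identify the device until they rotate

def unsynced_rotations(log):
    """Address changes where the payload token stayed the same."""
    ordered = sorted(log, key=lambda a: a.t)
    return [(cur.t, prev.addr, cur.addr)
            for prev, cur in zip(ordered, ordered[1:])
            if cur.addr != prev.addr and cur.token == prev.token]

def longest_linkable_span(log):
    """Longest time the device stays linkable via address or token."""
    ordered = sorted(log, key=lambda a: a.t)
    if not ordered:
        return 0
    best, start = 0, ordered[0].t
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.addr != prev.addr and cur.token != prev.token:
            start = cur.t  # both changed together: the chain is broken
        best = max(best, cur.t - start)
    return best

# Constructed captures of one device under test (not real data).
UNSYNCED = [Adv(0, "addr-A", b"\x01"), Adv(600, "addr-A", b"\x01"),
            Adv(900, "addr-B", b"\x01"),   # address rotated, token carried over
            Adv(1000, "addr-B", b"\x02"),  # token rotated later, address kept
            Adv(1800, "addr-C", b"\x02")]  # address rotated, token carried over
SYNCED = [Adv(0, "addr-A", b"\x01"), Adv(600, "addr-A", b"\x01"),
          Adv(900, "addr-B", b"\x02"), Adv(1500, "addr-B", b"\x02"),
          Adv(1800, "addr-C", b"\x03")]    # address and token always change together

if __name__ == "__main__":
    for name, log in (("unsynced", UNSYNCED), ("synced", SYNCED)):
        print(name, unsynced_rotations(log), longest_linkable_span(log))
```

A device that follows the synchronization recommendation yields no findings and a linkable span no longer than one rotation interval; any finding means an observer could carry the identity across an address change.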

The authors propose some specific recommendations. The first is to synchronize payload changes with address randomizations. If the advertising message payload contains any type of data that could be used as an identifying token, the payload should change in sync with the address to prevent extended tracking.

Implement address randomization for low-powered devices. For some devices, especially wearables and other battery-powered sensor devices, frequently randomizing the address may conflict with energy constraints. The researchers think that device states that are not subject to these constraints should be used to change the address. Examples could include when the battery is charging or when a power cycle or other maintenance activity is performed.

Implement reconnection addresses for certain types of BLE peripherals. The report says that "BLE allows devices to exchange Identity Resolving Keys (IRK) which enable them to use resolvable random private addresses of each other. This allows for secure directed advertisement and connection initiation that does not leak permanent identifiers to the public. Devices which currently use an advertising approach involving static addresses (such as the Microsoft Surface Pen) should consider integrating this protocol feature into their software architecture."

For Windows 10, the paper recommends a simple workaround. They advocate one specific method, saying that "it is still possible to break address-carryover tracking on the user side by completely disabling the Bluetooth device through the Windows Device Manager and re-enabling it again. Contrary to the Windows 10 Settings page, disabling the Bluetooth device in this manner will reset both the advertising address and the payload, thereby breaking the chain." Things are simpler for iOS. Switching Bluetooth off and on in the System Settings (or in the Menu Bar on macOS) will randomize the address and change the payload.

Though the problems with Microsoft and Apple software were disclosed to the companies in November 2018, no patches have yet been issued.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
