Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/17/2019
03:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Bluetooth Bug Enables Tracking on Windows 10, iOS & macOS Devices

Researchers discover a third-party algorithm in multiple high-profile Bluetooth devices exposes users to third-party tracking and data access.

A team of Boston University researchers has discovered a vulnerability in several modern, high-profile Bluetooth devices that can make location and other sensitive data available to third parties.

The vulnerability exists in devices running Windows 10, iOS, and macOS, as well as Fitbit and Apple Watch smartwatches, reports David Starobinski, professor of electrical and computer engineering in the Boston University College of Engineering, and Johannes Becker, a Ph.D. candidate and graduate researcher. They discovered the bug while exploring ways to capture Bluetooth traffic.

"It came by accident when we started to analyze the data," Starobinski says. While researching wireless security and privacy using software-defined radio, they discovered they could track devices that were supposed to be anonymizing their identity to protect the user's location.

Bluetooth Low Energy (BLE), a fairly recent variant of Bluetooth, uses nonencrypted advertising channels to announce a device's presence to other Bluetooth devices. The use of these public channels initially sparked privacy concerns; to address those, devices may use a randomized, periodically changing address instead of their permanent Media Access Control (MAC) address. Manufacturers can decide when, and how often, to randomize the unique address of a device.

"It's a new feature Bluetooth LE introduced to prevent tracking," says Becker. Because BLE lets devices continuously broadcast their presence, randomization is intended to ensure third parties don't track a single address. But researchers found an oversight in this methodology that would allow attackers to track the device type or other data from a manufacturer. Even as randomization changes the device's address, some identifiers of a device don't change with it.

When two Bluetooth devices connect, the "central" device — an iPhone, for example — scans for signals sent by a peripheral device to see if it's available to connect. These signals, or advertisements, contain the device's random address and information about the connection. Researchers found this data updates at a different rate than the random address; as a result, attackers could potentially detect a pattern in the communication between Bluetooth devices.

"In this data that is typically sent in these advertising messages, we found that even without trying to reverse engineer what is in this data, or what this data is for … we can identify chunks in the advertising data that we can abuse as secondary identifiers, whether or not they were meant as identifiers," Becker explains. Data unique to the device could appear random to a bystander but if it remains persistent, it can be treated as an identifier by a cybercriminal.

"If the advertising address is randomized but payloads aren't randomized at the same time, we can use these payload pieces as identifiers to jump to the next random address," Becker says, explaining how a specific device can be tracked over time.

To test their findings on third-party devices, the team used a modified version of a BLE "sniffer" algorithm, which passively listens to Bluetooth advertisements and doesn't actively engage in communication. They found Android devices aren't vulnerable to this type of exploitation as they don't transmit advertising messages containing suitable identifying tokens. However, people using iOS, macOS, Windows 10, and Fitbit devices are exposed, they report.

"We don't exploit any flaws in randomization, but we exploit the fact that some payloads stay constant while the address changes are unique enough to jump to the next address," Becker adds. "For some devices we can extend trackability well beyond what the manufacturer intended." The bug doesn't put personal data at risk; however, researchers warn of the feasibility of BLE-based botnets or large-scale tracking via compromised Wi-Fi routers.

This vulnerability affects different devices in different ways. Windows devices, for example, randomize the address regularly and the content of advertising messages changes every hour or so, says Becker. iOS and macOS devices structure their signals in a different way and can have different types of content. Wearables and Internet of Things devices like Fitbits and smart pens don't show address randomization, a sign that attackers wouldn't need the algorithm to track them.

Becker says researchers did responsible disclosure with Microsoft and Apple in the fall. Both acknowledge this as a problem but have not yet addressed it.

From a technical perspective, this is "actually pretty easy to exploit," says Becker. While researchers were able to test their methodology on devices in their natural state, they couldn't detect whether this is happening in the wild because "it's an entirely passive attack," he adds. It's impossible for people to tell whether their devices are being tracked in this way.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/22/2019 | 8:19:41 AM
Similar problems identified earlier

BlueBorne Attack Highlights Flaws in Linux, IoT Security (Past Article about Bluetooth)

It seems there is some level of consistency from Windows and Linux, so this tells me that the Bluetooth protocol is flawed, we need to include encryption as part of the communication process to ensure secured communication between the receiver and sender.

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...