A team of Boston University researchers has discovered a vulnerability in several modern, high-profile Bluetooth devices that can make location and other sensitive data available to third parties.
The vulnerability exists in devices running Windows 10, iOS, and macOS, as well as Fitbit and Apple Watch smartwatches, reports David Starobinski, professor of electrical and computer engineering in the Boston University College of Engineering, and Johannes Becker, a Ph.D. candidate and graduate researcher. They discovered the bug while exploring ways to capture Bluetooth traffic.
"It came by accident when we started to analyze the data," Starobinski says. While researching wireless security and privacy using software-defined radio, they discovered they could track devices that were supposed to be anonymizing their identity to protect the user's location.
Bluetooth Low Energy (BLE), a fairly recent variant of Bluetooth, uses nonencrypted advertising channels to announce a device's presence to other Bluetooth devices. The use of these public channels initially sparked privacy concerns; to address those, devices may use a randomized, periodically changing address instead of their permanent Media Access Control (MAC) address. Manufacturers can decide when, and how often, to randomize the unique address of a device.
"It's a new feature Bluetooth LE introduced to prevent tracking," says Becker. Because BLE lets devices continuously broadcast their presence, randomization is intended to ensure third parties don't track a single address. But researchers found an oversight in this methodology that would allow attackers to track the device type or other data from a manufacturer. Even as randomization changes the device's address, some identifiers of a device don't change with it.
When two Bluetooth devices connect, the "central" device — an iPhone, for example — scans for signals sent by a peripheral device to see if it's available to connect. These signals, or advertisements, contain the device's random address and information about the connection. Researchers found this data updates at a different rate than the random address; as a result, attackers could potentially detect a pattern in the communication between Bluetooth devices.
"In this data that is typically sent in these advertising messages, we found that even without trying to reverse engineer what is in this data, or what this data is for … we can identify chunks in the advertising data that we can abuse as secondary identifiers, whether or not they were meant as identifiers," Becker explains. Data unique to the device could appear random to a bystander but if it remains persistent, it can be treated as an identifier by a cybercriminal.
"If the advertising address is randomized but payloads aren't randomized at the same time, we can use these payload pieces as identifiers to jump to the next random address," Becker says, explaining how a specific device can be tracked over time.
To test their findings on third-party devices, the team used a modified version of a BLE "sniffer" algorithm, which passively listens to Bluetooth advertisements and doesn't actively engage in communication. They found Android devices aren't vulnerable to this type of exploitation as they don't transmit advertising messages containing suitable identifying tokens. However, people using iOS, macOS, Windows 10, and Fitbit devices are exposed, they report.
"We don't exploit any flaws in randomization, but we exploit the fact that some payloads stay constant while the address changes are unique enough to jump to the next address," Becker adds. "For some devices we can extend trackability well beyond what the manufacturer intended." The bug doesn't put personal data at risk; however, researchers warn of the feasibility of BLE-based botnets or large-scale tracking via compromised Wi-Fi routers.
This vulnerability affects different devices in different ways. Windows devices, for example, randomize the address regularly and the content of advertising messages changes every hour or so, says Becker. iOS and macOS devices structure their signals in a different way and can have different types of content. Wearables and Internet of Things devices like Fitbits and smart pens don't show address randomization, a sign that attackers wouldn't need the algorithm to track them.
Becker says researchers did responsible disclosure with Microsoft and Apple in the fall. Both acknowledge this as a problem but have not yet addressed it.
From a technical perspective, this is "actually pretty easy to exploit," says Becker. While researchers were able to test their methodology on devices in their natural state, they couldn't detect whether this is happening in the wild because "it's an entirely passive attack," he adds. It's impossible for people to tell whether their devices are being tracked in this way.