These devices – including both Apple and Microsoft Bluetooth devices – advertise their availability on open channels, and this opens the way for global device tracking. With spyware in the IoT becoming a major source of concern for cybersecurity researchers, this new research indicates that the problem may be even larger than we imagined.
The paper describes a methodology for identifying Bluetooth devices, even when their MAC addresses are hidden or randomized.
In early implementations of the Bluetooth protocol, devices ‘advertised’ their presence by broadcasting data on so-called ‘advertising channels’. This system was designed to allow Bluetooth devices to be paired easily but had some significant security vulnerabilities.
Specifically, devices sent their Bluetooth MAC address to these channels. This is a permanent address, and so anyone within a few meters of the device was able to collect a unique identifier. This could then be used to track a Bluetooth device wherever it went.
In order to combat this problem, the Bluetooth Low Energy standard moved away from using open MAC addresses. Instead, devices using the protocol are given randomized, temporary addresses. These were believed to make newer Bluetooth devices untrackable.
The problem now, as the new research points out, is that many of these same devices also use dynamic identifying tokens. These are unique to each device, and they stay static for long enough to be used as a secondary form of identification. This is because these tokens do not change at the same time as randomized MAC addresses, allowing one randomized address to be associated with another via the token.
This means that anyone can uniquely identify any devices they are in Bluetooth range of, and potentially track their activity.
Which devices are affected?
The team behind the research built a system to uniquely identify Bluetooth devices across a test network. The way they did this was remarkably, worryingly simple.
Their system is essentially a packet sniffer with a pretty basic algorithm attached. It listens to network traffic over the BLE interface and keeps a log of MAC addresses. It also extracts dynamic identifying tokens for each connected device. Every time it sees a new MAC address, it checks to see if the new address is associated with an existing token.
Because tokens and addresses do not change at the same time on many devices, the algorithm can then match the new MAC address to the old MAC address of the same device. This means that activity can be identified as coming from one, unique device.
The researchers tested a wide variety of devices, including both Windows and Mac computers, and iPhones. The results varied slightly across these devices, but are still a cause for concern:
“The algorithm succeeds consistently on Windows 10 and sometimes on Apple operating systems,” according to the report. “In both cases, the respective identifying tokens change out of sync with the advertising address. In the Windows 10 case, there is no evidence of any synchronization by design. In the Apple case, it seems that there exist mechanisms to synchronize updates of identifying tokens with address randomization, but they occasionally fail.”
The broader concern is that, if laptops and smartphones are identifiable in this way, then more basic Bluetooth devices (like those that power the IoT) are also likely to be vulnerable to this kind of exploit.
The problem(s) with Bluetooth
In the broadest context, Bluetooth is a technology that has never really reached its full potential, not least because there remain significant security holes in the system.
This has not slowed down the rise of Bluetooth, though. Adoption of the technology is projected to grow from 4.2 to 5.2 billion devices between 2019 and 2022, with over half a billion amongst them wearables and other data-focused connected devices. While the average BLE range is around 10 to 20 meters (though it has a theoretical range of up to 100 meters), an attacker could extend his reach via a botnet, the researchers said.
The ability to identify individual devices might not sound that important for the average Bluetooth user, but it potentially gives attackers (and surveillance agencies) a powerful tool that can be used to launch more sophisticated forms of attack. Back in 2017, for instance, CSO online reported on a Bluetooth worm that used similar techniques to spread.
More generally, Bluetooth surveillance is becoming a concern because, as more and more devices use Bluetooth connectivity, identifying Bluetooth signals allows a hacker to pinpoint ALL network traffic passing to and from devices. Achieving this defeats a wide range of security technologies, including the much-hyped secure browsers, and is a common starting point for most of the common types of cyberattack.
These problems are unlikely to go away anytime soon, either. The meteoric rise of IoT devices in recent years means that there are millions more devices connected via Bluetooth. In addition, IoT device manufacturers have often prioritized ease of use and connectivity over security concerns. Even worse, many of these IoT devices are now connected to critical hardware, making the consequences of a Bluetooth hack even worse.
Avoiding Bluetooth tracking
When it comes to avoiding the kind of tracking that the paper reported, there is some good news and some bad news. The good news is that Android devices appear to be completely unaffected by this exploit.
The bad news is that, if you own another type of device, there is currently no way of using Bluetooth without opening yourself up to this kind of hacking. Hopefully, manufacturers will patch the vulnerability now that the research has been made public, but until then the standard advice applies: Only use Bluetooth when you have to, and make sure that you encrypt all the data passing between your devices and wider networks.
Copyright © 2019 IDG Communications, Inc.