Bluetooth Flaws Could Allow Global Tracking of iOS and Windows


According to researchers at Boston University, flaws in the way Bluetooth Low Energy (BLE) is implemented by device manufacturers can allow global tracking of the Windows 10, iOS and macOS devices that use it. The BU team found the flaws in the periodically changing, randomized device-address mechanism that many newer BLE devices use to prevent passive tracking. The paper was presented on July 17th at the 19th Privacy Enhancing Technologies Symposium.

Bluetooth devices announce their availability to other devices on publicly readable channels, called advertising channels, so that pairing is easy. In early versions of the Bluetooth specification, a device's permanent Bluetooth MAC address was broadcast regularly on these channels, which raised privacy concerns because it allowed the device to be tracked. BLE addressed this by letting device manufacturers use periodically changing random addresses over the air instead of the permanent address. But many BLE devices also place identifying tokens in the advertising payload. These tokens are unique to a device and, although they too change over time, they stay the same long enough to serve as secondary identifiers alongside the random address. The researchers were able to track devices because, on some devices, the identifying tokens and the random addresses do not change at the same time. A single token can therefore be observed together with the current address and then with the next random address assigned to the device, which creates a bridge between randomized addresses that an attacker can follow.


The researchers used a packet sniffer to capture traffic on the advertising channels and fed it to an address-carryover algorithm. The algorithm exploits the asynchronous nature of address and payload changes: it uses identifying tokens in the payload that have not yet changed to trace a newly observed random address back to a known device. The algorithm is online, continuously observing changes in the address and in any other identifying tokens it finds. It listens to incoming addresses and tokens as they are broadcast on one of the BLE advertising channels. After extracting the tokens for a given device, if the advertising address changes, it attempts a match using any of the previously captured identifying tokens. On a successful match, the device's identity is updated with the new address, and the device has been tracked across the address change.

The algorithm succeeds consistently on Windows 10 and sometimes on Apple operating systems. In both cases, the identifying tokens change out of sync with the advertising address. In the Windows 10 case, there is no evidence of any synchronization by design. In the Apple case, there exist mechanisms to synchronize updates of identifying tokens with address randomization, but they occasionally fail. While the research work focused on Windows 10 and Apple devices, any device is vulnerable to the carry-over algorithm if it does not change all of its identifying tokens in sync with the advertising address.
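The two paragraphs above describe the carry-over procedure and the condition under which it works (tokens rotating out of step with the address). The following Python is an added illustration written for this page, not the BU team's code or a real sniffer: it models the online algorithm over constructed advertising frames and runs it against three synthetic devices, one whose tokens change out of sync with its address (the Windows 10 behaviour described), one that rotates both together (the intended behaviour), and one that rotates together but slips once (the occasional Apple failure). Frame periods, token names and the `late_token_frames` knob are assumptions chosen to make the cases visible.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Advertisement:
    """One BLE advertising frame as a passive sniffer would see it."""
    address: str             # current random (private) advertising address
    tokens: FrozenSet[str]   # identifying tokens extracted from the payload


@dataclass
class Device:
    address: str                                    # address currently attributed to the device
    tokens: Set[str]                                # tokens seen with that address
    chain: List[str] = field(default_factory=list)  # every address linked to this identity so far


class CarryoverTracker:
    """Online address-carryover: bridge a fresh address to a known device via any token that did not change."""

    def __init__(self) -> None:
        self.devices: Dict[int, Device] = {}
        self.by_address: Dict[str, int] = {}

    def observe(self, adv: Advertisement) -> Tuple[int, str]:
        # 1. Address already known: just refresh the token set.
        dev_id = self.by_address.get(adv.address)
        if dev_id is not None:
            self.devices[dev_id].tokens |= adv.tokens
            return dev_id, "same-address"
        # 2. Unknown address: try to match any token captured under a previous address.
        for dev_id, dev in self.devices.items():
            if dev.tokens & adv.tokens:
                del self.by_address[dev.address]
                dev.address = adv.address
                dev.tokens = set(adv.tokens)   # keep only tokens confirmed with the new address
                dev.chain.append(adv.address)
                self.by_address[adv.address] = dev_id
                return dev_id, "carried-over"
        # 3. Nothing matched: the chain is broken, so this looks like a new device.
        dev_id = len(self.devices)
        self.devices[dev_id] = Device(adv.address, set(adv.tokens), [adv.address])
        self.by_address[adv.address] = dev_id
        return dev_id, "new-device"


def synthetic_advertisements(n_frames: int, address_period: int, token_period: int,
                             label: str, late_token_frames: Iterable[int] = ()) -> List[Advertisement]:
    """Constructed sample traffic for one device (not captured data).

    The address rotates every `address_period` frames and the single payload token every
    `token_period` frames. At any frame listed in `late_token_frames` the token update is
    delayed by one frame, modelling a synchronisation slip.
    """
    late = set(late_token_frames)
    frames = []
    for i in range(n_frames):
        address = f"{label}-addr{i // address_period}"
        token_idx = (i - 1) // token_period if i in late else i // token_period
        frames.append(Advertisement(address, frozenset({f"{label}-tok{token_idx}"})))
    return frames


def address_chains(advs: List[Advertisement]) -> List[List[str]]:
    """Run the tracker over a frame sequence and return one address chain per identity it formed."""
    tracker = CarryoverTracker()
    for adv in advs:
        tracker.observe(adv)
    return [dev.chain for dev in tracker.devices.values()]


if __name__ == "__main__":
    # Out-of-sync rotation (periods 4 and 7 never coincide in 24 frames): one identity, six addresses.
    print(address_chains(synthetic_advertisements(24, 4, 7, "win")))
    # Synchronised rotation: every address change also changes the token, so six separate identities.
    print(address_chains(synthetic_advertisements(24, 4, 4, "sync")))
    # Synchronised except for one late token update at frame 8: that single slip links two addresses.
    print(address_chains(synthetic_advertisements(24, 4, 4, "mac", late_token_frames={8})))
```

The synchronised case is also what the manual workaround below achieves: resetting address and token together leaves no token in common between the old and new address, so step 2 of `observe` finds nothing to match. A real implementation would additionally age out tokens that have not been seen for a while and handle a token matching more than one candidate device; both are omitted here for brevity.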

Bluetooth is projected to grow to over 5 billion devices by 2022, with over half a billion of them wearables and other data-focused connected devices. While the typical BLE range is around 10 to 20 meters, an attacker could extend that reach with a botnet: coordinating local BLE tracking across a botnet of adversaries could yield a global tracking capability. This is compounded by the availability of BLE-based botnets and complementary threats, such as large-scale tracking of users via infected routers, which push tracking capability to a global scale. Additional metadata, such as electronic purchase transactions, facial recognition and other digital traces, could be combined with Bluetooth tracking to generate a fine-grained location profile of a victim.

The BU team disclosed the issues to Microsoft and Apple in November. So far, no patches have appeared, but feasible workarounds exist. Windows 10 users can periodically disable the Bluetooth adapter in Windows Device Manager and re-enable it, which resets both the advertising address and the token and thereby breaks the chain. On Apple devices, switching Bluetooth off and on in Settings, or from the menu bar on macOS, randomizes the address and changes the payload. Android devices aren't affected.