Leaky Bluetooth smartphones & wearables can be tracked from 100m away

Researchers at Context Information Security have discovered that smartphones, tablets, iBeacons, fitness trackers and other wearable devices using embedded Bluetooth Low Energy (BLE) could potentially be tracked from 100m away.

Leaky Bluetooth smartphones & wearables can be tracked from 100m away
Leaky Bluetooth smartphones & wearables can be tracked from 100m away

In a presentation at Context's OASIS conference in South Bank, London yesterday, senior researcher Scott Lester talked through how the firm was able, via its own Android app, to monitor and record Bluetooth Low Energy (BLE) signals transmitted by most mobile phones, wearables and even beacons, the new transmitters which are being developed by Apple and Google and used by retail stores and other brands for targeted advertising.

“This is a new technology, many of the apps are relatively new, and they enable devices to work pretty differently…but they are broadcasting information almost constantly,” said Lester during the presentation.

He said that BLE has been around since 2010 and has seen increasing adoption even since then thanks to its low-energy usage (these devices can use coin cell batteries that last up to one to two years) and lower-size packets, which enable these devices to easily transmit information to and from ‘paired' smartphones.

BLE, developed by Bluetooth Special Interest Group, has found itself on a variety of smartphones – including those made by Apple (where the standard is supported by iOS 5 and up), Microsoft (Windows Phone 8.0 and above), Google (Android 4.3 and up) and BlackBerry (BlackBerry 10 and up). An increasing number of apps implement BLE for smarter, more customised notifications.

However, as Lester detailed, BLE is not without problems, especially when it comes to privacy. A number of BLE devices continue to have weak or no authentication and media access control (MAC) addresses that don't change – which can be used for tracking.

“My own fitness tracker has had the same MAC address since we started the investigation, even though it's completely run out of battery once,” said Lester. “Sometimes the transmitted packets also contain the device name, which may be unique, such as the ‘Garmin Vivosmart #12345678', or even give the name of the user, such as ‘Scott's Watch'.”

“Many people wearing fitness devices don't realise that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” he continued. “Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device – that may belong to a celebrity, politician or senior business executive – within 100 metres in the open air. This information could be used for social engineering as part of a planned cyber-attack or for physical crime by knowing peoples' movements.”

Context tested out this theory itself, releasing its own Android app (called ‘Ramble' and now available on Google Play), to scan, detect and log wearable devices. One company exec managed to collect nearly 150 unique devices in a 30-minute lunchtime period in Canary Wharf, including FitBits, iPhones and Jawbones.

In more positive news, Lester said that the Bluetooth Consortium has more recently ‘backtracked' with BLE 4.2, which adds passcode, public key encryption (using the DHE key exchange, also in the news this week), IPv6 support and support for faster data rates. The packet length has also  been decreased.

“Many BLE devices simply can't support authentication and many of the products we have looked at don't implement encryption, as this would significantly reduce battery life and increase the complexity of the application,” said Lester.

Nonetheless, the potential for tracking here is more than just smartphone or fitness trackers, but also newer emerging technologies leveraging BLE. For example, the number of passenger cars with tech is expected to grow to 50 million next year, while iBeacons – used to transmit BLE packets to identify locations – are already being used at Apple and House of Fraser stores to tailor notifications, as well as by BA and Virgin for welcoming flyers to premium lounge. Lester said there are similarities with BLE with the proprietary ANT+ protocol, Google Physical Web is a protocol for transmitting website addresses (URLs) over BLE.

“It doesn't take much imagination to think of a phone manufacturer providing handsets with an iBeacon application already installed, so your phone alerts you with sales notifications when you walk past certain shops,” said Lester, who says that the firm is also investigating AirDrop.

He summarised: “It is clear that BLE is a powerful technology, which is increasingly being put to a wide range of uses. While the ability to detect and track devices may not present a serious risk in itself, it certainly has the potential to compromise privacy and could be part of a wider social engineering threat. It is also yet another demonstration of the lack of thought that goes into security when companies are in a rush to get new technology products to market.”

Speaking to SCMagazineUK.com earlier today, Lester reiterated that the main attack vector would  be social engineering attacks, leading to further cyber-activity, but guessed nation-state activity would be unlikely.

“If you can attribute a device to a person, which can be easy for some devices and settings, then detecting their presence and even tracking their movements is made possible by scanning for their BLE device. This could be used for any scenario where you need to detect people, such as social engineering.”

“It's hard to guess at the capabilities of nation states but the recent announcement [of China banning wearables for its army] shows that they are at least aware of the threats to their staff having wearable tech on them whilst on duty. If they're aware of the threats themselves, it's easy to assume that they are also looking to exploit those threats.”

Lester, who pointed to previous research of attacks when pairing mechanisms had been broken if encryption handshake intercepted, also urged wearable makers to ‘design security in from the start', adding that it was possible to do this with the capabilities under BLE standard.

And on wearable makers' maturity on security, he said: “There really is a wide spread. Much like the IoT industry, the industry for wearable technology is fast-moving and is based on some novel technologies. Some vendors are not considering the security at all, and others are left to add it on as an afterthought. That said, some vendors do seem to be very considerate of the privacy and security implications of their devices, which is encouraging given the above, and the amount and breadth of data that these devices contain.

Dominic Chell, director and CREST team leader at MDSec Consulting, added in an email to SC: “The use of BLE in smartphones and wearables certainly raises privacy concerns and where appropriate measures have not been taken, may allow a user to be unwittingly tracked based on advertising packets broadcast from their device.

“Although the Bluetooth Smart provides guidelines on how to avoid this, Context's research highlights that this is not always adopted. 

“Manufacturers of BLE devices should make use of the Bluetooth Smart LE Privacy feature, which causes the MAC address within advertising packets to be replaced by a random value that changes at a configurable time interval.

“If used correctly, this feature makes it difficult to uniquely identify a device over time and therefore unfeasible to track a user.”