Researchers devise method to track Bluetooth devices, despite built-in protections

News by Bradley Barth

Malicious actors may use unique "identifying tokens" to circumvent anonymisation protections on Bluetooth Low Energy devices

Researchers from Boston University (BU) have discovered a way to circumvent anonymisation protections on Bluetooth Low Energy (BLE) devices, allowing potentially malicious actors to passively track the movements of these devices and their users.

BLE devices rely on unencrypted advertising messages to signal their availability to pair with other devices. To prevent third parties from tracking devices via this process, some devices use randomised addresses that change periodically, explain BU researchers Johannes Becker, David Li and David Starobinski in their recently published paper, "Tracking Anonymised Bluetooth Devices."

However, the researchers found that malicious actors can extract what they refer to as unique "identifying tokens" from the payloads of these advertising messages. These tokens, which can be traced back to their corresponding devices, also change periodically, but not in sync with the changing of the randomised addresses. Therein lies the vulnerability.

Indeed, the scholars developed what they call an "address-carryover" algorithm which, according to their paper, "exploits the asynchronous nature of payload and address changes to achieve tracking beyond the address randomisation of a device." The algorithm does not require any message decryption or breaking of Bluetooth security to work effectively, the report notes.

The tracking vulnerability and corresponding exploit affect Bluetooth-enabled Windows 10, iOS and macOS devices, provided these devices are continuously observed by a would-be attacker. Android devices tested by the researchers are not susceptible to the algorithm.

Meanwhile, Fitbit wearable devices don't change or randomise their device addresses at all, which makes them even easier to track, the report stresses.

"What surprised me the most was discovering a vulnerability with the Fitbit activity trackers," said the researcher Li, as quoted by BU’s research news website, The Brink. "Restarting the device or draining its battery did not change its access address. This was completely unexpected. If the Fitbit’s access address never changes, then an adversary could potentially track a Fitbit owner."

Additionally, the researchers say that the Microsoft Surface Pen emits a Bluetooth advertising message that exposes the permanent, unchanging address of its corresponding Surface computer, thus allowing third parties to track the tablet indefinitely.

The researchers also created an iOS side-channel attack that allows passive observers to gain insights into device activity patterns by observing "handoff payloads" that allow users to start an activity on one device and continue it on a second device.

Toward the end of their report, the researchers offer recommendations to fix the vulnerability. They also note that users can work around the problem by disabling the Bluetooth device (via Windows Device Manager, System Settings or the Menu Bar, depending on the device’s operating system) and then enabling it again.

"Any device which regularly advertises data containing suitable advertising tokens will be vulnerable to the carry-over algorithm if it does not change all of its identifying tokens in sync with the advertising address," the report concludes. With the use of Bluetooth-enabled devices growing, "establishing tracking-resistant methods, especially on unencrypted communication channels, is of paramount importance."
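The following simulation, written for this article and not taken from the researchers' paper or code, illustrates the address-carryover linkage described above and the paper's closing condition about changing tokens in sync with the address. Every advert, address, token and rotation period in it is constructed; no radio traffic is involved. The "device" emits one advert per second, rotating its random address and its payload token on separate timers, and a passive observer links two addresses whenever the same token is seen with both. The same run with both timers aligned shows why in-sync rotation is the fix.

```python
"""Simulation of BLE address-carryover linkage (added example, not the paper's code).

All adverts, addresses, tokens and timings below are constructed for
illustration. The point is to show the privacy failure mode: an identifying
token that outlives an address change lets a passive observer chain the old
and new random addresses together, while in-sync rotation breaks the chain.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advert:
    t: int       # observation time in seconds (constructed)
    addr: str    # random advertising address in use at time t
    token: str   # identifying token carried in the advert payload


def simulate_device(seconds, addr_period, token_period, name="dev"):
    """Emit one advert per second. The address rotates every addr_period
    seconds and the payload token every token_period seconds. Equal periods
    with the same phase model a device that rotates both in sync."""
    return [
        Advert(t, f"{name}-addr{t // addr_period}", f"{name}-tok{t // token_period}")
        for t in range(seconds)
    ]


def carryover_chains(adverts):
    """Address-carryover linkage: when a token already seen with address A
    is later observed with a different address B, A and B are treated as the
    same device. Returns the linked address groups in first-sight order.
    Only passive observation of unencrypted adverts is modelled here."""
    parent = {}  # union-find over addresses

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    last_addr_for_token = {}
    for adv in sorted(adverts, key=lambda a: a.t):
        parent.setdefault(adv.addr, adv.addr)
        prev = last_addr_for_token.get(adv.token)
        if prev is not None and prev != adv.addr:
            parent[find(prev)] = find(adv.addr)  # token carried over: link
        last_addr_for_token[adv.token] = adv.addr

    groups = {}
    for addr in parent:  # dict preserves first-sight order of addresses
        groups.setdefault(find(addr), []).append(addr)
    return list(groups.values())


def longest_tracked_chain(adverts):
    """Largest number of random addresses an observer could tie to one device."""
    return max(len(g) for g in carryover_chains(adverts))


if __name__ == "__main__":
    # Out of sync: address every 15 s, token every 22 s (constructed values).
    out_of_sync = simulate_device(120, addr_period=15, token_period=22)
    # In sync: both rotate every 15 s on the same timer.
    in_sync = simulate_device(120, addr_period=15, token_period=15)
    print("out of sync: addresses linked =", longest_tracked_chain(out_of_sync))
    print("in sync:     addresses linked =", longest_tracked_chain(in_sync))
```

With the constructed periods, the out-of-sync device's eight random addresses over two minutes collapse into a single chain, whereas the in-sync device yields eight unlinked addresses. Note that the rotation periods in the out-of-sync run were chosen so that the two timers never fire together within the window; if they did coincide, the chain would break at that moment, which is the same effect the paper attributes to the disable/enable workaround.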

"This privacy concern is compounded by the realistic feasibility of BLE-based botnets and complementary threats such as large-scale tracking of users via compromised Wi-Fi routers, which amplify trackability to a global scale," the report continues. "It can further be imagined that additional metadata such as electronic purchase transactions, facial recognition and other digital traces could be combined with Bluetooth tracking to generate a fine-grained location profile of a victim."

According to the report, the researchers responsibly disclosed the vulnerabilities they discovered to the affected device manufacturers. Initial communications date back to November 2018, they said. SC Media has reached out to Microsoft, Apple and Fitbit for comment.

This article was originally published on SC Media US.
