Researchers from Boston University (BU) have discovered a way to circumvent anonymization protections on Bluetooth Low Energy devices, allowing potentially malicious actors to passively track the movements of these devices and their users.
BLE devices rely on non-encrypted advertising messages to signal their availability to other devices to pair up. To prevent third-party actors from tracking devices via this process, some devices use randomized addresses that periodically change, explain BU researchers Johannes Becker, David Li and David Starobinski in their recently published paper, "Tracking Anonymized Bluetooth Devices."
However, the researchers found that malicious actors can extract what they refer to as unique "identifying tokens" from the payloads of their advertising messages. These tokens, which can be specifically traced back to their corresponding devices, also change periodically, but not in sync with the changing of the randomized addresses. Therein lies the vulnerability.
Indeed, the scholars developed what they call an "address-carryover" algorithm which, according to their paper, "exploits the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device." This algorithm does not require any message decryption or breaking of Bluetooth security to work effectively, the report notes.
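To make the asynchrony concrete, here is an added illustration (not code from the BU paper or from this article) that simulates a device advertising under two rotation policies and then runs the kind of linking check the paper describes over the observed stream. The token names, the rotation intervals and the one-second advertising period are constructed assumptions; the point is that an address change is only unlinkable when every identifying token changes at the same moment.

```python
# Added illustration, not code from the BU paper or from SC Media: a
# simulation of why rotating the advertising address and the payload's
# identifying tokens on different schedules lets a passive observer link
# one randomized address to the next. Token names, intervals and the
# 1-second advertising period are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List
import secrets


@dataclass
class Advertisement:
    """One advertising frame as a passive observer would log it."""
    t: int                   # observation time in seconds (constructed)
    address: str             # randomized advertising address (hex)
    tokens: Dict[str, str]   # identifying payload tokens (assumed names)


def _fresh_tokens() -> Dict[str, str]:
    # Two hypothetical payload fields that identify the device until rotated.
    return {"tok_a": secrets.token_hex(4), "tok_b": secrets.token_hex(4)}


def simulate(addr_interval: int, token_interval: int,
             duration: int) -> List[Advertisement]:
    """Emit one advertisement per second for `duration` seconds.

    The address is re-randomized every `addr_interval` seconds and the
    payload tokens every `token_interval` seconds. Equal intervals model a
    device that rotates everything together (the condition the report's
    conclusion names); different intervals model the asynchronous rotation
    the carry-over algorithm relies on.
    """
    address, tokens = secrets.token_hex(6), _fresh_tokens()
    stream = []
    for t in range(duration):
        if t and t % addr_interval == 0:
            address = secrets.token_hex(6)
        if t and t % token_interval == 0:
            tokens = _fresh_tokens()
        stream.append(Advertisement(t, address, dict(tokens)))
    return stream


def link_addresses(ads: List[Advertisement]) -> List[List[str]]:
    """Address-carryover linking over an observed stream.

    Walk the frames in time order. At each address change, attach the new
    address to the current chain only if at least one identifying token is
    unchanged across the change; otherwise start a new chain. The result
    is the set of address runs an observer could attribute to one device.
    """
    chains = [[ads[0].address]]
    prev = ads[0]
    for ad in ads[1:]:
        if ad.address != prev.address:
            carried = any(prev.tokens.get(k) == v for k, v in ad.tokens.items())
            if carried:
                chains[-1].append(ad.address)
            else:
                chains.append([ad.address])
        prev = ad
    return chains


def is_trackable(ads: List[Advertisement]) -> bool:
    """True if any address change was bridged by a carried-over token."""
    return any(len(chain) > 1 for chain in link_addresses(ads))


if __name__ == "__main__":
    # Constructed intervals: address every 15 s, tokens every 25 s (async)
    # versus both every 15 s (in sync). 60 s gives three address changes.
    for label, tok in (("async", 25), ("in sync", 15)):
        chains = link_addresses(simulate(15, tok, 60))
        print(f"{label:8} rotation -> chain lengths {[len(c) for c in chains]}")
```

With the asynchronous policy all four addresses fall into a single chain, because at each address change the previous payload tokens are still being broadcast; with synchronized rotation every address change also changes both tokens, so the stream splits into four unlinkable runs. A device vendor can use the same check against a capture of their own product's advertisements to confirm that no identifying field survives an address rotation.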
The tracking vulnerability and corresponding exploit affect Bluetooth-enabled Windows 10, iOS and macOS devices, provided these devices are continuously observed by a would-be attacker. Android devices tested by the researchers are not susceptible to the algorithm.
Meanwhile, Fitbit wearable devices don't bother to change and randomize their device addresses, which makes them even easier to track, the report stresses.
"What surprised me the most was discovering a vulnerability with the Fitbit activity trackers," said the researcher Li, as quoted by BU's research news website, The Brink. "Restarting the device or draining its battery did not change its access address. This was completely unexpected. If the Fitbit's access address never changes, then an adversary could potentially track a Fitbit owner."
Additionally, the researchers say that the Microsoft Surface Pen emits a Bluetooth advertising message that exposes the permanent, unchanging address of its corresponding Surface computer, thus allowing third parties to track the tablet indefinitely.
The researchers also created an iOS side-channel attack that allows passive observers to gain insights into device activity patterns by observing "handoff payloads" that allow users to start an activity on one device and continue it on a second device.
Toward the end of their report, the researchers offer recommendations to fix the vulnerability. They also note that users can work around the problem by disabling the Bluetooth device (via Windows Device Manager, System Settings or the Menu Bar, depending on the device's operating system) and then enabling it again.
"Any device which regularly advertises data containing suitable advertising tokens will be vulnerable to the carry-over algorithm if it does not change all of its identifying tokens in sync with the advertising address," the report concludes. With the use of Bluetooth-enabled devices growing, "establishing tracking-resistant methods, especially on unencrypted communication channels, is of paramount importance."
"This privacy concern is compounded by the realistic feasibility of BLE-based botnets and complementary threats such as large-scale tracking of users via compromised Wi-Fi routers, which amplify trackability to a global scale," the report continues. "It can further be imagined that additional metadata such as electronic purchase transactions, facial recognition and other digital traces could be combined with Bluetooth tracking to generate a fine-grained location profile of a victim."
According to the report, the researchers responsibly disclosed the vulnerabilities they discovered to the affected device manufacturers. Initial communications date back to November 2018, they said.
SC Media has reached out to Microsoft, Apple and Fitbit for comment. Microsoft responded with the following statement: "Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible. We addressed this issue in the Windows 10 May Update (1903) and customers who have Windows Updates enabled are protected."