Handoff All Your Privacy – A Review of Apple’s Bluetooth Low Energy Continuity Protocol

Open access

Abstract

We investigate Apple’s Bluetooth Low Energy (BLE) Continuity protocol, designed to support interoperability and communication between iOS and macOS devices, and show that the price for this seamless experience is leakage of identifying information and behavioral data to passive adversaries. First, we reverse engineer numerous Continuity protocol message types and identify data fields that are transmitted unencrypted. We show that Continuity messages are broadcast over BLE in response to actions such as locking and unlocking a device’s screen, copying and pasting information, making and accepting phone calls, and tapping the screen while it is unlocked. Laboratory experiments reveal a significant flaw in the most recent versions of macOS that defeats BLE Media Access Control (MAC) address randomization entirely by causing the public MAC address to be broadcast. We demonstrate that the format and content of Continuity messages can be used to fingerprint the type and Operating System (OS) version of a device, as well as behaviorally profile users. Finally, we show that predictable sequence numbers in these frames can allow an adversary to track Apple devices across space and time, defeating existing anti-tracking techniques such as MAC address randomization.

