Tracking Anonymized Bluetooth Devices

Open access

Abstract

Bluetooth Low Energy (BLE) devices use public (non-encrypted) advertising channels to announce their presence to other devices. To prevent tracking on these public channels, devices may use a periodically changing, randomized address instead of their permanent Media Access Control (MAC) address. In this work we show that many state-of-the-art devices which are implementing such anonymization measures are vulnerable to passive tracking that extends well beyond their address randomization cycles. We show that it is possible to extract identifying tokens from the pay-load of advertising messages for tracking purposes. We present an address-carryover algorithm which exploits the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device. We furthermore identify an identity-exposing attack via a device accessory that allows permanent, non-continuous tracking, as well as an iOS side-channel which allows insights into user activity. Finally, we provide countermeasures against the presented algorithm and other privacy flaws in BLE advertising.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Apple Inc. iBeacon 2014.

  • [2] Gianmarco Baldini Raimondo Giuliani Gary Steri and Ricardo Neisse. Physical Layer Authentication of Internet of Things Wireless Devices Through Permutation and Dispersion Entropy. In 2017 Global Internet of Things Summit (GIoTS) pages 1–6. IEEE 6 2017.

  • [3] Bluetooth Special Interest Group (SIG). Company Identifiers.

  • [4] Bluetooth Special Interest Group (SIG). Generic Access Profile.

  • [5] Bluetooth Special Interest Group (SIG). Service Discovery.

  • [6] Bluetooth Special Interest Group (SIG). Bluetooth Core Specification. v4.0. Bluetooth Special Interest Group (SIG) 2010.

  • [7] Bluetooth Special Interest Group (SIG). Supplement to the Bluetooth Core Specification. Bluetooth Special Interest Group (SIG) 2015.

  • [8] Bluetooth Special Interest Group (SIG). Bluetooth Core Specification. v5.0. Bluetooth Special Interest Group (SIG) 2016.

  • [9] Bluetooth Special Interest Group (SIG). Bluetooth Market Update 2018. Technical report Bluetooth Special Interest Group (SIG) 2018.

  • [10] Bluetooth Special Interest Group (SIG). Core Specifications 2018.

  • [11] Bluetooth Special Interest Group (SIG). Our History 2018.

  • [12] Britt Cyr Webb Horn Daniela Miao and Michael Specter. Security Analysis of Wearable Fitness Devices (Fitbit). Massachusetts Institute of Technology pages 1–14 2014.

  • [13] D.A. Dai Zovi and S.A. Macaulay. Attacking Automatic Wireless Network Selection. In Proceedings from the Sixth Annual IEEE Systems Man and Cybernetics (SMC) Information Assurance Workshop 2005. volume 2005 pages 365–372. IEEE 2005.

  • [14] Dino A Dai Zovi. KARMA Attacks Radioed Machines Automatically 2005.

  • [15] Boris Danev Davide Zanetti and Srdjan Capkun. On Physical-Layer Identification of Wireless Devices. ACM Computing Surveys 45(1):1–29 2012.

  • [16] Aveek K. Das Parth H. Pathak Chen-Nee Chuah and Prasant Mohapatra. Uncovering Privacy Leakage in BLE Network Traffic of Wearable Fitness Trackers. In Proceedings of the 17th International Workshop on Mobile Computing Systems and Applications - HotMobile ’16 pages 99–104 New York New York USA 2016. ACM Press.

  • [17] Byron C Drachman and Michael J Cloud. Inequalities: With Applications to Engineering. Springer-Verlag 1998.

  • [18] Google. Eddystone.

  • [19] Google Developers. BluetoothLeAdvertiser.

  • [20] Robin Heydon. An Introduction to Bluetooth Low Energy 2013.

  • [21] IEEE Computer Society. IEEE Standard for Local and Metropolitan Area Networks - Link Aggregation. IEEE Standards Association 2008.

  • [22] Taher Issoufaly and Pierre Ugo Tournoux. BLEB: Bluetooth Low Energy Botnet for large scale individual tracking. 2017 1st International Conference on Next Generation Computing Applications NextComp 2017 pages 115–120 2017.

  • [23] Markus Jakobsson and Susanne Wetzel. Security Weaknesses in Bluetooth. In David Naccache editor Topics in Cryptology — CT-RSA 2001 pages 176–191 Berlin Heidelberg 2001. Springer.

  • [24] Mohamed Imran Jameel and Jeffrey Dungen. Low-Power Wireless Advertising Software Library for Distributed M2M and Contextual IoT. In 2015 IEEE 2nd World Forum on Internet of Things (WF-IoT) pages 597–602. IEEE 12 2015.

  • [25] Xianjun Jiao. BTLE 2014.

  • [26] Heikki Karvonen Carlos Pomalaza-Ráez Konstantin Mikhaylov Matti Hämäläinen and Jari Iinatti. Experimental Performance Evaluation of BLE 4 Versus BLE 5 in Indoors and Outdoors Scenarios. In Giancarlo Fortino and Zhelong Wang editors Advances in Body Area Networks I pages 235–251. Springer Cham 2019.

  • [27] Jeremy Martin Travis Mayberry Collin Donahue Lucas Foppe Lamont Brown Chadwick Riggins Erik C. Rye and Dane Brown. A Study of MAC Address Randomization in Mobile Devices and When it Fails. Proceedings on Privacy Enhancing Technologies 2017(4):365–383 10 2017.

  • [28] Radius Networks. AltBeacon 2015.

  • [29] reelyActive. reelyActive-git.

  • [30] reelyActive. Sniffypedia 2018.

  • [31] Pierre Rouveyrol Patrice Raveneau and Mathieu Cunche. Large Scale Wi-Fi Tracking Using a Botnet of Wireless Routers. Workshop on Surveillance & Technology 2015.

  • [32] Krishna Sampigethaya Leping Huang Mingyan Li Radha Poovendran Kanta Matsuura and Kaoru Sezaki. CARAVAN: Providing Location Privacy for VANET. Technical report Washington Univ Seattle Dept of Electrical Engineering 2005.

  • [33] Dominic Spill and Andrea Bittau. BlueSniff: Eve meets Alice and Bluetooth. WOOT ’07 Proceedings of the first USENIX workshop on Offensive Technologies page 10 2007.

  • [34] Mathy Vanhoef Célestin Matte Mathieu Cunche Leonardo S. Cardoso and Frank Piessens. Why MAC Address Randomization is not Enough. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security - ASIA CCS ’16 pages 413–424 New York New York USA 2016. ACM Press.

  • [35] virtualabs. probeZero 2016.

  • [36] Tien Dang Vo-Huu Triet Dang Vo-Huu and Guevara Noubir. Fingerprinting Wi-Fi Devices Using Software Defined Radios. In Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks - WiSec ’16 pages 3–14 New York New York USA 2016. ACM Press.

  • [37] Isabel Wagner and David Eckhoff. Technical Privacy Metrics. ACM Computing Surveys 51(3):1–38 2018.

  • [38] Martin Woolley. Bluetooth Technology Protecting Your Privacy 2015.

  • [39] Qiang Xu Rong Zheng Walid Saad and Zhu Han. Device Fingerprinting in Wireless Networks: Challenges and Opportunities. IEEE Communications Surveys & Tutorials 18(1):94–104 2016.

Search
Journal information
Metrics
All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 193 193 100
PDF Downloads 70 70 31