Tracking Anonymized Bluetooth Devices

Johannes K Becker 1 , David Li 2 , and David Starobinski 3
  • 1 Boston University,
  • 2 Boston University,
  • 3 Boston University,


Bluetooth Low Energy (BLE) devices use public (non-encrypted) advertising channels to announce their presence to other devices. To prevent tracking on these public channels, devices may use a periodically changing, randomized address instead of their permanent Media Access Control (MAC) address. In this work we show that many state-of-the-art devices which are implementing such anonymization measures are vulnerable to passive tracking that extends well beyond their address randomization cycles. We show that it is possible to extract identifying tokens from the pay-load of advertising messages for tracking purposes. We present an address-carryover algorithm which exploits the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device. We furthermore identify an identity-exposing attack via a device accessory that allows permanent, non-continuous tracking, as well as an iOS side-channel which allows insights into user activity. Finally, we provide countermeasures against the presented algorithm and other privacy flaws in BLE advertising.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Apple Inc. iBeacon, 2014.

  • [2] Gianmarco Baldini, Raimondo Giuliani, Gary Steri, and Ricardo Neisse. Physical Layer Authentication of Internet of Things Wireless Devices Through Permutation and Dispersion Entropy. In 2017 Global Internet of Things Summit (GIoTS), pages 1–6. IEEE, 6 2017.

  • [3] Bluetooth Special Interest Group (SIG). Company Identifiers.

  • [4] Bluetooth Special Interest Group (SIG). Generic Access Profile.

  • [5] Bluetooth Special Interest Group (SIG). Service Discovery.

  • [6] Bluetooth Special Interest Group (SIG). Bluetooth Core Specification. v4.0. Bluetooth Special Interest Group (SIG), 2010.

  • [7] Bluetooth Special Interest Group (SIG). Supplement to the Bluetooth Core Specification. Bluetooth Special Interest Group (SIG), 2015.

  • [8] Bluetooth Special Interest Group (SIG). Bluetooth Core Specification. v5.0. Bluetooth Special Interest Group (SIG), 2016.

  • [9] Bluetooth Special Interest Group (SIG). Bluetooth Market Update 2018. Technical report, Bluetooth Special Interest Group (SIG), 2018.

  • [10] Bluetooth Special Interest Group (SIG). Core Specifications, 2018.

  • [11] Bluetooth Special Interest Group (SIG). Our History, 2018.

  • [12] Britt Cyr, Webb Horn, Daniela Miao, and Michael Specter. Security Analysis of Wearable Fitness Devices (Fitbit). Massachusetts Institute of Technology, pages 1–14, 2014.

  • [13] D.A. Dai Zovi and S.A. Macaulay. Attacking Automatic Wireless Network Selection. In Proceedings from the Sixth Annual IEEE Systems, Man and Cybernetics (SMC) Information Assurance Workshop, 2005., volume 2005, pages 365–372. IEEE, 2005.

  • [14] Dino A Dai Zovi. KARMA Attacks Radioed Machines Automatically, 2005.

  • [15] Boris Danev, Davide Zanetti, and Srdjan Capkun. On Physical-Layer Identification of Wireless Devices. ACM Computing Surveys, 45(1):1–29, 2012.

  • [16] Aveek K. Das, Parth H. Pathak, Chen-Nee Chuah, and Prasant Mohapatra. Uncovering Privacy Leakage in BLE Network Traffic of Wearable Fitness Trackers. In Proceedings of the 17th International Workshop on Mobile Computing Systems and Applications - HotMobile ’16, pages 99–104, New York, New York, USA, 2016. ACM Press.

  • [17] Byron C Drachman and Michael J Cloud. Inequalities: With Applications to Engineering. Springer-Verlag, 1998.

  • [18] Google. Eddystone.

  • [19] Google Developers. BluetoothLeAdvertiser.

  • [20] Robin Heydon. An Introduction to Bluetooth Low Energy, 2013.

  • [21] IEEE Computer Society. IEEE Standard for Local and Metropolitan Area Networks - Link Aggregation. IEEE Standards Association, 2008.

  • [22] Taher Issoufaly and Pierre Ugo Tournoux. BLEB: Bluetooth Low Energy Botnet for large scale individual tracking. 2017 1st International Conference on Next Generation Computing Applications, NextComp 2017, pages 115–120, 2017.

  • [23] Markus Jakobsson and Susanne Wetzel. Security Weaknesses in Bluetooth. In David Naccache, editor, Topics in Cryptology — CT-RSA 2001, pages 176–191, Berlin, Heidelberg, 2001. Springer.

  • [24] Mohamed Imran Jameel and Jeffrey Dungen. Low-Power Wireless Advertising Software Library for Distributed M2M and Contextual IoT. In 2015 IEEE 2nd World Forum on Internet of Things (WF-IoT), pages 597–602. IEEE, 12 2015.

  • [25] Xianjun Jiao. BTLE, 2014.

  • [26] Heikki Karvonen, Carlos Pomalaza-Ráez, Konstantin Mikhaylov, Matti Hämäläinen, and Jari Iinatti. Experimental Performance Evaluation of BLE 4 Versus BLE 5 in Indoors and Outdoors Scenarios. In Giancarlo Fortino and Zhelong Wang, editors, Advances in Body Area Networks I, pages 235–251. Springer, Cham, 2019.

  • [27] Jeremy Martin, Travis Mayberry, Collin Donahue, Lucas Foppe, Lamont Brown, Chadwick Riggins, Erik C. Rye, and Dane Brown. A Study of MAC Address Randomization in Mobile Devices and When it Fails. Proceedings on Privacy Enhancing Technologies, 2017(4):365–383, 10 2017.

  • [28] Radius Networks. AltBeacon, 2015.

  • [29] reelyActive. reelyActive-git.

  • [30] reelyActive. Sniffypedia, 2018.

  • [31] Pierre Rouveyrol, Patrice Raveneau, and Mathieu Cunche. Large Scale Wi-Fi Tracking Using a Botnet of Wireless Routers. Workshop on Surveillance & Technology, 2015.

  • [32] Krishna Sampigethaya, Leping Huang, Mingyan Li, Radha Poovendran, Kanta Matsuura, and Kaoru Sezaki. CARAVAN: Providing Location Privacy for VANET. Technical report, Washington Univ Seattle Dept of Electrical Engineering, 2005.

  • [33] Dominic Spill and Andrea Bittau. BlueSniff: Eve meets Alice and Bluetooth. WOOT ’07 Proceedings of the first USENIX workshop on Offensive Technologies, page 10, 2007.

  • [34] Mathy Vanhoef, Célestin Matte, Mathieu Cunche, Leonardo S. Cardoso, and Frank Piessens. Why MAC Address Randomization is not Enough. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security - ASIA CCS ’16, pages 413–424, New York, New York, USA, 2016. ACM Press.

  • [35] virtualabs. probeZero, 2016.

  • [36] Tien Dang Vo-Huu, Triet Dang Vo-Huu, and Guevara Noubir. Fingerprinting Wi-Fi Devices Using Software Defined Radios. In Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks - WiSec ’16, pages 3–14, New York, New York, USA, 2016. ACM Press.

  • [37] Isabel Wagner and David Eckhoff. Technical Privacy Metrics. ACM Computing Surveys, 51(3):1–38, 2018.

  • [38] Martin Woolley. Bluetooth Technology Protecting Your Privacy, 2015.

  • [39] Qiang Xu, Rong Zheng, Walid Saad, and Zhu Han. Device Fingerprinting in Wireless Networks: Challenges and Opportunities. IEEE Communications Surveys & Tutorials, 18(1):94–104, 2016.


Journal + Issues