Handoff All Your Privacy – A Review of Apple’s Bluetooth Low Energy Continuity Protocol

Open access

Abstract

We investigate Apple’s Bluetooth Low Energy (BLE) Continuity protocol, designed to support interoperability and communication between iOS and macOS devices, and show that the price for this seamless experience is leakage of identifying information and behavioral data to passive adversaries. First, we reverse engineer numerous Continuity protocol message types and identify data fields that are transmitted unencrypted. We show that Continuity messages are broadcast over BLE in response to actions such as locking and unlocking a device’s screen, copying and pasting information, making and accepting phone calls, and tapping the screen while it is unlocked. Laboratory experiments reveal a significant flaw in the most recent versions of macOS that defeats BLE Media Access Control (MAC) address randomization entirely by causing the public MAC address to be broadcast. We demonstrate that the format and content of Continuity messages can be used to fingerprint the type and Operating System (OS) version of a device, as well as behaviorally profile users. Finally, we show that predictable sequence numbers in these frames can allow an adversary to track Apple devices across space and time, defeating existing anti-tracking techniques such as MAC address randomization.


