Recently, researchers from Boston University published a paper called “Tracking Anonymized Bluetooth Devices.” The paper detailed a flaw in the ubiquitous Bluetooth communication protocol that could expose device users to tracking and even leak their IDs. As explained in the paper, many Bluetooth devices announce their presence by using their MAC addresses as the basis to generate a random number in order to prevent long-term tracking.
The team discovered a flaw in the system and identified tokens that exist alongside MAC addresses. The researchers created what they’re calling an address-carryover algorithm that is able to “exploit the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device. The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic.”
At the center of this flaw is Bluetooth BLE, which stands for Low Energy Specification). Introduced in 2010, it really came to the fore with the release of Bluetooth 5. The research team discovered it when they began investigating BLE advertising channels and “advertising events” within standard Bluetooth proximities.
“Most computer and smartphone operating systems do implement address randomizations by default as a means to prevent long-term passive tracking, as permanent identifiers are not broadcasted. However, we identified that devices running Windows 10, iOS, or Mac OS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within the BLE range.”
Although this technique works on any Windows, iOS, and macOS system, Android devices are completely immune. That is because the Android OS doesn’t continually send out advertising messages, and instead takes the approach of scanning for advertising messages being transmitted nearby.
If all of that makes your head spin, consider this: The number of Bluetooth devices is projected to grow from 4.2 to 5.2 billion between 2019 and 2022. So this is a significant issue, deserving of attention.
