Over the past few years, mobile devices have become more and more talkative about the Bluetooth Low Energy (BLE) protocol and this is proving to be a pretty significant privacy risk.
Seven boffins from the University of California at San Diego – Hadi Givehchian, Nishant Bhaskar, Eliana Rodriguez Herrera, Héctor Rodrigo López Soto, Christian Dameff, Dinesh Bharadia and Aaron Schulman – tested BLE implementations on several popular phones, PCs and gadgets, and have found they can be tracked through their physical signaling characteristics, albeit with intermittent success.
This means that devices can issue a single fingerprint, which means that it is possible to look for those fingerprints in multiple places to determine where those devices have been and when. It could be used to track people; you will have to use your imagination to determine who would exploit or could usefully exploit it. That said, at least two members of the team believe it is worthwhile for product makers to tackle this privacy weakness.
Academics describe their findings in an article [PDF], “Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices”, which is expected to be presented at the IEEE Security and Privacy Symposium in 2022.
BLE message transmissions have become more common in phones, laptops, watches, etc. thanks to operating system support for services like Apple’s. Continuity protocol, to move work between devices, and Find my, to locate lost devices. More recently, the US-based researchers explain, COVID-19 tracking software has used mobile devices as BLE beacons, broadcasting signals in the service of public health.
Applications using BLE typically try to conceal credentials by performing operations such as re-encrypting the transmitting device’s MAC address, they explain. But this type of MAC address randomization cannot mask built-in hardware characteristics that can be used to uniquely identify the sending machine.
The boffins reviewed a handful of popular mobile devices – iPhone 10 (iOS), Thinkpad X1 Carbon (Windows), MacBook Pro 2016 (macOS), Apple Watch 4 (watchOS), Google Pixel 5 (Android), and Bose QuietComfort 35 headphones. wireless – and discovered that they could often successfully fingerprint the physical BLE chip layer.
In other words, they measured changes in the radio frequency characteristics of BLE transmissions in a way that allowed them to distinguish BLE devices from one another, making the identified devices theoretically traceable.
The UC San Diego Group claims that no one has previously assessed how practical a fingerprint attack on BLE could be in the real world, and that no one has ever offered a BLE fingerprint tool that can measure fingerprints. physical layer imperfections exposed by the transmissions of these systems. .
The BLE chipsets in the sample devices share a common architectural model: they include Wi-Fi circuitry, to reduce power consumption and save space. Therefore, the BLE and Wi-Fi of these devices rely on the same 2.4 GHz phase / quadrature (I / Q) receiver interface.
“A consequence of this choice of hardware design is that BLE transmissions contain the same hardware imperfections as Wi-Fi,” the academics explain in their article.
“The imperfections are introduced by the shared I / Q interface of the chipset. They translate into two measurable metrics in BLE and WiFi transmissions: carrier frequency offset (CFO) and I / Q imperfections, in particular: offset I / Q and I / Q unbalance. “
Since previous research has shown that these metrics can only fingerprint WiFi devices, boffins have attempted to show that the same could be done for the now ubiquitous BLE signals.
They encountered a number of challenges which made identification more difficult. First, distinguishing between devices with the same chipset, like Apple’s iPhone, is more difficult than distinguishing between devices with different chipsets. Second, changes in the device’s temperature complicate matters, potentially requiring re-evaluation so that an inactive device can be linked to a device running an app.
And third, devices transmit with different power levels, which affects the range at which they can be detected – iPhones obviously broadcast their COVID tags at a higher power level than Android devices.
Other potential issues, like the difference between using an expensive software-defined radio for signal scanning and an inexpensive amateur model, turned out to be something that could be compensated for by calibration.
Tests in real conditions
The group collected two sets of BLE beacon data. The first came from looking for signals at six cafes, a college library, and a food court, each for about an hour. They gathered bundles of 162 devices during that time and found that around 40% were uniquely identifiable.
The second set of data came from setting up a software-defined radio out of a room where it was exposed to hundreds of devices daily. The researchers recorded the COVID-19 exposure notification BLE beacons from Apple and Google transmitted by the bypassers’ devices for 10-hour periods on two separate days, one week apart.
They saw 647 unique MAC addresses over the two 20 hours of data collection and were able to uniquely identify 47.1% of those; 15 percent had overlapping imperfections with just one other device.
The boffins also attempted an experiment in which they tracked 17 different targets as they moved. The average false negative rate was 3.21%, while the average false positive rate was 3.5%, meaning their system identified a device that was mostly accurate.
In an email to The registerUC San Diego doctoral students Hadi Givehchian and Nishant Bhaskar, both lead authors of the article, said they expect Apple’s AirTag and Samsung SmartTag Plus to be traceable using the same technique.
“The BLE chipsets in location beacons are likely to have the same manufacturing variations that we’ve seen in other BLE-only wireless devices we’ve tested,” they said.
Two possible defenses are suggested in the article: adding an additional random time varying frequency offset to the crystal oscillator, which BLE can apparently handle, to make signal measurements less predictable; and running a background process that constantly changes the calculation as the MAC address is randomized, which would speed up battery drain.
Disabling devices should limit tracking, but efforts to disable tracking may not work as expected.
“As far as we know, turning off a staff completely will prevent them from tagging,” Givehchian and Bhaskar said. However, we have found that simply disabling Bluetooth on some phones will not stop beacons. For example, on some Apple devices, disabling Bluetooth in Control Center (the menu accessed by swiping down from the top of the screen) may not prevent it from markup. “
Ultimately, the researchers conclude that tracking people through BLE can be done and that some people are more vulnerable than others, depending on the conditions and the banality or uniqueness of the targeted device.
“Based on our results, we believe this attack is feasible and practical, so device vendors should consider mitigation measures,” Givehchian and Bhaskar said. “Many devices in use today have unique fingerprints and the hardware for the attack costs less than $ 200.
“However, we also observed that the attack is not guaranteed to be successful in all situations, the target [device] may be misidentified in a large crowd, and its fingerprint will change as the device heats up or cools down. “®