Bluetooth Protocol Flaw Leaks Data And Expose Devices To Trackers

The Bluetooth technology has become something crucial in the modern days of tech. And that is not because it has one severe flaw, as researchers discovered.

Researchers from Boston University (BU) found a vulnerability in the Bluetooth communication protocol - the Bluetooth Low Energy (BLE) - that allows attackers to passively track a device and leak identifiable data.

BLE was designed to provide reduced power consumption while maintaining a similar communication range. First integrated to the Bluetooth Core Specification in 2010, most manufacturers began incorporating BLE in their devices in 2012.

BLE once used public non-encrypted advertising channels to announce their presence to nearby devices. This protocol had privacy concerns because it broadcast permanent Bluetooth MAC (Media Access Control.

This was solved when BLE started letting device manufacturers use a periodically changing and randomize address instead.

However, this created another problem.

According to the research paper titled Tracking Anonymized Bluetooth Devices, Johannes K. Becker and David Starobinski detailed how the BLE vulnerability allows an attacker to extract identifying tokens, which include information like the device type or other identifiable data from a manufacturer.

Successfully exploiting this BLE's randomization mechanism would allow hackers to track a device.

The researchers also said that the “identifying tokens” present in Bluetooth's advertising messages are also unique to each device. And because the moment they remain static is long enough, they can also be used as secondary identifiers besides the MAC address.

"By observing typical advertising behaviors [...], we identified that parts of these data structures allow an adversary to abuse them as a temporary, secondary pseudo-identity. These identifying tokens can be integrated into an algorithm which allows device tracking beyond address randomization," the researchers said.

Bluetooth has an address-carryover algorithm. Exploiting the asynchronous address and payload change, by using the unchanged identifying tokens in the payload, hackers can trace a new incoming random address back to a known device.

This way, the goal of anonymity in broadcasting channels intended by the frequent address randomization feature is neutralized by the address-carryover algorithm.

The researchers' proposed workaround to break tracking via the address-carryover algorithm on Windows 10 and iOS/macOS devices
The researchers' proposed workaround to break tracking via the address-carryover algorithm on Windows 10 and iOS/macOS devices

It's the identifiable token that can be linked with the current address to the next random address that makes it easy for hackers to track a target.

As hackers listen to incoming addresses and tokens broadcast on the BLE advertising channels. After the tokens are extracted by either looking at the payload information or isolating a byte sequence that meets a predetermined list of requirements, the hackers can observe the algorithm constantly checking the incoming advertising address with the existing advertising address.

If they don’t match, the algorithm will attempt a match using any of the available captured identifying tokens as a “pseudo-identity”, and that before the algorithm terminates

And when matched, the identifying tokens are compared and updated with the incoming address, thus allowing the device to be tracked across addresses.

The researchers said that the vulnerability impacts Bluetooth devices running on Windows 10, iOS, and macOS, as well as Fitbit and Apple Watch smartwatches.

It doesn't effect Android devices because the operating system never sends out manufacturer specific data or other potentially device-identifying data in those advertising messages.

To protect devices from this address-carryover attacks, the researchers suggest that device implementations should synchronize payload changes with MAC address randomizations.

With Bluetooth device adoption growing at a massive scale, they caution that “establishing tracking-resistant methods, especially on unencrypted communication channels, is of paramount importance.”