Reverse-engineering Apple’s Bluetooth LE Continuity Protocol
Abstract
Bluetooth LE supports a so-called advertising mode, in which devices broadcast information to nearby devices for various purposes. The protocol specification allows manufacturer-specific protocols to piggy-back on top of it, enabling use cases ranging from coronavirus exposure notification to location-aware store discount coupons. Apple uses this feature extensively with their closed-source “Continuity” protocol, which enables seamless handoff of application state between a user’s iPhone and their (Apple) computer, ad-hoc file sharing via AirDrop, and more. In this talk I’ll be summarizing three papers which reverse-engineer the protocol and highlight the privacy implications of building it on a broadcast-based plaintext transport such as Bluetooth LE advertising.
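As an added example (not code from the talk or the cited papers), the following Python parser shows how manufacturer-specific data rides inside a plaintext advertising payload, which is why any passive listener in range can read it. The type/length/value split of Apple's data is an assumption based on the publicly documented iBeacon layout, and the sample payload is constructed.

```python
import struct

AD_TYPE_MANUFACTURER = 0xFF  # "Manufacturer Specific Data" AD type
APPLE_COMPANY_ID = 0x004C    # Apple's Bluetooth SIG company identifier

def parse_ad_structures(payload: bytes):
    """Split a raw advertising payload into (ad_type, data) pairs."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]          # counts the type byte plus the data
        if length == 0:              # zero length ends the significant part
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError("truncated AD structure")
        out.append((payload[i + 1], payload[i + 2:end]))
        i = end
    return out

def manufacturer_data(payload: bytes):
    """Return {company_id: data} for each manufacturer-specific structure."""
    result = {}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER and len(data) >= 2:
            (company,) = struct.unpack_from("<H", data)  # little-endian ID
            result[company] = data[2:]
    return result

def apple_messages(payload: bytes):
    """Split Apple's data into (type, value) pairs (assumed TLV layout)."""
    body = manufacturer_data(payload).get(APPLE_COMPANY_ID, b"")
    msgs, i = [], 0
    while i + 2 <= len(body):
        mtype, mlen = body[i], body[i + 1]
        msgs.append((mtype, body[i + 2:i + 2 + mlen]))
        i += 2 + mlen
    return msgs

# Constructed sample: a Flags structure followed by an iBeacon-style frame
# (type 0x02, length 0x15) with a made-up UUID, major, minor and TX power.
SAMPLE = (bytes.fromhex("020106" "1aff4c000215")
          + bytes(range(16)) + bytes.fromhex("00010002c5"))

if __name__ == "__main__":
    for mtype, value in apple_messages(SAMPLE):
        print(f"Apple message type 0x{mtype:02x}: {value.hex()}")
```

Nothing in the payload is encrypted or authenticated at this layer, so the same parsing works for any receiver that captures the broadcast.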
References
- Becker, J. K., Li, D., & Starobinski, D. (2019). Tracking Anonymized Bluetooth Devices. Proceedings on Privacy Enhancing Technologies, 2019(3), 50–65. https://doi.org/10.2478/popets-2019-0036
- Martin, J., Alpuche, D., Bodeman, K., Brown, L., Fenske, E., Foppe, L., … Teplov, S. (2019). Handoff All Your Privacy – A Review of Apple’s Bluetooth Low Energy Continuity Protocol. Proceedings on Privacy Enhancing Technologies, 2019(4), 34–53. https://doi.org/10.2478/popets-2019-0057
- Celosia, G., & Cunche, M. (2020). Discontinued Privacy: Personal Data Leaks in Apple Bluetooth-Low-Energy Continuity Protocols. Proceedings on Privacy Enhancing Technologies, 2020(1), 26–46. https://doi.org/10.2478/popets-2020-0003