Tracking Anonymized Bluetooth Devices

Speaker/Bio

Johannes Becker is a PhD student with Professor David Starobinski. His current research focus is on Software Defined Radios and Wireless Security in the Internet of Things.

Abstract

Numerous mobile and wearable devices support communication using the Bluetooth Low Energy (BLE) protocol. BLE devices frequently broadcast on public (non-encrypted) advertising channels to announce their presence to other devices. To prevent tracking on these public channels, devices may use a periodically changing, randomized address instead of their static (permanent) Media Access Control (MAC) address. Thus, many state-of-the-art devices, such as Windows 10 computers and macOS and iOS devices, implement address randomization for BLE advertising. In this work, we demonstrate that in several instances these address randomization schemes can be circumvented. Specifically, we show that a passive adversary can extract “identifying tokens” from advertising payloads and use them as secondary identifiers. We present an on-line algorithm that updates these identifying tokens in real time to successfully track popular types of devices over longer time periods than their address randomization cycles (sometimes indefinitely longer). We further identify an attack that captures the static MAC address of a device by passively observing interactions between the device and an accessory (i.e., a pen). This attack allows for permanent tracking of the device. Finally, we propose countermeasures against the presented algorithm and other privacy flaws in BLE advertising.

Ref

Johannes K. Becker, David Li, and David Starobinski, “Tracking Anonymized Bluetooth Devices,” Proceedings on Privacy Enhancing Technologies (PoPETs), Vol. 2019, No. 3. [[http://people.bu.edu/staro/Tracking_Anonymized_Bluetooth_Devices__PoPETS_Camera_Ready_.pdf][pdf]] (to be presented at PETS 2019 Symposium).
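
The linkability problem described in the abstract can be checked on a capture of one's own devices. The following audit is an added example, not code from the paper or its authors: it flags payload tokens that survive an address change and groups the addresses they tie together. The record layout, the sample values, and the choice to treat one payload field as the token are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, randomized advertising address, payload token as hex).
# Treating a single payload field as the "token" is an assumption of this sketch.
CAPTURE = [
    (0,    "5a:11:00:00:00:01", "a1b2"),
    (600,  "5a:11:00:00:00:01", "c3d4"),   # token rotates, address does not
    (900,  "6b:22:00:00:00:02", "c3d4"),   # address rotates, token carries over
    (1500, "6b:22:00:00:00:02", "e5f6"),
    (1800, "7c:33:00:00:00:03", "e5f6"),
    (0,    "4d:44:00:00:00:04", "0f0f"),   # second device: rotates both together
    (900,  "4e:55:00:00:00:05", "1e1e"),
]

def carried_tokens(capture):
    """Return {token: sorted addresses} for tokens seen under more than one address."""
    seen = defaultdict(set)
    for _, addr, token in capture:
        seen[token].add(addr)
    return {t: sorted(a) for t, a in seen.items() if len(a) > 1}

def linkable_groups(capture):
    """Group addresses that a shared token ties to the same device (union-find)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    for _, addr, _ in capture:
        find(addr)                          # register every address
    for addrs in carried_tokens(capture).values():
        for other in addrs[1:]:
            parent[find(other)] = find(addrs[0])
    groups = defaultdict(list)
    for addr in parent:
        groups[find(addr)].append(addr)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for group in linkable_groups(CAPTURE):
        verdict = "LINKABLE across rotations" if len(group) > 1 else "unlinkable"
        print(verdict, group)
```

In the constructed capture, the first device's three addresses collapse into one group because token and address never change at the same moment, while the second device, which changes both together, stays unlinkable.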