Bluetooth LE’s anti-tracking technology beaten
Researchers have found a way around the Media Access Control (MAC) address randomisation feature used by Bluetooth Low Energy (BLE) to protect users and their devices from being identified and tracked.
For anyone unfamiliar with the ins and outs of BLE security (see below), the first and most surprising issue confirmed by the paper Tracking Anonymized Bluetooth Devices, from Boston University’s Johannes Becker, David Li and David Starobinski, is that device makers have a lot of leeway in how they implement BLE security, or whether they need to bother at all.
But the team has now confirmed that even software where BLE device privacy is implemented carefully – Windows 10, macOS and Apple’s iOS being the stand-out examples – is a lot less secure than everyone has assumed.
Rabbit hole
The under-appreciated fact about Bluetooth is that behind its friendly ‘turn on, connect, forget’ reputation, the technology has gradually become one of security’s rabbit holes.
That’s mainly because it’s a 20-year-old standard that has evolved in a series of jumps, the most significant of which was the arrival of Bluetooth Low Energy (BLE, formerly Bluetooth Smart) in 2011.
Part of Bluetooth 4.0 (and its successor Bluetooth 5), the headline advance of BLE was its improved power consumption as well as its introduction of a sophisticated security and privacy architecture.
However, an unavoidable weak point was the need for a Bluetooth device to publicly ‘advertise’ itself, unencrypted, to the devices around it without leaking details of that device to snoopers – BLE’s answer to which was something called address randomisation.
The principle is simple enough: instead of sending its single, unique hardware MAC address during the unencrypted advertising process, the device sends periodically changing, randomly generated addresses, so that to an observer one device looks like many different ones and its anonymity is preserved.
So how does a nearby device know what to pair with? In addition to the stream of randomised MAC addresses, BLE sends a ‘payload’ of identifying tokens.
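To make the randomisation mechanism concrete, here is an added example (not code from the article or from the Boston University paper) of how the Bluetooth Core Specification builds and resolves a resolvable private address: a 24-bit random value prand, whose top two bits are set to 01, is paired with a 24-bit hash computed as AES-128 of prand under a shared Identity Resolving Key (IRK). A bonded peer that holds the IRK recomputes the hash and recognises the device; anyone without the IRK sees only an address that changes at every rotation. The IRK value below is a constructed sample, and the big-endian integer layout of the AES input mirrors the specification's definition of ah(k, r) rather than the little-endian over-the-air byte order.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// ah implements the specification's random address hash function
// ah(k, r) = e(k, padding || r) mod 2^24, where r is the 24-bit prand.
func ah(irk [16]byte, prand [3]byte) ([3]byte, error) {
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		return [3]byte{}, err
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // r' = 104 zero bits || prand (big-endian integer layout)
	block.Encrypt(out[:], in[:])
	var hash [3]byte
	copy(hash[:], out[13:]) // keep the 24 least significant bits of the AES output
	return hash, nil
}

// rpaFromPrand assembles a 48-bit address as prand || ah(IRK, prand).
func rpaFromPrand(irk [16]byte, prand [3]byte) ([6]byte, error) {
	hash, err := ah(irk, prand)
	if err != nil {
		return [6]byte{}, err
	}
	var addr [6]byte
	copy(addr[0:3], prand[:])
	copy(addr[3:6], hash[:])
	return addr, nil
}

// NewResolvablePrivateAddress draws a fresh prand and builds the address a
// device would advertise under; calling it again models an address rotation.
func NewResolvablePrivateAddress(irk [16]byte) ([6]byte, error) {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		return [6]byte{}, err
	}
	prand[0] = (prand[0] & 0x3f) | 0x40 // top two bits 01 mark a resolvable private address
	return rpaFromPrand(irk, prand)
}

// ResolveAddress reports whether addr was generated under irk: it recomputes the
// hash from the prand half and compares it. Without the IRK, nothing in the
// address itself ties one rotation to the next.
func ResolveAddress(irk [16]byte, addr [6]byte) bool {
	if addr[0]>>6 != 0x01 {
		return false // not a resolvable private address at all
	}
	var prand [3]byte
	copy(prand[:], addr[0:3])
	hash, err := ah(irk, prand)
	if err != nil {
		return false
	}
	return hash == [3]byte{addr[3], addr[4], addr[5]}
}

func main() {
	// Constructed sample IRK; a real IRK is exchanged during bonding.
	irk := [16]byte{0xaa, 0xbb, 0xcc, 0xdd, 0x01, 0x02, 0x03, 0x04,
		0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c}
	var stranger [16]byte // an observer holding no IRK for this device
	for i := 0; i < 3; i++ {
		addr, err := NewResolvablePrivateAddress(irk)
		if err != nil {
			panic(err)
		}
		fmt.Printf("rotation %d: %s  bonded peer resolves: %v  stranger resolves: %v\n",
			i, hex.EncodeToString(addr[:]), ResolveAddress(irk, addr), ResolveAddress(stranger, addr))
	}
}
```

Each run prints three different addresses that the bonded peer resolves and the stranger does not; the rotation schedule and the contents of the advertising payload sent alongside the address are separate matters that the address hash does nothing to protect.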