Over the past few years, mobile devices have become increasingly chatty over the Bluetooth Low Energy (BLE) protocol, and this turns out to be a somewhat significant privacy risk.
Seven boffins at University of California San Diego – Hadi Givehchian, Nishant Bhaskar, Eliana Rodriguez Herrera, Héctor Rodrigo López Soto, Christian Dameff, Dinesh Bharadia, and Aaron Schulman – tested the BLE implementations on several popular phones, PCs, and gadgets, and found they can be tracked through their physical signaling characteristics albeit with intermittent success.
That means the devices may emit a unique fingerprint, meaning it’s possible to look out for those fingerprints in multiple locations to figure out where those devices have been and when. This could be used to track people; you’ll have to use your imagination to determine who would or could usefully exploit this. That said, at least two members of the team believe it’s worth product makers addressing this privacy weakness.
The academics describe their findings in a paper [PDF], “Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices,” which is scheduled to be presented at the IEEE Symposium on Security and Privacy in 2022.
BLE message transmissions have become more common in phones, laptops, watches, and the like thanks to operating system support for services like Apple’s Continuity protocol, for moving work across devices, and Find My, for locating lost devices. More recently, the US-based researchers explain, software for tracking COVID-19 has used mobile devices as BLE beacons, broadcasting signals in the service of public health.
Applications utilizing BLE commonly try to conceal identifying data by doing things like re-encrypting the MAC address of the transmitting device, they explain. But this sort of MAC address randomization can’t conceal baked-in hardware characteristics that may be usable to uniquely identify the transmitting machine.
The boffins looked at a handful of popular mobile devices – iPhone 10 (iOS), Thinkpad X1 Carbon (Windows), MacBook Pro 2016 (macOS), Apple Watch 4 (watchOS), Google Pixel 5 (Android), and Bose QuietComfort 35 wireless headphones – and found they could often successfully fingerprint the physical BLE chip layer.
In other words, they measured variations in the radio-frequency characteristics of BLE transmissions in a way that allowed them to distinguish BLE devices from one another, making identified devices theoretically trackable.
Radio-frequency fingerprinting has been a subject of academic research for years, on systems like RFID [PDF], Bluetooth [PDF], and WiFi [PDF].
The UC San Diego group claims that no one has previously evaluated how practical a fingerprinting attack on BLE might be in the real world and that no one has previously proposed a BLE fingerprinting tool that can measure the physical-layer imperfections exposed by such systems’ transmissions.
The BLE chipsets in the sample devices share a common architectural pattern: They include Wi-Fi circuitry, to reduce power consumption and to save space. As a result, both BLE and Wi-Fi in these devices rely on the same 2.4 GHz in-phase/quadrature (I/Q) receiver frontend.
“A consequence of this hardware design choice is that BLE transmissions contain the same hardware imperfections as Wi-Fi,” the academics explain in their paper.
“The imperfections are introduced by the shared I/Q frontend of the chipset. They result in two measurable metrics in BLE and WiFi transmissions: Carrier Frequency Offset (CFO) and I/Q imperfections, specifically: I/Q offset and I/Q imbalance.”
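To see why rotating the MAC address leaves these metrics untouched, here is a simulation added for illustration (it is not code from the paper or the researchers). It assumes a plain complex tone as a stand-in for a BLE burst, models only CFO and I/Q offset (not I/Q imbalance), and uses constructed addresses, sample rate, and tolerances.

```python
import cmath, math, random

FS = 4_000_000      # receiver sample rate in Hz (assumed)
TONE = 250_000      # nominal baseband tone in Hz (assumed stand-in for a BLE burst)

def synth_burst(cfo_hz, iq_offset, n=2000, noise=0.005, seed=0):
    """Constructed burst: tone shifted by the chip's CFO plus a constant I/Q offset."""
    rng = random.Random(seed)
    step = 2j * math.pi * (TONE + cfo_hz) / FS
    return [cmath.exp(step * k) + iq_offset
            + complex(rng.gauss(0, noise), rng.gauss(0, noise)) for k in range(n)]

def fingerprint(samples):
    """Return (CFO estimate in Hz, I/Q offset estimate) for one burst."""
    iq_offset = sum(samples) / len(samples)          # DC term = I/Q offset
    x = [s - iq_offset for s in samples]
    # Phase advance per sample, from the lag-1 autocorrelation, gives the frequency.
    acc = sum(b * a.conjugate() for a, b in zip(x, x[1:]))
    cfo = cmath.phase(acc) * FS / (2 * math.pi) - TONE
    return cfo, iq_offset

def same_transmitter(fp_a, fp_b, cfo_tol=2000.0, offset_tol=0.01):
    """True when both metrics agree within tolerance (tolerances are assumptions)."""
    return abs(fp_a[0] - fp_b[0]) < cfo_tol and abs(fp_a[1] - fp_b[1]) < offset_tol

if __name__ == "__main__":
    # Constructed observations: (advertised address, true CFO, true I/Q offset)
    sightings = [
        ("5a:11:22:33:44:01", 12_000, 0.03 + 0.01j),    # device A
        ("7c:99:88:77:66:02", 12_000, 0.03 + 0.01j),    # device A after address rotation
        ("4e:ab:cd:ef:01:03", -8_000, -0.02 + 0.025j),  # device B
    ]
    fps = [(addr, fingerprint(synth_burst(cfo, off, seed=i)))
           for i, (addr, cfo, off) in enumerate(sightings)]
    for addr, (cfo, off) in fps:
        print(f"{addr}  cfo={cfo:8.0f} Hz  iq_offset={off:.3f}")
    print("rows 1 and 2 same transmitter:", same_transmitter(fps[0][1], fps[1][1]))
    print("rows 1 and 3 same transmitter:", same_transmitter(fps[0][1], fps[2][1]))
```

The address never enters the estimate, so a mitigation has to act on the radio front end or the transmitted signal rather than on the identifier.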
Given that prior research has shown these metrics can uniquely …….