Study uncovers new threat to security and privacy of Bluetooth devices – The Ohio State University News
Mobile devices that use Bluetooth are vulnerable to a glitch that could allow attackers to track a user’s location, a new study has found.
The research revolves around Bluetooth Low Energy (BLE), a type of Bluetooth that uses less energy than Bluetooth Classic (an earlier generation of Bluetooth). On smartwatches and smartphones, billions of people rely on this type of wireless communication for all types of activities, ranging from entertainment and sports to retail and health care.
Yet due to a design flaw in Bluetooth’s protocol, users’ privacy could be at risk, said Yue Zhang, lead author of the study and a postdoctoral researcher in computer science and engineering at The Ohio State University. Zhang recently presented the findings at the ACM Conference on Computer and Communications Security (ACM CCS 2022). The study also received a “best paper” honorable mention at the conference.
Zhang and his adviser, Zhiqiang Lin, professor of computer science and engineering at Ohio State, proved the threat by testing over 50 market-available Bluetooth devices as well as four BLE development boards. They reported the flaw to major stakeholders in the Bluetooth industry, including the Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards; hardware vendors such as Texas Instruments and Nordic; and operating system providers such as Google, Apple and Microsoft. Google rated their findings as a high-severity design flaw and gave the researchers a bug bounty award.
But the good news is that Zhang and Lin also developed a potential solution to the problem that they successfully tested.
Bluetooth devices have what are called MAC addresses – a string of random numbers that uniquely identify them on a network. About once every 20 milliseconds an idle BLE device sends out a signal advertising its MAC address to other nearby devices that it could connect with.
The study identifies a flaw that could allow attackers to observe how these devices interact with the network, and then either passively or actively collect and analyze the data to break a user’s privacy.
“This is a new finding that nobody has ever noticed before,” said Zhang. “We show that by broadcasting a MAC address to the device’s location, an attacker may not physically be able to see you, but they would know that you’re in the area.”
One of the reasons researchers are concerned about such a scenario is that a captured MAC address could be deployed in what is called a replay attack, which may allow the attacker to monitor the user’s behaviors, track where the user has been in the past or even figure out the real-time location of the user.
“Bluetooth SIG was certainly made aware of the MAC address tracking threat, and to protect devices from being tracked by bad actors, a solution called MAC address randomization has been used since 2010,” said Lin.
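The MAC address randomization Lin refers to works by having a device advertise a resolvable private address (RPA) that it rotates on a timer: 24 random bits plus a 24-bit hash of those bits under a secret Identity Resolving Key (IRK) shared only with bonded peers. The following Go model, added here as an illustration and not code from the article or the researchers, shows why a passive observer of the advertisements described above cannot link two rotations while a bonded peer still can. It uses only the Go standard library; the IRK and prand values are fixed sample data.

```go
package main

import "crypto/aes"
import "crypto/rand"
import "fmt"

// ah is the BLE random-address hash (Core Spec Vol 3, Part H, 2.2.2):
// AES-128 of (104 zero bits || prand) under the IRK, keeping the low 24 bits.
func ah(irk [16]byte, prand [3]byte) (h [3]byte) {
	block, _ := aes.NewCipher(irk[:]) // 16-byte key: NewCipher cannot fail
	var in, out [16]byte
	copy(in[13:], prand[:]) // prand occupies the least significant 24 bits
	block.Encrypt(out[:], in[:])
	copy(h[:], out[13:])
	return h
}

// MakeRPA builds a resolvable private address (MSB first, as printed): the top
// two bits of prand are forced to 01 (the "resolvable" tag), low 24 bits = ah(IRK, prand).
func MakeRPA(irk [16]byte, prand [3]byte) (addr [6]byte) {
	prand[0] = (prand[0] & 0x3f) | 0x40
	h := ah(irk, prand)
	copy(addr[0:3], prand[:])
	copy(addr[3:6], h[:])
	return addr
}

// RandomRPA draws a fresh prand, as a device does each time it rotates its address.
func RandomRPA(irk [16]byte) [6]byte {
	var prand [3]byte
	rand.Read(prand[:]) // crypto/rand: any failure here is fatal in modern Go
	return MakeRPA(irk, prand)
}

// IsResolvable reports whether a random address carries the 01 tag.
func IsResolvable(addr [6]byte) bool { return addr[0]&0xc0 == 0x40 }

// Resolve is the bonded peer's check: recompute the hash from the visible prand.
// Without the IRK the halves look unrelated, so a passive observer cannot link rotations.
func Resolve(irk [16]byte, addr [6]byte) bool {
	var prand, h [3]byte
	copy(prand[:], addr[0:3])
	copy(h[:], addr[3:6])
	return IsResolvable(addr) && ah(irk, prand) == h
}

func main() {
	irk := [16]byte{0xec, 0x02, 0x34, 0xa3, 0x57, 0xc8, 0xad, 0x05, 0x34, 0x10, 0x10, 0xa6, 0x0a, 0x39, 0x7d, 0x9b} // sample IRK
	a, b := RandomRPA(irk), RandomRPA(irk)
	fmt.Printf("rotation 1 %x, rotation 2 %x, equal: %v, bonded peer resolves both: %v, stranger: %v\n", a, b, a == b, Resolve(irk, a) && Resolve(irk, b), Resolve([16]byte{1}, a))
}
```

A device whose advertised address never changes (or that, as the study goes on to describe, can be recognized by other means) loses this protection, which is what makes a stable identifier trackable.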
Later in 2014, Bluetooth introduced a new feature called the “allowlist” which only allows approved devices to be connected, and prevents private devices …….