How mobile devices can be tracked via Bluetooth analysis • The Register

Over the last few years, mobile devices have become increasingly talkative over the Bluetooth Low Energy (BLE) protocol, and this is proving to be a significant privacy risk.

Seven boffins at the University of California, San Diego – Hadi Givehchian, Nishant Bhaskar, Eliana Rodriguez Herrera, Hector Rodrigo Lopez Soto, Christian Dameff, Dinesh Bharadia and Aaron Schulman – tested BLE transmissions from several popular phones, computers and other devices, and found they could be traced through their physical-layer signalling characteristics, albeit with intermittent success.

In other words, these devices emit a unique fingerprint, so it is possible to look for that fingerprint in multiple places to work out where a device has been and when. That can be used to track people; who would or could make use of this is left to the reader's imagination. At least two members of the team, however, believe it is worth product manufacturers' while to address this lack of privacy.

The academics describe their findings in a paper [PDF], "Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices," scheduled to be presented at the IEEE Symposium on Security and Privacy in 2022.

BLE messaging has become more common in phones, laptops, watches and the like thanks to operating-system support for services such as Apple's Continuity protocol, for moving work between devices, and Find My, for locating lost devices. More recently, the US-based researchers explain, COVID-19 contact-tracing software has had mobile devices act as BLE beacons, emitting signals for public-health purposes.

Applications using BLE typically try to disguise identifying data by doing things like periodically re-randomizing the MAC address of the transmitting device, they explain. However, this kind of MAC address randomization cannot obscure the built-in hardware characteristics that can be used to uniquely identify the transmitting machine.

The boffins looked at several popular mobile devices – iPhone 10 (iOS), Thinkpad X1 Carbon (Windows), MacBook Pro 2016 (macOS), Apple Watch 4 (watchOS), Google Pixel 5 (Android) and Bose QuietComfort 35 wireless headphones – and found that they could often successfully fingerprint the physical layer of the BLE chip.

In other words, they measure variations in the radio-frequency characteristics of BLE transmissions in a way that lets them tell BLE devices apart, making the identified devices theoretically traceable.

Radio-frequency fingerprinting has been the subject of academic research for years on systems such as RFID [PDF], Bluetooth [PDF] and WiFi [PDF].

Fingerprints from the device

The UC San Diego team says that no one has previously assessed the practicality of a real-world BLE fingerprinting attack, and that no one has previously proposed a BLE fingerprinting tool that can measure the physical-layer imperfections exposed by such systems' transmissions.

The BLE chipsets in the sampled devices share a common architectural pattern: they are integrated with Wi-Fi circuitry to reduce power consumption and save space. As a result, both BLE and Wi-Fi in these devices rely on the same 2.4 GHz in-phase/quadrature (I/Q) interface in the radio.

"The consequence of this hardware design choice is that BLE broadcasts contain the same hardware imperfections as Wi-Fi," the researchers explain in their paper.

"Imperfections are introduced by the chip's shared I/Q interface. They lead to two measurable indicators in BLE and WiFi transmissions: carrier frequency offset (CFO) and I/Q imperfections, specifically I/Q offset and I/Q imbalance."

Given that prior research has shown these indicators can uniquely fingerprint WiFi devices, the boffins set out to show that the same can be done for the now-ubiquitous BLE signals.

They faced a number of challenges that made identification difficult. First, distinguishing devices that share the same chipset, such as Apple's iPhones, is harder than distinguishing devices with different chipsets. Second, changes in device temperature complicate matters, potentially requiring re-measurement so that an idle device can be matched to the same device while it is running an app.

And third, devices transmit at different power levels, which affects the range at which they can be detected; the iPhone apparently emits its COVID beacons at a higher power level than Android devices do.

Other potential problems, such as the difference between using an expensive software-defined radio to capture signals and a cheap hobbyist model, turned out to be something that could be compensated for by calibration.

Real world testing

The group collected two data sets of BLE beacons. The first came from capturing signals in six cafes, a university library and a food court, each for about an hour. They captured packets from 162 devices during this period and found that about 40 percent were uniquely identifiable.

The second data set came from placing a software-defined radio at the exit of a room where it was exposed to hundreds of devices daily. The researchers recorded the BLE beacons of Apple and Google's COVID-19 exposure notification scheme, transmitted by passing devices over 10-hour periods on two separate days one week apart.

They saw 647 unique MAC addresses during the 20 hours of data collection over the two days and were able to uniquely identify 47.1 percent of them; a further 15 percent had imperfections that overlapped with only one other device.

The boffins also ran an experiment in which they tracked 17 different targets as they moved about. The average false negative rate was 3.21 percent while the average false positive rate was 3.5 percent, meaning their system identified the right device most of the time.

In an email to The Register, UC San Diego PhD students Hadi Givehchian and Nishant Bhaskar, the paper's two lead authors, said they expect Apple's AirTag and Samsung's SmartTag Plus to be trackable using the same technique.

"The BLE chipsets in the location beacons will probably have the same manufacturing variations that we observed in the other BLE-only wireless devices we tested," they said.

Turn it off

The paper offers two possible defenses: adding a random, time-varying extra frequency shift to the crystal oscillator, which BLE can apparently tolerate, to make the signal measurements less predictable; and running a background process that constantly changes the chip's signal characteristics whenever the MAC address is randomized, which would drain the battery faster.
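As an added illustration, not code from the paper or from The Register, the following constructed Python simulation shows the mechanism described above and the first proposed defense: a chip's carrier frequency offset shifts the beacon's preamble tone by a fixed amount that survives MAC randomization, whereas adding a fresh random frequency shift per beacon makes successive CFO measurements disagree. The sample rate, CFO values, noise level, the ±20 kHz jitter range and the linking tolerance are assumptions; I/Q imbalance is not modelled.

```python
import cmath
import math
import random

FS = 4_000_000            # assumed capture sample rate, 4 MSa/s
PREAMBLE_TONE = 250_000   # a BLE 1M-PHY preamble (0101...) looks like a +250 kHz tone

def make_beacon(cfo_hz, iq_offset=0.0, n=1024, noise=0.002, rng=random):
    """Constructed baseband capture of one beacon preamble. The chip's carrier
    frequency offset shifts the preamble tone; a DC term models I/Q offset."""
    samples = []
    for k in range(n):
        phase = 2 * math.pi * (PREAMBLE_TONE + cfo_hz) * k / FS
        s = cmath.exp(1j * phase) + iq_offset
        samples.append(s + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return samples

def estimate_cfo(samples):
    """Strip the DC term (I/Q offset), then read the tone frequency from the mean
    phase step between consecutive samples and subtract the known preamble tone."""
    dc = sum(samples) / len(samples)
    x = [s - dc for s in samples]
    step = sum(x[k] * x[k - 1].conjugate() for k in range(1, len(x)))
    return cmath.phase(step) * FS / (2 * math.pi) - PREAMBLE_TONE

def linkable(cfo_estimates, tolerance_hz=1_000):
    """True when every beacon's CFO sits within tolerance of the first one, i.e.
    the beacons could be tied to one radio despite each using a fresh MAC."""
    return all(abs(c - cfo_estimates[0]) <= tolerance_hz for c in cfo_estimates)

def simulate(device_cfo_hz, randomize_offset, beacons=8, seed=1):
    """Emit several beacons from one hypothetical device. Each beacon gets a new
    random MAC, which the estimator never looks at. With randomize_offset the
    device adds a fresh random frequency shift per beacon (the paper's first
    proposed mitigation, with an assumed range), so the measured CFO moves."""
    rng = random.Random(seed)
    estimates = []
    for _ in range(beacons):
        _mac = rng.getrandbits(48)                  # randomized per beacon
        extra = rng.uniform(-20_000, 20_000) if randomize_offset else 0.0
        capture = make_beacon(device_cfo_hz + extra, iq_offset=0.02, rng=rng)
        estimates.append(estimate_cfo(capture))
    return estimates

if __name__ == "__main__":
    plain = simulate(12_300, randomize_offset=False)      # 12.3 kHz: assumed chip CFO
    mitigated = simulate(12_300, randomize_offset=True)
    print("no mitigation: linkable =", linkable(plain), [round(e) for e in plain])
    print("random offset: linkable =", linkable(mitigated), [round(e) for e in mitigated])
```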

Turning off devices should limit tracking, but efforts to disable tracking may not work as expected.

"As far as we know, powering off the [device] will completely stop it from beaconing," said Givehchian and Bhaskar. "However, we have found that simply disabling Bluetooth on some phones will not stop the beacons. For example, on some Apple devices, disabling Bluetooth in the Control Center (the menu reached by swiping down from the top of the screen) may not stop it from beaconing."

Ultimately, the researchers concluded that tracking people via BLE can be done, and that some people are more vulnerable than others, depending on conditions and on how frequently and how uniquely the target device transmits.

"Based on our results, we believe that this attack is feasible and practical, so device vendors should consider mitigating it," Givehchian and Bhaskar said. "Many devices in use today have unique fingerprints, and the hardware needed for the attack costs less than $200.

"We have also noticed that the attack is not guaranteed to succeed in all situations: the target [device] can be mistaken for another in a large crowd, and its fingerprint will change when the device heats up or cools down." ®