Tracking Anonymized Bluetooth Devices

Recently, researchers from Boston University published a paper called "Tracking Anonymized Bluetooth Devices". The paper detailed a flaw in the ubiquitous Bluetooth communication protocol that could expose device users to tracking and even leak their IDs. As explained in the paper, many Bluetooth devices announce their presence by using their MAC addresses as the basis to generate a random number in order to prevent long-term tracking.

The team discovered a flaw in the system and identified tokens that exist alongside MAC addresses. The researchers created what they're calling an address-carryover algorithm that is able to "exploit the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device. The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic."

At the center of this flaw is Bluetooth BLE

The problem is Bluetooth BLE (which stands for Low Energy Specification).  Introduced in 2010, it really came to the fore with the release of Bluetooth 5.  The research team discovered it when they began investigating BLE advertising channels and "advertising events" within standard Bluetooth proximities.

"Most computer and smartphone operating systems do implement address randomizations by default as a means to prevent long-term passive tracking, as permanent identifiers are not broadcasted.  However, we identified that devices running Windows 10, iOS or Mac OS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range."

Although this technique works on any Windows, iOS, and macOS system, Android devices are completely immune. That is because the Android OS doesn't continually send out advertising messages, and instead takes the approach of scanning for advertising messages being transmitted nearby.

Our perspective

If all of that makes your head spin, consider this:  The number of Bluetooth devices is projected to grow from 4.2 to 5.2 billion between 2019 and 2022. So this is a significant issue, deserving of attention. In the meantime, you could turn-off Bluetooth while outside your home (yeah, like that's going to happen).

Meanwhile, check out this report

This free executive report may give you insights into how to build your business with safe IT environments: 10 Hidden IT Risks That Might Threaten Your Business and 1 Easy Way to Find Them

The author

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available on LinkedIn, Facebook, and Twitter.

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT SupportI am Denis Wilson, President and Principal Consultant for DWP Information Architects. I help professionals grow their business by building a foundation of rock-solid information solutions for smaller healthcare, insurance, financial, legal, and nonprofits firms in Ventura County and San Fernando Valley. And have created cost-effective IT solutions, for over 20 years, specializing in cybersecurity and regulatory compliance. I am also a published author and speaker, working extensively with a variety of organizations, as well as providing small business technology education programs through business and professional associations. This just in: I will be speaking regularly at California Lutheran University's Center for Nonprofit Leadership starting in September.

Contact me if you would like me to speak at your association.