CLEVER FOLKS from Boston University have found a vulnerability in the Bluetooth protocol that exposes users of Bluetooth devices to data leaks and tracking.
The researchers found that despite built-in protections in iOS, macOS and Windows, the vulnerability could be exploited to allow malicious types and third-party firms to track users and extract sensitive information, potentially leading to stalking and abuse of data. Android users can breath easy as the vulnerability doesn't affect Google's mobile OS.
The crux of the vulnerability stems from how Bluetooth-enabled devices communicate with each other. When pairing devices, one will act as a central device and the other will be a peripheral gadget, with the latter providing a MAC address which the central device can use to identify and connect to the peripheral.
Operating systems randomise and change these MAC addresses to protect a user's privacy and prevent long-term tracking.
But the Boston University researchers found that in iOS, macOS and Windows 10, there are custom data structures in the messages Bluetooth-enables devices send out when advertising their presence. The custom bits are used to enable certain platform-specific interactions with other devices within Bluetooth comms range.
The researchers cooked up what they called an "address carry-over algorithm" that could track these custom identifiers and effectively circumvent the MAC address randomisation.
"The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic," the researchers said in their Tracking Anonymized Bluetooth Devices paper.
"Any device which regularly advertises data containing suitable advertising tokens will be vulnerable to the carry-over algorithm if it does not change all of its identifying tokens in sync with the advertising address."
They also noted then when combined with other vulnerabilities such as compromised WiFi routers, the tracking technique could be used to build up a location profile of a user of a compromised Bluetooth device, which would be an obviously a creepy breach of privacy.
The vulnerability is particularly bad in Fitbit devices, according to the researchers, who noted that the Bluetooth-enabled fitness trackers and smartwatches don't randomise or automatically update their MAC addresses, which would make them easier to compromise.
There are other ways for people to digitally track others, so the vulnerability is arguably not something to be immediately concerned about, and both Microsoft and Apple have been alerted to it.
Furthermore, those of a paranoid persuasion can simply turn their Bluetooth off and on again to break the carry-over algorithm, but in Windows 10 it needs to be done in the Device Manager as turning it off in the regular settings panel won't reset the advertising address.
Nevertheless, the vulnerability will need to be plugged by Apple and Microsoft, and there's no word on whether that's been done yet. µ
Now you can watch documentaries about horribly disfigured people whenever you like
Brad to the bone
Being in a minority of one doesn't make you right
WeWork needs a rework