Bluetooth is everywhere these days—from your Android Wear smartwatch and fitness tracker, to the iPhone in your pocket. Thanks to the Bluetooth Low Energy (BLE) profile, they can connect to each other easily without draining your battery power.
All those wireless connections, however, could make irresistible targets for hackers and snoops, who—say researchers at Context Information Security—could use the same signals to track your location remotely.
In other words, the same technologies we use to count our steps can also give away our locations to outside parties.
How Bluetooth Location Tracking Can Bite Back
Bluetooth Low Energy devices announce their presence, sending out signals so that other gadgets can pair with them. This form of broadcasting or “advertising” allows for the primary line of communication between your smartwatch or step counter and smartphone, or iBeacons used in stores, so they can send promotions to your iPhone, based on where you are in a store.
The team cobbled together various “sniffers” to pick up transmissions. In one case, it used cheap hardware, Nordic Semiconductors’ NRF51 chip, as an add-on dongle for a laptop; in another, it created a mobile app to scan for devices from Android smartphones. In one session, the group detected 149 devices—including 26 FitBits, 2 Jawbones, some Nike products, an Estimote iBeacon, an Alcatel Pop C5, and several iPhones.
The researchers ratcheted up the range using a high-gain antenna, going from an open-air range of about 100 meters to as far as roughly 800 meters (about half a mile).
What they’re actually latching onto are the devices’ MAC (media access control) addresses, which uniquely identify the gadgets on Internet or wireless networks. They’re often fixed, and even devices that change MAC addresses are sometimes easy to identify. As a blog post by Context Information Security researcher Scott Lester explains, “…they have a counter that increments the last few bytes of the address, and often send out constant identifying information.”
If there’s good news here, it may be that the nature of sniffing out devices or the need to tie a MAC address to a given gadget seems to rule out accidental discovery. It’s not likely that even malevolent hackers could stumble across your FitBit, know that it’s yours and then proceed to track your movements.
However, the relative simplicity of the researchers’ process means that any targeted user could be fairly easy to surveil. From Lester’s post:
“If I have an easy way to scan for these devices, and can attribute a device to a particular person such as a celebrity, your CEO or the police officer leading an investigation against your company, then I can easily tell when they’re nearby. Many of the available fitness trackers are waterproof and measure sleep, so there’s no need to ever take them off. Some stories are already starting to appear about organisations with concerns about wearable devices, for example the Chinese military.”
Beating The Blues
Lester told Infosecurity that while BLE devices broadcast their presence constantly to be detected by paired smartphones, “vendors could do more to anonymise devices, for example by not allowing the user to name the device, or by implementing some of the measures in the latest version of the protocol to obscure the device address.”
Bluetooth does offer a Bluetooth Smart LE Privacy feature, which replaces MAC addresses within such “advertising” packets (which broadcast the presence of a Bluetooth device) with random values at preset intervals.
According to Martin Woolley, a member of the Bluetooth Special Interest Group’s Developer Programs and Evangelism team, “any malicious device(s), placed at intervals along your travel route, would not be able to determine that the series of different, randomly generated MAC addresses received from your device actually relates to the same physical device.” In other words, nosy parties could try to track your iPhone, but they would pick up what looks like several different phones at various points.
That’s not quite what Context IS discovered. “Contrary to the intentions of the SIG, most of the devices we’ve seen have a random MAC address, in that it’s not possible to identify the vendor from the beginning of the address,” Lester wrote, “but it’s still fixed.”
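To make the address behaviour described above concrete, here is an added Python example (not code from the article, from Lester’s post or from Context IS’s app) that classifies advertising addresses by the Bluetooth Core spec’s address sub-types and then applies the linking rules Lester describes (a fixed address, a counter in the low bytes, a constant device name) to a constructed sniffer log, so a defender can check whether their own devices are followable across a session. The log format, device names and addresses are constructed for the example.

```python
# Constructed sample sniffer log (not from the article): seconds since start, TxAdd
# flag (0 = public, 1 = random address), advertising address, local name ("-" = none).
SAMPLE_LOG = """\
0 1 d4:7f:a2:11:22:33 Jules' Watch
60 1 d4:7f:a2:11:22:34 Jules' Watch
120 1 d4:7f:a2:11:22:35 Jules' Watch
0 1 5a:0c:91:88:01:02 -
900 1 7b:3e:42:ab:cd:ef -
1800 1 61:11:09:55:66:77 -
0 0 00:1a:7d:da:71:13 Estimote
300 0 00:1a:7d:da:71:13 Estimote
"""

def classify(tx_add, addr):
    """TxAdd says public vs random; the top two bits of a random address give its sub-type."""
    kinds = {3: "static", 1: "resolvable-private", 0: "non-resolvable-private"}
    return "public" if tx_add == 0 else "random/" + kinds.get(int(addr[:2], 16) >> 6, "reserved")

def parse_log(text):
    rows = [line.split(" ", 3) for line in text.splitlines()]
    return [{"t": int(t), "addr": a.lower(), "type": classify(int(x), a),
             "name": None if n == "-" else n} for t, x, a, n in rows]

def linkable(a, b):
    """Could a passive sniffer attribute two sightings to the same physical device?"""
    if a["addr"] == b["addr"]:                      # fixed address (public or static random)
        return True
    if a["name"] and a["name"] == b["name"]:        # constant identifying data in the adverts
        return True
    pa, pb = a["addr"].rsplit(":", 1), b["addr"].rsplit(":", 1)
    return pa[0] == pb[0] and abs(int(pa[1], 16) - int(pb[1], 16)) <= 8   # low-byte counter

def build_tracks(obs):
    """Greedy linking: each track is the list of sightings attributed to one device."""
    tracks = []
    for o in obs:
        for tr in tracks:
            if any(linkable(o, p) for p in tr):
                tr.append(o)
                break
        else:
            tracks.append([o])
    return tracks

def report(text):
    # A track with more than one linked sighting was followable across the session;
    # rotating private addresses with no constant name fall into separate one-off tracks.
    return [{"type": tr[0]["type"], "name": tr[0]["name"], "sightings": len(tr),
             "addresses": sorted({o["addr"] for o in tr}), "followable": len(tr) > 1}
            for tr in build_tracks(parse_log(text))]
```

Run against a real capture, the report shows which of your devices a sniffer could follow by address or name alone, and which ones genuinely rotate as the LE Privacy feature intends.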
Users concerned about privacy may shut down unnecessary Bluetooth connections, and update their software regularly, to make sure they have the latest security fixes as they become available. They may also want to think twice before naming their devices “Jules’ Watch” or “Janet’s Galaxy.”
The researchers have made their test app available on the Google Play Store, so if you’re interested, you can download it and check out this “proof of concept.” (The group attests that it works on their phones, a Nexus 4 and a Sony Xperia Z3.) The app requires the new BLE libraries from Android 5.0.
Fortunately, Context IS’s methodology didn’t reveal vulnerabilities for other forms of data, but it’s worth keeping an eye on. Given the prevalence of BLE devices in wearable gadgets—not to mention home, car, mobile, iBeacon and health devices—it’s clear that much of the rising innovation hinges on Bluetooth. In some ways, it’s like the glue holding together various areas of technology, so the stakes are too high not to keep track of it.