David Starobinski<\/a>\u00a0(SE, ECE) and a team of researchers have discovered a vulnerability in several high-profile Bluetooth devices\u2014including the popular workout-tracking Fitbit watch\u2014that could allow third parties to obtain sensitive information from the devices, such as your whereabouts and activities.<\/p>\n\u201cWe were looking into different IoT protocols in general and trying to find privacy issues with those products,\u201d says Johannes Becker, a BU graduate researcher on the team. \u201cBasically everybody is carrying around a Bluetooth device nowadays in some way, shape, or form, and that makes it very relevant.\u201d<\/p>\n
Starobinski says that the very same features that allow a device to \u201cauthenticate,\u201d or correctly identify, its user\u2014e.g., saved paired device information or a fingerprint passcode\u2014can be co-opted by a third party to track the person instead.<\/p>\n
\u201cWe were looking at different ways we could try to authenticate people,\u201d says Starobinski. \u201cOne of the ideas was that you carry all these devices and they have specific behavior features, [so] maybe we can use them. And it\u2019s interesting because there\u2019s kind of a trade-off. On the one hand, you can authenticate because you have these unique signatures of your devices. But on the other hand, you also have the issue that the same feature can be used by a third party to track you. So, it\u2019s a double-edged sword.\u201d<\/p>\n
Before a pair of Bluetooth devices can begin transmitting information, they must first establish which device will play a central role in the connection and which device will play a peripheral role. For example, if you were trying to connect a pair of Bluetooth headphones to your iPhone, the iPhone would play the role of the central device and the headphones would be the peripheral one, says Becker. Once the pair\u2019s hierarchy is established, the central device begins scanning for signals sent by the peripheral device that indicate it\u2019s available for connection. These signals contain a unique address\u2014similar to the IP address of a computer\u2014and a payload containing data about the connection.<\/p>\n
Most devices produce randomized addresses that automatically reconfigure periodically, instead of maintaining one permanent address, in an attempt to improve privacy. It\u2019s designed to throw nefarious observers off the scent of a given device\u2019s location, but Starobinski\u2019s team says that they discovered an oversight in this process that allows a device to be tracked even as its address changes.<\/p>\n
\u201cTo an onlooker [the payload data] could just be a number, no big deal,\u201d says Becker. \u201cBut we said, \u2018Let\u2019s take this random data\u2026and let\u2019s pretend it\u2019s a unique identifier [of the device].\u2019 And then what we found is that this [identifier] doesn\u2019t change in sync with the address.\u201d<\/p>\n
Since the payload information updates at a different rate than the address information, the communication blips between Bluetooth devices paint an identifiable pattern. Having discovered this vulnerability, the researchers decided to test out how well it could be used by a third party to track individual devices.<\/p>\n
They modified an already existing open-source \u201csniffer\u201d algorithm (aptly named for its ability to sniff out and track Bluetooth connections) and found, luckily for Android users, that those devices don\u2019t have the identifiable communication blip that would make them vulnerable to tracking. In contrast, Windows 10 and iOS may\u00a0have something to worry about, since many of those devices do have the communication blips that make them trackable.<\/p>\n
They also found that wearables\u2014like a Fitbit\u2014and smart pens do not exhibit any address change or randomization at all, making them extremely susceptible to tracking even without the use of a sniffer algorithm.<\/p>\n
\u201cWhat surprised me the most was discovering a vulnerability with the Fitbit activity trackers,\u201d says senior David Li (ENG), who contributed to the research. \u201cRestarting the device or draining its battery did not change its access address. This was completely unexpected. If the Fitbit\u2019s access address never changes, then an adversary could potentially track a Fitbit owner.\u201d<\/p>\n
While this security hole doesn\u2019t sacrifice personal user data, the researchers say a hacker could take advantage of it and create a network of computers\u2014known as a \u201cbotnet\u201d\u2014to track an individual device at larger distances, or combine tracking information with more personal data from Wi-Fi accessible IoT devices to build a more detailed picture of a user. The researchers also emphasize that no invasive hacking was necessary to access this leaking Bluetooth information. Because the address and payload information are transmitted as plain text (i.e., unencrypted), their algorithm could simply listen invisibly to the publicly transmitted information.<\/p>\n
That said, the authors point out that thwarting this particular security gap can be as simple as turning off and back on your device\u2019s Bluetooth connection, at least in the case of Windows 10 and iOS devices. For smart wearables like the Fitbit or accessory devices like smart pens, the researchers say there isn\u2019t much a user can do about the signals they\u2019re broadcasting.<\/p>\n
\u201cThere are tons of ways to track people, with or without Bluetooth,\u201d says Becker. \u201cIt\u2019s always good to be aware of the kind of signals you\u2019re sending out, especially in the age of IoT. I\u2019m much more skeptical toward these devices that don\u2019t give you control [of Bluetooth], such as smartwatches, where you can just assume they\u2019re broadcasting something all the time.<\/p>\n
\u201cBut no, I haven\u2019t fundamentally changed the way I use devices,\u201d he adds.<\/p>\n
Originally published on The Brink<\/em><\/a>, July 17, 2019.<\/p>\n","protected":false},"excerpt":{"rendered":"BU researchers found that a third-party algorithm can track the location of some Bluetooth devices In 2018, nearly 3.7 billion new Bluetooth-enabled devices shipped worldwide to consumers. From phones and speakers to thermostats and fridges, home appliances and personal devices including \u201cwearables\u201d are rapidly becoming more connected by Wi-Fi than ever before, creating what\u2019s called […]<\/p>\n","protected":false},"author":18623,"featured_media":30400,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[76],"tags":[],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/cise\/wp-json\/wp\/v2\/posts\/30399"}],"collection":[{"href":"https:\/\/www.bu.edu\/cise\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bu.edu\/cise\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/cise\/wp-json\/wp\/v2\/users\/18623"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/cise\/wp-json\/wp\/v2\/comments?post=30399"}],"version-history":[{"count":4,"href":"https:\/\/www.bu.edu\/cise\/wp-json\/wp\/v2\/posts\/30399\/revisions"}],"predecessor-version":[{"id":33555,"href":"https:\/\/www.bu.edu\/cise\/wp-json\/wp\/v2\/posts\/30399\/revisions\/33555"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/cise\/wp-json\/wp\/v2\/media\/30400"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/cise\/wp-json\/wp\/v2\/media?parent=30399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bu.edu\/cise\/wp-json\/wp\/v2\/categories?post=30399"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bu.edu\/cise\/wp-json\/wp\/v2\/tags?post=30399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"http:\/\/www.bu.edu\/systems\/files\/2021\/01\/Screen-Shot-2021-01-09-at-5.14.50-PM.png\")
<\/p>\n