Bluetooth watch

The Breakthroughs

Research Breakthrough: Boston University engineers have discovered a vulnerability in several high-profile Bluetooth devices—including the popular workout-tracking Fitbit watch—that could allow third parties to obtain sensitive information from the devices, such as your exact location.

Public Relations Breakthrough: The research garnered over 50+ pieces of coverage globally in publications such as the The Next Web, The Register, SC Magazine, Engadget, ZDNet, Threatpost, and more. The Brink story received 9,423 total pageviews. On social media, the story had over 15,114 engagements and reached over 115,083 people via Twitter, LinkedIn, and Facebook.

The Players

Research Team: College of Engineering professor David Starobinski and graduate student Johannes Becker released a paper in March 2019 entitled Tracking Anonymized Bluetooth Devices which was accepted to the 19th Privacy Enhancing Technologies Symposium (PETS 2019). The research outlined a vulnerability in several high-profile Bluetooth devices that could allow third parties to obtain sensitive information, such as a person’s whereabouts and activities.

PR & Editorial Team: Six months in advance, David Starobinski alerted the Public Relations | Social Media team that he and Johannes Becker would be presenting their research at the PETS Symposium. Starobinski shared the whitepaper (which was already published online at the time) with MarCom’s PR | Social team and The Brink, BU’s online research magazine. The PR | Social team met with Starobinski and Becker for an in-take meeting to better understand the research and findings, which allowed them to strategize an effective promotion plan and timeframe. The PR | Social team distilled the main messages, identified key audiences and publications to target, and worked with The Brink editor to establish an embargo for the research article – which prohibits the release of information before a certain date – to support the broader promotion effort.

The Outreach

  • Media outreach to two primary audiences: cybersecurity trade journalists and technology reporters at mainstream news outlets. The PR | Social team used differentiated and tailored messaging with each audience group which helped secure feature coverage in priority and reputable publications. The heightened visibility of the researchers’ work led additional outlets to cover the news and created significant buzz ahead of the conference presentation. Select news coverage was also posted by readers to popular forums such as HackerNews and shared organically across social media.
  • Outreach to influential republishers including Association of American Universities (AAU), which highlights research breakthroughs of its member universities, and Futurity, which features research from top universities across in the US, UK, Canada, Europe, Asia, and Australia. The AAU republished The Brink’s research article and promoted on social to their 14,000+ followers. Futurity republished an original Q&A with Becker and Starobinski developed by the PR | Social team, and promoted on social for their 20,000+ followers.
  • Social media outreach, including sharing the research over BU’s thought-leadership Twitter and Facebook channels, re-sharing media hits, academic partners’ content, and influencers’ posts highlighting the research, and targeting audiences through paid social campaigns.

The Takeaways

  1. Find a compelling hook: The research was available on arXiv months before the researchers would present their findings at the PETS symposium. The PR | Social team, in coordination with The Brink, decided to create an embargo and time all promotional activity and content to the conference. Aligning promotional activity with an event made the research seem both timely and fresh, despite the fact that it had been previously available online.
  2. Know your audience: The research paper had the potential to appeal to multiple yet distinct audience groups, including mainstream consumers concerned about their personal data privacy as well as cyber security practitioners and technologists. The PR team worked closely with the researchers to identify and understand these audience groups and then developed tailored messaging and a customized outreach strategy. Understanding the key audiences in advance helped the PR | Social team execute a multi-pronged approach that resonated with a variety of priority audiences.
  3. Tap into current conversations: To reinforce the importance of the research, the PR team made sure to link the findings and takeaways to current news items and broadly impacting conversations around cybersecurity, data breaches, and data privacy. This helped underscore why the research is relevant and impactful to a wide demographic, and also incentivized journalists to pay attention to and write about the findings.
  4. Maximize media exposure: The team was able to capitalize on the initial embargo and event-driven media exposure by further amplifying the coverage across social media, and making sure the researchers were available throughout the week of the conference for additional media interviews. The PR | Social team also developed a written Q&A with the researchers to provide more context on Bluetooth technology and how it works, and to highlight some of the more technical aspects of the research. The team published this piece to their BU Experts Medium channel, which was republished by Boston University’s academic partners including Futurity, and promoted over social media – effectively continuing traction for the research and implications.
  5. Expand your real-world impact: The media splash at the conference helped build buzz and interest with security vendors and other conference participants. The research has already received several citations in the literature, including in the context of COVID-19 tracking apps, and the documentation for the Apple-Google COVID exposure notification app references the issue raised in the paper.

Responsible Disclosure: Vulnerability to the address-carryover algorithm discovered in Microsoft and Apple software were disclosed with the companies in November 2018. Additional findings regarding the Microsoft Surface Pen and iOS activity side channel were subsequently disclosed to the respective companies in following correspondence. The Fitbit vulnerability was already known, however the research paper confirmed that the issue still remained at the time the paper was submitted. Specifically, the paper showed that even factory reset of Fitbit smartwatches did not help in resolving the issue.