Researchers from Boston University (BU) have discovered a flaw in the Bluetooth communication protocol that could expose most devices to third-party tracking and leak identifiable data.

According to the research paper — Tracking Anonymized Bluetooth Devices — detailed by Johannes K. Becker and David Starobinski, the vulnerability impacts Bluetooth devices running on Windows 10, iOS, and macOS, as well as Fitbit and Apple Watch smartwatches.

The details of the research were presented yesterday at the 19th Privacy Enhancing Technologies Symposium, Stockholm, Sweden.

The vulnerability allows an attacker to passively track a device by exploiting a flaw in the way Bluetooth Low Energy (BLE) is implemented to extract identifying tokens like the device type or other identifiable data from a manufacturer.

BLE is a fairly recent variant of Bluetooth which was officially integrated into the Core Specification in 2010. The technology is meant to provide considerably reduced power consumption while maintaining a similar communication range. Most manufacturers began incorporating BLE in their devices in 2012.

To make pairing between two devices easy, BLE uses public non-encrypted advertising channels to announce their presence to other nearby devices. The protocol originally attracted privacy concerns for broadcasting permanent Bluetooth MAC (short for Media Access Control) addresses of devices — a unique 48-bit identifier — on these channels.

However, BLE tried to solve the problem by letting device manufacturers use a periodically changing, randomized address instead of broadcasting the permanent MAC address.

The vulnerability discovered by BU researchers exploits this randomization mechanism to successfully track a device. The researchers said the “identifying tokens” present in advertising messages are also unique to a device and remain static for long enough to be used as secondary identifiers besides the MAC address.

The address-carryover algorithm exploits the asynchronous nature of address and payload change, and uses unchanged identifying tokens in the payload to trace a new incoming random address back to a known device. In doing so, the address-carryover algorithm neutralizes the goal of anonymity in broadcasting channels intended by frequent address randomization.

The “address-carryover” mechanism outlined by Becker and Starobinski leverages the identifiable token that can linked with the current address to the next random address assigned by the device, thus making it easy for an attacker to track the device in question.

It also doesn’t require message decryption or breaking Bluetooth security, as it’s based entirely on public, unencrypted advertising traffic, the researchers noted.

The algorithm works by listening to incoming addresses and tokens as they are broadcast on the BLE advertising channels. After the tokens are extracted by either looking at the payload information or isolating a byte sequence that meets a predetermined list of requirements, the algorithm constantly checks the incoming advertising address with the existing advertising address.

If the addresses match — essentially confirming it’s the same device — the identifying tokens are compared and updated. If they don’t, a match is attempted using any of the available captured identifying tokens as a “pseudo-identity.”

In case of a successful match, the identity of the device is updated with the incoming address, thus allowing the device to be tracked across addresses. If there’s no match, the algorithm terminates.

In their experimental tests, the researchers found that this technique works on Windows, iOS, and macOS systems. Interestingly, Android devices are completely immune from the vulnerability as the operating system never sends out manufacturer specific data or other potentially device-identifying data in those advertising messages.

To protect devices from address-carryover attacks, the researchers suggest device implementations should synchronize payload changes with MAC address randomizations.

With Bluetooth device adoption growing at a massive scale, they caution that “establishing tracking-resistant methods, especially on unencrypted communication channels, is of paramount importance.”

Read next: Instagram is hiding likes in 6 more countries so you can post like no one’s watching