A flaw in the Bluetooth communication protocol may expose modern device users to tracking and could leak their ID, researchers claim.

The vulnerability can be used to spy on users despite native OS protections that are in place and impacts Bluetooth devices on Windows 10, iOS, and macOS machines. This includes iPhones, iPads, Apple Watch models, MacBooks, and Microsoft tablets & laptops.

On Wednesday, Boston University researchers David Starobinski and Johannes Becker presented the results of their research at the 19th Privacy Enhancing Technologies Symposium, taking place in Stockholm, Sweden.

According to the research paper, Tracking Anonymized Bluetooth Devices (.PDF), many Bluetooth devices use randomized MAC addresses when advertising their presence in order to prevent long-term tracking, but the team found that it is possible to circumvent the randomization of these addresses to permanently monitor a specific device.

Identifying tokens are usually broadcast alongside MAC addresses, and a new algorithm developed by Boston University, called an address-carryover algorithm, is able to "exploit the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device."

"The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic," the paper reads.

The Bluetooth Low Energy (BLE) specification, introduced in 2010 and used in Bluetooth 5, is the main focus of the research. During their experiments, the researchers set up a testbed of Apple and Microsoft devices to analyze BLE advertising channels and "advertising events" within standard Bluetooth proximities.

To conduct the tests, a custom version of Xianjun Jiao's BTLE software suite and sniffer was used. Over a period of time, advertising events and log files were passively collected and this information was analyzed to elicit data structures which revealed device ID tokens.

"Most computer and smartphone operating systems do implement address randomizations by default as a means to prevent long-term passive tracking, as permanent identifiers are not broadcasted," the paper reads. "However, we identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range."

It is these identifiers which can be incorporated into an algorithm to track devices and circumvent address randomization by giving attackers data which the researchers call "a temporary, secondary pseudo-identity."

While this technique works on Windows, iOS, and macOS systems, the Android operating system is immune because it does not continually send out advertising messages. Instead, the Android SDK scans for nearby advertising rather than advertising itself in a continuous fashion.

"Any device which regularly advertises data containing suitable advertising tokens will be vulnerable to the carry-over algorithm if it does not change all of its identifying tokens in sync with the advertising address," the researchers say. "As Bluetooth adoption is projected to grow from 4.2 to 5.2 billion devices between 2019 and 2022 [...] establishing tracking-resistant methods, especially on unencrypted communication channels, is of paramount importance."
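The condition the researchers describe can be checked on captured advertising from a device under test. The following simplified simulation is an added illustration, not code from the paper or the researchers' tooling; the event fields, function names and rotation periods are assumptions, and the traffic is constructed. It shows that addresses chain together when token rotation lags the address rotation, and that rotating both in sync leaves nothing to link.

```python
from collections import namedtuple

# One passively observed advertising event (constructed fields, not a real capture format).
Adv = namedtuple("Adv", "t addr token")

def simulate(n, addr_period, token_period, token_offset):
    """Constructed traffic from one device: the address rotates every
    addr_period ticks, the payload token every token_period ticks, with the
    token rotation shifted by token_offset ticks."""
    return [Adv(t, f"addr-{t // addr_period}",
                f"tok-{(t + token_offset) // token_period}") for t in range(n)]

def link_addresses(events):
    """Group addresses into chains: a new address joins an existing chain when
    it first appears with a token already seen under an earlier address.
    Simplification: chains are never merged after the fact."""
    chain_of = {}   # ("addr", x) or ("token", y) -> chain index
    chains = []     # chain index -> addresses in order of first sighting
    for ev in sorted(events, key=lambda e: e.t):
        a, k = ("addr", ev.addr), ("token", ev.token)
        idx = chain_of.get(a, chain_of.get(k))
        if idx is None:          # neither address nor token seen before
            idx = len(chains)
            chains.append([])
        chain_of[a] = chain_of[k] = idx
        if ev.addr not in chains[idx]:
            chains[idx].append(ev.addr)
    return chains

def audit(events):
    """Return (address_count, chain_count). chain_count == address_count means
    no rotation was linkable; chain_count == 1 means every rotation was."""
    chains = link_addresses(events)
    return sum(len(c) for c in chains), len(chains)

if __name__ == "__main__":
    print("unsynchronised:", audit(simulate(60, 15, 15, 5)))
    print("synchronised:  ", audit(simulate(60, 15, 15, 0)))
```

A device that passes this check changes every identifying token at the same moment as its advertising address, which is the mitigation the researchers' statement implies.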

Update 12.41 BST: A Microsoft spokesperson told ZDNet:

"Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible. We addressed this issue in the Windows 10 May Update (1903) and customers who have Windows Updates enabled are protected."

ZDNet has reached out to Apple and will update if we hear back.
