Identifying tokens and random addresses, meant to create anonymity, do not change in sync on some devices — opening an attack vector.

Vulnerabilities in the way Bluetooth Low Energy is implemented on devices by manufacturers can open the door to global device tracking for the Windows 10, iOS and macOS devices that incorporate it, according to research from Boston University.

An academic team at BU uncovered the flaws, which exist in the periodically changing, randomized device addressing mechanism that many new-model Bluetooth Low Energy (BLE) devices incorporate to prevent passive tracking. A paper on the issues (PDF) was presented Wednesday at the 19th Privacy Enhancing Technologies Symposium.

Bluetooth devices advertise themselves as available to other devices in publicly available clear channels, dubbed “advertising channels,” to make pairing with other devices easy. In early versions of the Bluetooth specification, the permanent Bluetooth MAC addresses of devices were regularly broadcast in these clear advertising channels, leading to major privacy concerns stemming from the potential for device-tracking. BLE aimed to solve that by allowing device manufacturers to use temporary random addresses in over-the-air communication instead of a device’s permanent address.

But many BLE devices also use dynamic identifying tokens, which are unique to a device and remain static long enough to be used as secondary identifiers to the random addresses. The researchers were able to successfully track devices because these identifying tokens and the random addresses do not change in sync on some devices. So, one identifying token can be linked with a current address as well as the next random address assigned to the device. The token thus offers a kind of bridge between randomized addresses that an attacker can follow.

The Algorithm

In the research, the academic team used a packet sniffer to analyze the traffic coming across the advertising channels using what it called an address-carryover algorithm.

“The address-carryover algorithm exploits the asynchronous nature of address and payload change, and uses unchanged identifying tokens in the payload to trace a new incoming random address back to a known device,” according to the report. “[This] is an online algorithm that continuously observes changes in the address as well as any other relevant identifying tokens found.”

The algorithm listens to incoming addresses and tokens as they are broadcast on one of the BLE advertising channels. After extracting tokens for a certain device, if the advertising address changes, a match is attempted using any of the available captured identifying tokens. In case of a successful match, the identity of the device is updated with the incoming address, so the device has been tracked across the address change.
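The carry-over check described above, written as an added example (not code from the paper or from this article) in the form of a rotation audit over a capture of a device under test. The `Adv` record, the function name and all addresses and tokens in `CAPTURE` are constructed assumptions.

```python
from collections import namedtuple

# One observed advertisement: capture time, advertising address, identifying token.
Adv = namedtuple("Adv", "t addr token")

def audit_rotation(observations):
    """Group addresses that stay linkable and list every carry-over event."""
    addr_chain, token_chain = {}, {}   # address/token -> index into chains
    chains, carryovers = [], []
    for adv in sorted(observations, key=lambda a: a.t):
        if adv.addr in addr_chain:                 # known address
            idx = addr_chain[adv.addr]
        elif adv.token in token_chain:             # new address, old token: linkable
            idx = token_chain[adv.token]
            carryovers.append((adv.t, chains[idx][-1], adv.addr, adv.token))
            chains[idx].append(adv.addr)
            addr_chain[adv.addr] = idx
        else:                                      # address and token both new
            chains.append([adv.addr])
            idx = addr_chain[adv.addr] = len(chains) - 1
        token_chain[adv.token] = idx               # token may change under a known address
    return chains, carryovers

# Constructed capture. Device "5a:.." rotates address and token out of sync;
# device "7c:.." changes both at the same moment.
CAPTURE = [
    Adv(0,  "5a:00:00:00:00:01", "tok-a1"),
    Adv(5,  "7c:00:00:00:00:01", "tok-b1"),
    Adv(10, "5a:00:00:00:00:01", "tok-a1"),
    Adv(20, "5a:00:00:00:00:02", "tok-a1"),   # address changed, token did not
    Adv(25, "7c:00:00:00:00:02", "tok-b2"),   # address and token changed together
    Adv(30, "5a:00:00:00:00:02", "tok-a2"),   # token changed, address did not
    Adv(40, "5a:00:00:00:00:03", "tok-a2"),   # address changed, token did not
]

if __name__ == "__main__":
    chains, carryovers = audit_rotation(CAPTURE)
    for t, old, new, token in carryovers:
        print(f"t={t}: {old} -> {new} linked by unchanged token {token}")
    for chain in chains:
        print("linkable addresses:", chain)
```

A device that produces no carry-over events across several rotation periods changed its token and address together in that capture; any event listed is a point where the two fell out of sync.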

The researchers tested Apple and Microsoft computers and iPhones, and reported mixed success in their proof-of-concept work.

“The algorithm succeeds consistently on Windows 10 and sometimes on Apple operating systems,” according to the report. “In both cases, the respective identifying tokens change out of sync with the advertising address. In the Windows 10 case, there is no evidence of any synchronization by design. In the Apple case, it seems that there exist mechanisms to synchronize updates of identifying tokens with address randomization, but they occasionally fail.”

While the research work focused on Windows 10 and Apple devices, any device is vulnerable to the carry-over algorithm if it does not change all of its identifying tokens in sync with the advertising address.

Impact

Bluetooth adoption is projected to grow from 4.2 to 5.2 billion devices between 2019 and 2022, with over half a billion amongst them wearables and other data-focused connected devices. While the average BLE range is around 10 to 20 meters (though it has a theoretical range of up to 100 meters), an attacker could extend his reach via a botnet, researchers said.

“Local BLE tracking methods may be significantly compounded by coordinating them in a botnet of adversaries, resulting in potentially global tracking capabilities,” according to the paper. “This privacy concern is compounded by the realistic feasibility of BLE-based botnets and complementary threats such as large-scale tracking of users via compromised Wi-Fi routers, which amplify trackability to a global scale.”

The scale of the privacy issues could also get worse, the report concluded.

“It can further be imagined that additional metadata, such as electronic purchase transactions, facial recognition and other digital traces could be combined with Bluetooth tracking to generate a fine-grained location profile of a victim,” said the researchers.

The BU team said that it disclosed the issues to Microsoft and Apple in November. So far, no patches have appeared, but feasible workarounds exist.

For Windows 10, users can periodically disable a Bluetooth device through the Windows Device Manager and re-enable it again, which will reset both the advertising address and the token, thereby breaking the chain, researchers said.

For Apple devices, switching Bluetooth off and on in the System Settings (or in the Menu Bar on macOS) will randomize the address and change the payload, the team said.

Also, the testing revealed that Android devices are not affected.
