In 2018, nearly 3.7 billion new Bluetooth-enabled devices shipped worldwide to consumers. From phones and speakers to thermostats and fridges, home appliances and personal devices including “wearables” are rapidly becoming more connected by Wi-Fi than ever before, creating what’s called the Internet of Things (IoT). In theory, connecting devices through the IoT allows users to seamlessly automate or control digital tasks, but new research from Boston University suggests that these Bluetooth-enabled devices might be broadcasting your location and habits to third-party observers.
Boston University engineers have discovered a vulnerability in several high-profile Bluetooth devices - including the popular workout-tracking Fitbit watch - that could allow third parties to obtain sensitive information from the devices, such as your exact location.
David Starobinski, a BU College of Engineering professor of electrical and computer engineering, and a team of researchers were looking into different IoT protocols in general and trying to find privacy issues with those products. They found that the very same features that allow a device to “authenticate,” or correctly identify its user - e.g., saved paired device information or a fingerprint passcode - can be co-opted by a third party to track the person instead.
The researchers say that the information leak stems from the way different Bluetooth devices communicate with one another to establish a connection.
Before a pair of Bluetooth devices can begin transmitting information, they must first establish which device will play a central role in the connection and which device will play a peripheral role. For example, if you were trying to connect a pair of Bluetooth headphones to your iPhone, the iPhone would play the role of the central device and the headphones would be the peripheral one. Once the pair’s hierarchy is established, the central device begins scanning for signals sent by the peripheral device indicating its availability for connection. These signals contain a unique address - similar to the IP address of a computer - and a payload containing data about the connection.
Most devices produce randomized addresses that automatically reconfigure periodically, instead of maintaining one permanent address, in an attempt to improve privacy. This randomization is designed to throw nefarious observers off the scent of a given device’s location, but Starobinski’s team says that they discovered an oversight in this process that allows a device to be tracked even as its address changes.
Since the payload information updates at a different rate than the address information, one of the two usually stays the same while the other changes, so an observer can link a device’s old address to its new one; the communication blips between Bluetooth devices thus paint an identifiable pattern. Having discovered this vulnerability, the researchers decided to test out how well it could be used by a third party to track individual devices.
They modified an already existing open-source “sniffer” algorithm (aptly named for its ability to sniff out and track Bluetooth connections) and found, luckily for Android users, that those devices don’t have the identifiable communication blip that would make them vulnerable to tracking. In contrast, Windows 10 and iOS may have something to worry about, since many of those devices do have the communication blips that make them trackable.
They also found that wearables - like a Fitbit - and smartpens do not exhibit any address change or randomization at all, making them extremely susceptible to tracking even without the use of a sniffer algorithm.
Researchers were surprised when they discovered this vulnerability with the Fitbit activity trackers: restarting the device or draining its battery did not change its access address, which was completely unexpected. If the Fitbit’s access address never changes, then an adversary could potentially track a Fitbit owner.
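The two weaknesses described above - an address that rotates on a different schedule than the payload, and an address that never rotates at all - can both be shown with a small simulation. The following Python model is an added example written for this article; it is not the Boston University team’s sniffer and does not touch a real Bluetooth radio. The event counts, rotation periods, the `fresh_id` helper and the linking rule are all constructed assumptions; `sync=True` models the mitigation in which a device regenerates its payload token whenever it changes its address, so that no field carries over across a change.

```python
"""Toy model of the BLE address-vs-payload rotation mismatch.

Constructed simulation (not the researchers' code): a device emits
advertisements carrying (address, payload_token). The address rotates every
addr_period events and the payload token every payload_period events. A passive
observer links advertisements into tracks whenever either field matches one it
has already seen on that track. The functions return values the reader can
inspect directly.
"""
import secrets


def fresh_id():
    # Constructed stand-in for a 48-bit random BLE address or a payload token.
    return secrets.token_hex(6)


def simulate_device(n_events, addr_period=None, payload_period=None, sync=False):
    """Return a list of (t, address, payload_token) advertisements.

    addr_period=None models a device with a fixed address (the Fitbit case).
    sync=True models the mitigation: the payload token is regenerated every time
    the address changes, so neither field survives a rotation.
    """
    addr, token = fresh_id(), fresh_id()
    events = []
    for t in range(n_events):
        addr_changed = addr_period is not None and t > 0 and t % addr_period == 0
        token_changed = payload_period is not None and t > 0 and t % payload_period == 0
        if addr_changed:
            addr = fresh_id()
        if token_changed or (sync and addr_changed):
            token = fresh_id()
        events.append((t, addr, token))
    return events


def link_tracks(events):
    """Passive observer's linking rule (assumed, simplified): an advertisement
    joins the first track that has already seen its address or its payload
    token; otherwise it starts a new track. Fewer tracks means the device was
    followed across more address changes."""
    tracks = []
    for _, addr, token in events:
        for track in tracks:
            if addr in track["addrs"] or token in track["tokens"]:
                track["addrs"].add(addr)
                track["tokens"].add(token)
                track["n"] += 1
                break
        else:
            tracks.append({"addrs": {addr}, "tokens": {token}, "n": 1})
    return tracks


def longest_track_fraction(events):
    """Share of all advertisements that the observer could chain into one track."""
    tracks = link_tracks(events)
    return max(track["n"] for track in tracks) / len(events)


if __name__ == "__main__":
    # Address every 5 events, payload every 7: the changes never coincide within
    # 30 events, so the observer chains everything into a single track.
    leaky = simulate_device(30, addr_period=5, payload_period=7)
    print("unsynchronized rotation: tracks =", len(link_tracks(leaky)))
    # Same periods, but the payload is refreshed with every address change.
    fixed = simulate_device(30, addr_period=5, payload_period=7, sync=True)
    print("synchronized rotation:   tracks =", len(link_tracks(fixed)))
    # Fixed address: no linking is needed at all.
    static = simulate_device(30, addr_period=None, payload_period=7)
    print("static address:          distinct addresses =",
          len({a for _, a, _ in static}))
```

In the unsynchronized run the address rotates five times yet the observer still sees one continuous track, which is the pattern the article describes for Windows 10 and iOS; with synchronized rotation every address change starts a fresh track, limiting what an observer can chain together to a single rotation period. The static case shows why a device that never randomizes needs no clever linking at all.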
While this security hole doesn’t sacrifice personal user data, the researchers say a hacker could take advantage of it and create a network of computers - known as a “botnet” - to track an individual device at larger distances, or combine tracking information with more personal data from Wi-Fi accessible IoT devices to build a more detailed picture of a user. The researchers also emphasize that no invasive hacking was necessary to access this leaking Bluetooth information. Because the address and payload information is transmitted as plain text (i.e., unencrypted), their algorithm could simply listen invisibly to the publicly transmitted information.
That said, the authors point out that thwarting this particular security gap can be as simple as turning off and back on your device’s Bluetooth connection, at least in the case of Windows 10 and iOS devices. For smart wearables like the Fitbit or accessory devices like smartpens, the researchers say there isn’t much a user can do about the signals they’re broadcasting.
Take this news with a grain of salt, though. The researchers say that they’re not too worried about the security of Bluetooth devices - yet, as there are tons of ways to track people, with or without Bluetooth. It’s always good to be aware of the kind of signals you’re sending out, especially in the age of IoT. I’m much more skeptical toward these devices that don’t give you control [of Bluetooth], such as smartwatches, where you can just assume they’re broadcasting something all the time.