Norwegian student tracks Bluetooth headset wearers by wardriving around Oslo on a bicycle

A Norwegian student who went wardriving around Oslo on a pushbike has discovered that several popular models of Bluetooth headphones don't implement MAC address randomisation – meaning they can be used to track their wearers.

Norwegian state broadcaster NRK revealed Bjorn Hegnes' findings after helping him analyse Bluetooth emissions from a dozen different models of audio headphones, contained within 1.7 million Bluetooth messages he intercepted. Hegnes was collecting the data as part of his first year project at Norof university.

The analysis was possible because Bluetooth devices generally default to broadcasting their unique identities. Yet it appeared that of all the headphones picked up by Hegnes, none of them implemented address randomisation.

Without that randomisation, it was trivial for the devices to be pinged repeatedly, revealing their wearers' precise location as they travelled around the city of Oslo.

"The data were collected by Hegnes [while travelling] by bike throughout Oslo with a Bluetooth receiver. The first couple of trips were used to test the device and the procedures, then he endeavored on a 300km-long trip over 12 days. The antenna picked up Bluetooth messages within a radius of 100 metres," reported NRK this week.

Hegnes' cycle trips discovered 9,149 unique Bluetooth transmitters, including 129 headsets that were picked up for more than 24 hours.

MAC address randomisation was spurred on by the revelations leaked by former NSA sysadmin Edward Snowden, though opinions vary on its usefulness; the US Naval Academy (perhaps predictably) declared in 2017 that it wasn't really worthwhile doing. More recent research showed that modern devices are good at address randomisation.

NRK prepared some maps, available on its website, showing where particular device owners had been travelling around the Norwegian capital. It also contacted one of the device owners, having identified him from his headset. He told journalist Martin Gundersen: "It is unpleasant knowing that others that you don't know are able to track you via Bluetooth. It never crossed my mind."

• 'No peeing towards Russia' sign appears on country's Arctic border with Norway
• Snowden was right, rules human rights court as it declares UK spy laws broke ECHR
• Tesla owners win legal fight after software update crippled older Model S batteries
• BrakTooth vulnerabilities put Bluetooth users at risk – and some devices are going unpatched

Jake Moore, security specialist at Slovakian infosec firm ESET, told The Register the implications of Hegnes' findings were worrying for the privacy-conscious.

"With the boom in smart devices over the last decade," said Moore, "it is extremely concerning that this hasn't been considered when privacy is taking a powerful turn currently. The post-Snowden era makes these findings even more worrisome too."

Back in 2014 the Internet Engineering Taskforce (IETF) vowed to toughen its protocols to prevent trivially easy spying of the type uncovered by NSA whistleblower Snowden. The following year MAC address randomisation emerged as one of the concrete wins from that effort.

ESET's Moore continued: "Many people will no doubt continue to use headphones and other technologies which scarcely adapt, apart from those with minimal additions, meaning people could be at risk still for years to come. Few companies push out security updates to IoT devices and even fewer patch such devices even if they are available."

Application security expert Sean Wright told us:

"The risks of this are clear. Bluetooth headsets follow us everywhere – on our commute, in the gym or the office, on our way to meet friends – so the idea that someone can use them to track your location is sinister to say the least. What if an abusive partner or stalker uses this finding to their advantage to silently track their victim? Let’s not even get into the potential danger it could pose for children and teenagers.

"The key question I have is whether the information that’s being pulled from these devices is centrally collected. If it is, then the risk to the general public is significant as it’ll be a lot easier for those with malicious intent to get their hands on it. Vendors need to start randomising the addresses of devices to protect their users’ privacy, otherwise I have no doubt that we’ll see this kind of thing exploited in the future," he said.

While the British government (closely followed by the EU) is pushing ahead with plans to force better security standards into IoT and consumer devices, that push was focused on interactive devices with default admin passwords.

A set of Bluetooth earbuds or headphones isn't what springs to mind when you think of an IoT device – yet it can apparently still pose a privacy risk. ®