Hardware flaws give Bluetooth chipsets unique fingerprints that can be tracked

While this poses a privacy and security threat, an attacker's ability to exploit it may come down to luck


Researchers at the University of California San Diego have shown for the first time that Bluetooth signals each carry an individual, trackable fingerprint.

In a paper presented at the IEEE Security and Privacy Conference last month, the researchers wrote that Bluetooth signals can also be tracked, given the right tools.

However, there are technological and expertise hurdles that a miscreant would have to clear today to track a person through the Bluetooth signals in their devices, they wrote.

"By their nature, BLE [Bluetooth Low Energy] wireless tracking beacons have the potential to introduce significant privacy risks," the researchers wrote. "For example, an adversary might stalk a user by placing BLE receivers near locations they might visit and then record the presence of the user's beacons."

The researchers – who hail from the school's departments of Computer Science and Engineering and Electrical and Computer Engineering – pointed to the COVID-19 contact-tracing applications that governments added to Apple iOS and Android devices, which send out constant Bluetooth signals, or beacons.

Other examples include the BLE beaconing that Microsoft and Apple added to their operating systems for features such as tracking lost devices, connecting smartphones to wireless peripherals such as earphones or speakers, and letting users switch more seamlessly between devices.

"Therefore, BLE beacons are now common on many mobile platforms, including: phones, laptops, and smartwatches," they wrote.

According to the paper, these devices constantly transmit signals at a rate of around 500 beacons per minute. To address security and privacy concerns, many BLE proximity applications use measures such as cryptographically anonymizing and periodically rotating the identity of a mobile device in its beacons. They routinely re-encrypt the device's MAC address, and the COVID-19 contact-tracing applications rotate identifiers so receivers can't link beacons from the same device.

That said, a person could get past these barriers by fingerprinting the device at a lower layer, according to the researchers. Previous studies have shown that wireless transmitters, in Wi-Fi for instance, have small imperfections accidentally introduced during manufacturing that are unique to each device.

The UC San Diego scientists found that similar imperfections in Bluetooth transmitters create distortions that can be used to create a similar unique fingerprint. The fingerprints can be used to track devices and, thus, their users.

That said, it's not an easy process.

An attacker would first need to isolate the target to capture the fingerprint in the wireless transmissions and find the unique physical-layer features of the device's Bluetooth transmitter. After that, they would need to have a receiver in a place the device might be and have it passively sniff for the target's Bluetooth transmissions.

"They will know when the target device is near the receiver when it captures one or more packets that match the target's physical layer fingerprint," the researchers wrote.

"The more frequently the BLE device transmits, the more likely the attacker is to receive a transmission if a user passes by. Also, the more accurate the fingerprinting technique is, the better the attacker can differentiate the target from other nearby devices."

To do all this, the attacker needs to have a radio receiver that can record raw radio signals. The researchers warned that a hobbyist device in the $150 price range could do the job.

In addition, the researchers had to create a new algorithm for the work. Wi-Fi signals begin with a long, known sequence called the "preamble" – but the preamble in Bluetooth is very short.

The algorithm skips the Bluetooth preamble and instead estimates two different values in the entire signal. This is where the defects can be found and the unique fingerprint identified.

The researchers developed a fingerprinting toolkit and associated methodology they used to assess how many mobile devices could be identified in public areas like coffee shops and public hallways. One test found that 40 percent of 162 devices detected were identifiable via their unique fingerprints; in another experiment 47 percent of 647 mobile devices could be identified.

In another test, they tracked a volunteer who had an iPhone as they walked in and out of their home over an hour-long period. Simulating an attack, they were able to track the person during most of that time.

However, anyone trying to track a person via their mobile device's Bluetooth signals will run into challenges. Among them: Bluetooth devices use a variety of chipsets with different hardware implementations, and some devices transmit at lower power than others. In addition, temperature can affect the Bluetooth fingerprint. The researchers also noted that an attacker would need a certain level of technological expertise to pull this off.

Devices "may be similar to other devices of the same make and model. Or, they may not even have certain identifying features if they are developed with low power radio architectures," they wrote.

"By evaluating the practicality of this attack in the field, particularly in busy settings such as coffee shops, we found that certain devices have unique fingerprints, and therefore are particularly vulnerable to tracking attacks. Others have common fingerprints – they will often be misidentified."
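As an added illustration, not the researchers' toolkit or any code from the paper, the constructed simulation below models the two points made above: a stable physical-layer fingerprint links beacons even though their addresses rotate, and matching becomes unreliable as more devices share similar fingerprints or the chip's temperature shifts. The impairment types, spreads, noise levels and drift value are all hypothetical.

```python
import random

# Constructed toy model, not the UCSD toolkit: a device's fingerprint is a fixed pair of
# hypothetical impairments (carrier frequency offset in Hz, I/Q offset); addresses rotate per beacon.
CFO_SPREAD, IQ_SPREAD = 20_000.0, 0.02   # chip-to-chip manufacturing spread
CFO_NOISE, IQ_NOISE = 2_000.0, 0.004     # per-beacon estimation error at the sniffer

def make_population(n, seed):
    """Draw n devices' fixed impairments from the manufacturing spread."""
    rng = random.Random(seed)
    return [(rng.gauss(0, CFO_SPREAD), rng.gauss(0, IQ_SPREAD)) for _ in range(n)]

def observe(device, rng, cfo_drift=0.0):
    """One sniffed beacon: a rotated 48-bit address plus a noisy estimate of the
    impairments. cfo_drift models the chip running warmer or colder than when enrolled."""
    cfo, iq = device
    address = rng.getrandbits(48)
    return address, (cfo + cfo_drift + rng.gauss(0, CFO_NOISE), iq + rng.gauss(0, IQ_NOISE))

def distance(a, b):
    """Squared distance with each axis scaled to its population spread."""
    return ((a[0] - b[0]) / CFO_SPREAD) ** 2 + ((a[1] - b[1]) / IQ_SPREAD) ** 2

def match(estimate, enrolled):
    """Index of the enrolled fingerprint nearest to an observed estimate."""
    return min(range(len(enrolled)), key=lambda i: distance(estimate, enrolled[i]))

def linked_across_rotation(enrolled, target, seed=7):
    """Sniff two target beacons: do the addresses differ, and does the
    fingerprint still attribute both to the same enrolled device?"""
    rng = random.Random(seed)
    (addr1, est1), (addr2, est2) = observe(enrolled[target], rng), observe(enrolled[target], rng)
    return addr1 != addr2, match(est1, enrolled) == match(est2, enrolled) == target

def identification_rate(enrolled, target, beacons=200, cfo_drift=0.0, seed=7):
    """Fraction of the target's beacons attributed to it when every device in
    `enrolled` is a candidate. The same seed replays the same beacons."""
    rng = random.Random(seed)
    hits = sum(match(observe(enrolled[target], rng, cfo_drift)[1], enrolled) == target
               for _ in range(beacons))
    return hits / beacons

if __name__ == "__main__":
    quiet = make_population(5, seed=1)            # a few devices in a hallway
    busy = quiet + make_population(495, seed=2)   # same target, now in a busy cafe
    print("addresses rotate / still linked:", linked_across_rotation(quiet, 0))
    print("hit rate among 5 devices  :", identification_rate(quiet, 0))
    print("hit rate among 500 devices:", identification_rate(busy, 0))
    print("hit rate, 500 devices, warmer chip:", identification_rate(busy, 0, cfo_drift=60_000.0))
```

Because the busy population contains the quiet one and the same beacons are replayed, the hit rate can only fall as candidates are added; the drift case shows why a fingerprint enrolled at one temperature may stop matching at another.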

The upshot is that mobile devices can be tracked via their Bluetooth signals, and the equipment necessary isn't overly expensive. "However, an attacker's ability to track a particular target is essentially a matter of luck," the researchers wrote. ®



Biting the hand that feeds IT © 1998–2022