Only Android is safe from user identifying Bluetooth exploit

A weakness in how several operating systems advertise over Bluetooth Low Energy (BLE) lets a passive listener track users and tie their devices to a persistent identity. Modern devices with Bluetooth connectivity, with the notable exception of Android, may be affected.

The technique works even though these operating systems already randomize their Bluetooth addresses to prevent exactly this kind of tracking. Bluetooth-enabled devices running Windows 10, iOS and macOS, including iPhones, iPads, Apple Watch models, MacBooks, and Microsoft tablets and laptops, are all affected.

The tracking technique was described by David Starobinski and Johannes Becker, researchers at Boston University.

As the researchers explain, many Bluetooth devices use randomized MAC addresses when advertising their presence, precisely so that they cannot be tracked over the long term. What the research team found is that the randomization can be circumvented, allowing a specific device to be monitored continuously across address changes.

The Boston University researchers developed a new algorithm, called an address-carryover algorithm, to "exploit the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device." It works on the identifying tokens that accompany the randomized address in the advertising payload.

The paper states that, "The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic."

The research focuses on the Bluetooth Low Energy (BLE) specification, introduced with Bluetooth 4.0 in 2010 and carried forward into Bluetooth 5.

A testbed of Apple and Microsoft devices was used to analyze BLE advertising channels and the "advertising events" those devices emit at ordinary Bluetooth ranges.

The captures were made with a customized version of the BTLE software suite. Advertising events were collected passively and logged, and the logs were then analyzed to identify the payload data structures that carry device-identifying tokens.

“Most computer and smartphone operating systems do implement address randomizations by default as a means to prevent long-term passive tracking, as permanent identifiers are not broadcasted,” the research paper reads. “However, we identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range.”

These identifiers are what the carry-over algorithm keys on. Because they are not rotated at the same moment as the address, they give an attacker what the researchers call "a temporary, secondary pseudo-identity" that bridges one randomized address to the next.

The technique works on Windows, iOS and macOS, but Android was not affected in the researchers' tests because, by default, the OS does not continuously send advertising messages: the Android SDK scans for nearby advertisers rather than advertising itself. That protection is a property of the default behavior rather than a guarantee; as the researchers note below, any device that advertises a token which outlives its randomized address is exposed in the same way.

“Any device which regularly advertises data containing suitable advertising tokens will be vulnerable to the carry-over algorithm if it does not change all of its identifying tokens in sync with the advertising address,” the researchers state. “As Bluetooth adoption is projected to grow from 4.2 to 5.2 billion devices between 2019 and 2022 […] establishing tracking-resistant methods, especially on unencrypted communication channels, is of paramount importance.”
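To make the carry-over condition concrete, here is an added example (not the researchers' code and not from the paper) that parses a BLE advertising payload into its AD structures, takes the manufacturer-specific data of a Microsoft or Apple frame as the identifying token, and links a newly seen address to an existing track whenever the token carries over from the previous address. The AD-structure encoding, the 0xFF manufacturer-specific AD type and the company IDs 0x0006 (Microsoft) and 0x004C (Apple) are real; the token contents, addresses and rotation timings in the two traces are constructed for illustration. The first trace rotates the token out of phase with the address, as the affected platforms did; the second rotates both together, which is the mitigation the quote above describes.

```python
# Added example: simplified address-carryover linking over constructed BLE
# advertising events. Not the Boston University authors' code.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

AD_MANUFACTURER_SPECIFIC = 0xFF   # AD type for manufacturer-specific data
MSFT_COMPANY_ID = 0x0006          # Bluetooth SIG company ID: Microsoft
APPLE_COMPANY_ID = 0x004C         # Bluetooth SIG company ID: Apple


def parse_ad_structures(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split an advertising payload into (ad_type, data) AD structures.
    Each structure is: 1 byte length, 1 byte type, (length - 1) bytes data."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                 # zero length terminates the payload
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        out.append((payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def extract_token(payload: bytes) -> Optional[bytes]:
    """Return the manufacturer-specific data of a Microsoft or Apple frame,
    minus the 2-byte little-endian company ID, as the identifying token.
    (Treating the whole remainder as the token is an assumption for this demo.)"""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_MANUFACTURER_SPECIFIC and len(data) >= 2:
            company = struct.unpack_from("<H", data)[0]
            if company in (MSFT_COMPANY_ID, APPLE_COMPANY_ID):
                return data[2:]
    return None


@dataclass
class AdvEvent:
    t: float        # seconds since capture start
    addr: str       # advertising address as seen on air (randomized)
    payload: bytes


def carryover_tracks(events: List[AdvEvent], window: float = 1200.0) -> List[List[str]]:
    """Address-carryover: a new address whose token equals the token last seen
    on a recently active track is linked into that track. Returns each track's
    addresses in order of appearance; an unlinked address starts a new track."""
    tracks, addr_to_track = [], {}
    for ev in sorted(events, key=lambda e: e.t):
        token = extract_token(ev.payload)
        if ev.addr in addr_to_track:            # same address: just refresh state
            tr = addr_to_track[ev.addr]
            tr["token"], tr["last"] = token, ev.t
            continue
        match = next((tr for tr in tracks
                      if token is not None and tr["token"] == token
                      and ev.t - tr["last"] <= window), None)
        if match is None:                       # token never seen: new identity
            match = {"addrs": [], "token": token, "last": ev.t}
            tracks.append(match)
        match["addrs"].append(ev.addr)          # token carried over: link it
        match["token"], match["last"] = token, ev.t
        addr_to_track[ev.addr] = match
    return [tr["addrs"] for tr in tracks]


def msft_frame(token: bytes) -> bytes:
    """Build a payload holding one Microsoft manufacturer-specific AD structure."""
    data = struct.pack("<H", MSFT_COMPANY_ID) + token
    return bytes([len(data) + 1, AD_MANUFACTURER_SPECIFIC]) + data


# Constructed trace: address rotates every 900 s, token rotates every 900 s but
# 600 s out of phase, so each new address first appears with the old token.
ASYNC_TRACE = [
    AdvEvent(0,    "5a:11:22:33:44:01", msft_frame(b"\x01\xaa")),
    AdvEvent(600,  "5a:11:22:33:44:01", msft_frame(b"\x02\xbb")),  # token changes
    AdvEvent(900,  "7b:11:22:33:44:02", msft_frame(b"\x02\xbb")),  # address changes, token carried over
    AdvEvent(1500, "7b:11:22:33:44:02", msft_frame(b"\x03\xcc")),
    AdvEvent(1800, "4c:11:22:33:44:03", msft_frame(b"\x03\xcc")),
]

# Constructed trace of the mitigation: token and address change together, so a
# new address never shows up carrying a previously observed token.
SYNC_TRACE = [
    AdvEvent(0,    "5a:11:22:33:44:01", msft_frame(b"\x01\xaa")),
    AdvEvent(900,  "7b:11:22:33:44:02", msft_frame(b"\x02\xbb")),
    AdvEvent(1800, "4c:11:22:33:44:03", msft_frame(b"\x03\xcc")),
]

if __name__ == "__main__":
    print(carryover_tracks(ASYNC_TRACE))   # one track spanning all three addresses
    print(carryover_tracks(SYNC_TRACE))    # three single-address tracks, unlinkable
```

The linker deliberately does nothing clever: it never decrypts anything and never touches a connection, which is the point the paper makes about this attack. The time window keeps a stale track from absorbing an unrelated device that later happens to emit the same bytes, and the synchronous trace shows why rotating every identifying token at the same instant as the address defeats the carry-over.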

If your device runs Windows 10, the fix is to update to at least the Windows 10 May 2019 Update (version 1903).

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648