Only Android is safe from user identification
Thanks to a flaw in the Bluetooth
communication protocol, users may be exposed to tracking and their ID could be
leaked. Any modern device, with the exception of Android, that sports Bluetooth
connectivity could be impacted.
The vulnerability can be used to spy on
users even with native OS protections in place. Bluetooth devices on Windows
10, iOS, and macOS machines, including iPhones, iPads, Apple Watch models,
MacBooks, Microsoft tablets and Microsoft laptops are all vulnerable.
The Bluetooth exploit was found by David
Starobinski and Johannes Becker, researchers from Boston University.
According to the researchers, many Bluetooth
devices use randomized MAC addresses when advertising their presence to prevent
long-term tracking. What the research team found is that it is possible to
circumvent the randomness of these addresses to permanently monitor a specific
The Boston University researchers developed a
new algorithm, called an address-carryover algorithm, in order to “exploit the
asynchronous nature of payload and address changes to achieve tracking beyond
the address randomization of a device” via the identifying tokens that are
usually in place alongside MAC addresses.
The paper states that, “The algorithm does not require
message decryption or breaking Bluetooth security in any way, as it is based
entirely on public, unencrypted advertising traffic.”
The main focus of the research is the Bluetooth Low Energy (BLE)
specification, introduced in 2010 and used in Bluetooth 5.
A testbed of Apple and Microsoft devices was utilized in order
to analyze BLE advertising channels and “advertising events” within standard
Then, to conduct the tests, a custom version of the BTLE software suite
was used. Advertising events and log files were passively collected during the
experiment, and this information was then analyzed to elicit data structures
which revealed device ID tokens.
“Most computer and smartphone operating systems do
implement address randomizations by default as a means to prevent long-term
passive tracking, as permanent identifiers are not broadcasted,” the research
paper reads. “However, we identified that devices running Windows 10, iOS
or macOS regularly transmit advertising events containing custom data
structures which are used to enable certain platform-specific interaction with
other devices within BLE range.”
It’s these identifiers that can be incorporated into an
algorithm to track devices and circumvent address randomization by giving
attackers data which the researchers call “a temporary, secondary
This technique works on Windows, iOS, and macOS systems, but the
Android operating system is immune since the OS does not continually send out
advertising messages. Instead, the Android SDK scans for advertising nearby —
rather than advertising itself in a continuous fashion.
“Any device which regularly advertises data containing
suitable advertising tokens will be vulnerable to the carry-over algorithm if
it does not change all of its identifying tokens in sync with the advertising
address,” the researchers state. “As Bluetooth adoption is projected
to grow from 4.2 to 5.2 billion devices between 2019 and 2022 […]
establishing tracking-resistant methods, especially on unencrypted
communication channels, is of paramount importance.”
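The condition the researchers describe (tokens must rotate in sync with the advertising address) can be checked against a capture of a device you are testing. The following is an added example, not code from the paper or from any vendor: it assumes a trace from a single device under test, with the identifying token already extracted from each payload, and all addresses and tokens are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AdvEvent:
    t: int          # capture time, seconds
    address: str    # randomized advertising address
    token: str      # identifying token already extracted from the payload

def audit_rotation(events):
    """List every identifier change that was not synchronized with the other."""
    ordered = sorted(events, key=lambda e: e.t)
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        addr_changed = cur.address != prev.address
        token_changed = cur.token != prev.token
        if addr_changed and not token_changed:
            findings.append((cur.t, "address rotated, token carried over"))
        elif token_changed and not addr_changed:
            findings.append((cur.t, "token rotated, address carried over"))
    return findings

def linkable_span(events):
    """Longest time (s) over which consecutive events share an address or token."""
    ordered = sorted(events, key=lambda e: e.t)
    best, start = 0, ordered[0].t if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.address != prev.address and cur.token != prev.token:
            start = cur.t  # both rotated together: nothing links old to new
        best = max(best, cur.t - start)
    return best

# Constructed traces (not real captures): placeholder addresses and tokens.
ASYNC = [AdvEvent(0, "A1", "T1"), AdvEvent(300, "A1", "T1"),
         AdvEvent(600, "A1", "T2"), AdvEvent(900, "A2", "T2"),
         AdvEvent(1200, "A2", "T3"), AdvEvent(1500, "A3", "T3")]
SYNCED = [AdvEvent(0, "B1", "U1"), AdvEvent(300, "B1", "U1"),
          AdvEvent(900, "B2", "U2"), AdvEvent(1200, "B2", "U2"),
          AdvEvent(1800, "B3", "U3")]

if __name__ == "__main__":
    for name, trace in (("async", ASYNC), ("synced", SYNCED)):
        print(name, linkable_span(trace), audit_rotation(trace))
```

In the asynchronous trace every rotation leaves one identifier unchanged, so the device stays linkable for the whole capture; in the synchronized trace the linkable span never exceeds one address lifetime.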
There is a fix for this exploit if your device runs on Windows 10 and you’ve updated that device to at least the Windows 10 May Update (1903).
As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648