Volume 2020 (2020): Issue 1 (January 2020)
Journal Details
Format: Journal
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

Discontinued Privacy: Personal Data Leaks in Apple Bluetooth-Low-Energy Continuity Protocols

Published Online: 07 Jan 2020
Page range: 26 - 46
Received: 31 May 2019
Accepted: 16 Sep 2019

Apple Continuity protocols are the underlying network component of Apple Continuity services, which allow seamless nearby applications such as activity and file transfer, device pairing and sharing a network connection. Those protocols rely on Bluetooth Low Energy (BLE) to exchange information between devices: Apple Continuity messages are embedded in the payload of BLE advertisement packets that are periodically broadcast by devices. Recently, Martin et al. identified [1] a number of privacy issues associated with Apple Continuity protocols; we show that this was just the tip of the iceberg and that Apple Continuity protocols leak a wide range of personal information.


References

[1] Jeremy Martin, Douglas Alpuche, Kristina Bodeman, Lamont Brown, Ellis Fenske, Lucas Foppe, Travis Mayberry, Erik Rye, Brandon Sipes, and Sam Teplov. Handoff All Your Privacy – A Review of Apple’s Bluetooth Low Energy Continuity Protocol. Proceedings on Privacy Enhancing Technologies, 2019(4):34–53, 2019.

[2] Google. Nearby. URL https://developers.google.com/nearby/. Accessed: 2019-05-25.

[3] Microsoft. Microsoft Connected Devices Platform Protocol Version 3. 2019. URL https://docs.microsoft.com/enus/openspecs/windows_protocols/ms-cdp/f5a15c56-ac3a-48f9-8c51-07b2eadbe9b4. Accessed: 2019-05-25.

[4] Apple. All your devices. One seamless experience. URL https://www.apple.com/macos/continuity/. Accessed: 2019-05-25.

[5] Apple. MFi Program. URL https://developer.apple.com/programs/mfi/. Accessed: 2019-05-25.

[6] Apple. Home accessories. The list keeps getting smarter. URL https://www.apple.com/ios/home/accessories/. Accessed: 2019-05-25.

[7] Apple. Apple Reports Record First Quarter Results. 2016. URL https://www.apple.com/newsroom/2016/01/26Apple-Reports-Record-First-Quarter-Results/. Accessed: 2019-05-25.

[8] Mathy Vanhoef, Celestin Matte, Mathieu Cunche, Leonardo S. Cardoso, and Frank Piessens. Why MAC Address Randomization is Not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, ASIA CCS ’16, pages 413–424, New York, NY, USA, 2016. ACM. ISBN 978-1-4503-4233-9. doi:10.1145/2897845.2897883.

[9] Taher Issoufaly and Pierre Ugo Tournoux. BLEB: Bluetooth Low Energy Botnet for large scale individual tracking. In 2017 1st International Conference on Next Generation Computing Applications (NextComp), pages 115–120. IEEE, 2017.

[10] Ben Greenstein, Ramakrishna Gummadi, Jeffrey Pang, Mike Y Chen, Tadayoshi Kohno, Srinivasan Seshan, and David Wetherall. Can Ferris Bueller Still Have His Day Off? Protecting Privacy in the Wireless Era. In HotOS, 2007.

[11] Mathieu Cunche, Mohamed-Ali Kaafar, and Roksana Boreli. Linking wireless devices using information contained in Wi-Fi probe requests. Pervasive and Mobile Computing, 11:56–69, April 2014. ISSN 1574-1192. doi:10.1016/j.pmcj.2013.04.001.

[12] Aveek K Das, Parth H Pathak, Chen-Nee Chuah, and Prasant Mohapatra. Uncovering Privacy Leakage in BLE Network Traffic of Wearable Fitness Trackers. In Proceedings of the 17th International Workshop on Mobile Computing Systems and Applications, pages 99–104. ACM, 2016.

[13] Bluetooth SIG. Bluetooth Core Specification v4.0. 2010. URL https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=456433. Accessed: 2019-05-25.

[14] Johannes K Becker, David Li, and David Starobinski. Tracking Anonymized Bluetooth Devices. Proceedings on Privacy Enhancing Technologies, 2019(3):50–65, 2019.

[15] Guillaume Celosia and Mathieu Cunche. Saving Private Addresses: An Analysis of Privacy Issues in the Bluetooth-Low-Energy Advertising Mechanism. In Proceedings of the 16th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services. ACM, 2019.

[16] Martin Woolley. Bluetooth Technology Protecting Your Privacy. 2015. URL https://www.bluetooth.com/blog/bluetooth-technology-protecting-your-privacy/. Accessed: 2019-05-25.

[17] IEEE Standard for Local and Metropolitan Area Networks: Overview and Architecture. IEEE Std 802-2014 (Revision to IEEE Std 802-2001), pages 1–74, June 2014. doi:10.1109/IEEESTD.2014.6847097.

[18] Bluetooth SIG. Bluetooth Core Specification v5.1. 2019. URL https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=457080. Accessed: 2019-05-25.

[19] Apple. iOS Security - iOS 12.3. 2019. URL https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf. Accessed: 2019-05-25.

[20] Apple. HomeKit Accessory Protocol Specification (Non-Commercial Version) - Release R2. 2019. URL https://developer.apple.com//homekit/specification/. Accessed: 2019-08-20.

[21] Apple. About AirPrint. 2019. URL https://support.apple.com/en-us/HT201311. Accessed: 2019-05-25.

[22] Ang Cui, Michael Costello, and Salvatore Stolfo. When Firmware Modifications Attack: A Case Study of Embedded Exploitation. 2013.

[23] Apple. Connect and use your AirPods. 2019. URL https://support.apple.com/en-us/HT207010. Accessed: 2019-05-25.

[24] Dorene Kewley, Russ Fink, John Lowry, and Mike Dean. Dynamic approaches to thwart adversary intelligence gathering. In Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX’01, volume 1, pages 176–185. IEEE, 2001.

[25] Apple. Handoff. URL https://developer.apple.com/handoff/. Accessed: 2019-05-25.

[26] Apple. Use Handoff to continue a task on your other devices. 2019. URL https://support.apple.com/enus/HT209455. Accessed: 2019-05-25.

[27] Jeremy Martin, Travis Mayberry, Collin Donahue, Lucas Foppe, Lamont Brown, Chadwick Riggins, Erik C Rye, and Dane Brown. A Study of MAC Address Randomization in Mobile Devices and When It Fails. Proceedings on Privacy Enhancing Technologies, 2017(4):365–383, 2017.

[28] Lukasz Olejnik, Gunes Acar, Claude Castelluccia, and Claudia Diaz. The leaking battery. In Data Privacy Management, and Security Assurance, pages 254–263. Springer, 2015.

[29] Apple. Use Instant Hotspot to connect to your Personal Hotspot without entering a password. 2019. URL https://support.apple.com/en-us/HT209459. Accessed: 2019-08-20.

[30] Kassem Fawaz, Kyu-Han Kim, and Kang G Shin. Protecting Privacy of BLE Device Users. In USENIX Security Symposium, pages 1205–1221, 2016.

[31] Marianne Bertrand and Emir Kamenica. Coming Apart? Cultural Distances in the United States Over Time. Technical report, National Bureau of Economic Research, 2018.

[32] Le T Nguyen, Yu Seung Kim, Patrick Tague, and Joy Zhang. IdentityLink: User-Device Linking through Visual and RF-Signal Cues. In Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing, pages 529–539. ACM, 2014.

[33] Matthias C Sala, Kurt Partridge, Linda Jacobson, et al. An Exploration into Activity-Informed Physical Advertising Using PEST. In International Conference on Pervasive Computing, pages 73–90. Springer, 2007.

[34] Bogdan Copos, Karl Levitt, Matt Bishop, and Jeff Rowe. Is Anybody Home? Inferring Activity From Smart Home Network Traffic. In 2016 IEEE Security and Privacy Workshops (SPW), pages 245–251. IEEE, 2016.

[35] Joseph Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In 2012 IEEE Symposium on Security and Privacy, pages 538–552. IEEE, 2012.

[36] Levent Demir, Amrit Kumar, Mathieu Cunche, and Cedric Lauradoux. The Pitfalls of Hashing for Privacy. IEEE Communications Surveys & Tutorials, 20(1):551–565, 2018.

[37] Matthias Marx, Ephraim Zimmer, Tobias Mueller, Maximilian Blochberger, and Hannes Federrath. Hashing of personally identifiable information is not sufficient. SICHERHEIT 2018, 2018.

[38] Troy Hunt. The 773 Million Record “Collection #1” Data Breach. 2019. URL https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/. Accessed: 2019-05-25.

[39] Jaap Haitsma and Ton Kalker. A Highly Robust Audio Fingerprinting System. In ISMIR, volume 2002, pages 107–115, 2002.

[40] Heiko Knospe. Privacy-enhanced perceptual hashing of audio data. In 2013 International Conference on Security and Cryptography (SECRYPT), pages 1–6. IEEE, 2013.

[41] Gopala Krishna Anumanchipalli, Kishore Prahallad, and Alan W Black. Festvox: Tools for Creation and Analyses of Large Speech Corpora. In Workshop on Very Large Scale Phonetics Research, UPenn, Philadelphia, page 70, 2011.

[42] Sparhandy. Siri commands - endless functions of your virtual assistant. URL https://www.sparhandy.de/apple/info/siri-commands/. Accessed: 2019-05-25.

[43] Hao Fu, Aston Zhang, and Xing Xie. Effective Social Graph Deanonymization Based on Graph Structure and Descriptive Information. ACM Transactions on Intelligent Systems and Technology (TIST), 6(4):49, 2015.

[44] Jon Gunnar Sponas. Things You Should Know About Bluetooth Range. 2018. URL https://blog.nordicsemi.com/getconnected/things-you-should-know-about-bluetooth-range. Accessed: 2019-08-20.

[45] Nina Gerber, Benjamin Reinheimer, and Melanie Volkamer. Investigating People’s Privacy Risk Perception. Proceedings on Privacy Enhancing Technologies, 2019(3):267–288, 2019.

[46] Chrisil Arackaparambil, Sergey Bratus, Anna Shubina, and David Kotz. On the Reliability of Wireless Fingerprinting using Clock Skews. In Proceedings of the third ACM conference on Wireless network security, pages 169–174. ACM, 2010.

[47] Milan Stute, Sashank Narain, Alex Mariotto, Alexander Heinrich, David Kreitschmann, Guevara Noubir, and Matthias Hollick. A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link. page 18, 2019.

[48] Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen. Nearby Threats: Reversing, Analyzing, and Attacking Google’s ‘Nearby Connections’ on Android. In Proceedings of the Network and Distributed System Security Symposium (NDSS), February 2019.

[49] Guillaume Celosia and Mathieu Cunche. Detecting smartphone state changes through a Bluetooth based timing attack. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks, pages 154–159. ACM, 2018.

[50] Noah Apthorpe, Dillon Reisman, Srikanth Sundaresan, Arvind Narayanan, and Nick Feamster. Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic. 2017.

[51] Sandra Siby, Rajib Ranjan Maiti, and Nils Tippenhauer. IoTScanner: Detecting and Classifying Privacy Threats in IoT Neighborhoods. arXiv preprint arXiv:1701.05007, 2017.
