1. bookVolume 2019 (2019): Issue 3 (July 2019)
Zeitschriftendaten
License
Format
Zeitschrift
Erstveröffentlichung
16 Apr 2015
Erscheinungsweise
4 Hefte pro Jahr
Sprachen
Englisch
access type Open Access

Tracking Anonymized Bluetooth Devices

Online veröffentlicht: 12 Jul 2019
Seitenbereich: 50 - 65
Eingereicht: 30 Nov 2018
Akzeptiert: 16 Mar 2019
Zeitschriftendaten
License
Format
Zeitschrift
Erstveröffentlichung
16 Apr 2015
Erscheinungsweise
4 Hefte pro Jahr
Sprachen
Englisch

Bluetooth Low Energy (BLE) devices use public (non-encrypted) advertising channels to announce their presence to other devices. To prevent tracking on these public channels, devices may use a periodically changing, randomized address instead of their permanent Media Access Control (MAC) address. In this work we show that many state-of-the-art devices which are implementing such anonymization measures are vulnerable to passive tracking that extends well beyond their address randomization cycles. We show that it is possible to extract identifying tokens from the pay-load of advertising messages for tracking purposes. We present an address-carryover algorithm which exploits the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device. We furthermore identify an identity-exposing attack via a device accessory that allows permanent, non-continuous tracking, as well as an iOS side-channel which allows insights into user activity. Finally, we provide countermeasures against the presented algorithm and other privacy flaws in BLE advertising.

[1] Apple Inc. iBeacon, 2014.Search in Google Scholar

[2] Gianmarco Baldini, Raimondo Giuliani, Gary Steri, and Ricardo Neisse. Physical Layer Authentication of Internet of Things Wireless Devices Through Permutation and Dispersion Entropy. In 2017 Global Internet of Things Summit (GIoTS), pages 1–6. IEEE, 6 2017.Search in Google Scholar

[3] Bluetooth Special Interest Group (SIG). Company Identifiers.Search in Google Scholar

[4] Bluetooth Special Interest Group (SIG). Generic Access Profile.Search in Google Scholar

[5] Bluetooth Special Interest Group (SIG). Service Discovery.Search in Google Scholar

[6] Bluetooth Special Interest Group (SIG). Bluetooth Core Specification. v4.0. Bluetooth Special Interest Group (SIG), 2010.Search in Google Scholar

[7] Bluetooth Special Interest Group (SIG). Supplement to the Bluetooth Core Specification. Bluetooth Special Interest Group (SIG), 2015.Search in Google Scholar

[8] Bluetooth Special Interest Group (SIG). Bluetooth Core Specification. v5.0. Bluetooth Special Interest Group (SIG), 2016.Search in Google Scholar

[9] Bluetooth Special Interest Group (SIG). Bluetooth Market Update 2018. Technical report, Bluetooth Special Interest Group (SIG), 2018.Search in Google Scholar

[10] Bluetooth Special Interest Group (SIG). Core Specifications, 2018.Search in Google Scholar

[11] Bluetooth Special Interest Group (SIG). Our History, 2018.Search in Google Scholar

[12] Britt Cyr, Webb Horn, Daniela Miao, and Michael Specter. Security Analysis of Wearable Fitness Devices (Fitbit). Massachusetts Institute of Technology, pages 1–14, 2014.Search in Google Scholar

[13] D.A. Dai Zovi and S.A. Macaulay. Attacking Automatic Wireless Network Selection. In Proceedings from the Sixth Annual IEEE Systems, Man and Cybernetics (SMC) Information Assurance Workshop, 2005., volume 2005, pages 365–372. IEEE, 2005.Search in Google Scholar

[14] Dino A Dai Zovi. KARMA Attacks Radioed Machines Automatically, 2005.Search in Google Scholar

[15] Boris Danev, Davide Zanetti, and Srdjan Capkun. On Physical-Layer Identification of Wireless Devices. ACM Computing Surveys, 45(1):1–29, 2012.Search in Google Scholar

[16] Aveek K. Das, Parth H. Pathak, Chen-Nee Chuah, and Prasant Mohapatra. Uncovering Privacy Leakage in BLE Network Traffic of Wearable Fitness Trackers. In Proceedings of the 17th International Workshop on Mobile Computing Systems and Applications - HotMobile ’16, pages 99–104, New York, New York, USA, 2016. ACM Press.Search in Google Scholar

[17] Byron C Drachman and Michael J Cloud. Inequalities: With Applications to Engineering. Springer-Verlag, 1998.Search in Google Scholar

[18] Google. Eddystone.Search in Google Scholar

[19] Google Developers. BluetoothLeAdvertiser.Search in Google Scholar

[20] Robin Heydon. An Introduction to Bluetooth Low Energy, 2013.Search in Google Scholar

[21] IEEE Computer Society. IEEE Standard for Local and Metropolitan Area Networks - Link Aggregation. IEEE Standards Association, 2008.Search in Google Scholar

[22] Taher Issoufaly and Pierre Ugo Tournoux. BLEB: Bluetooth Low Energy Botnet for large scale individual tracking. 2017 1st International Conference on Next Generation Computing Applications, NextComp 2017, pages 115–120, 2017.Search in Google Scholar

[23] Markus Jakobsson and Susanne Wetzel. Security Weaknesses in Bluetooth. In David Naccache, editor, Topics in Cryptology — CT-RSA 2001, pages 176–191, Berlin, Heidelberg, 2001. Springer.Search in Google Scholar

[24] Mohamed Imran Jameel and Jeffrey Dungen. Low-Power Wireless Advertising Software Library for Distributed M2M and Contextual IoT. In 2015 IEEE 2nd World Forum on Internet of Things (WF-IoT), pages 597–602. IEEE, 12 2015.Search in Google Scholar

[25] Xianjun Jiao. BTLE, 2014.Search in Google Scholar

[26] Heikki Karvonen, Carlos Pomalaza-Ráez, Konstantin Mikhaylov, Matti Hämäläinen, and Jari Iinatti. Experimental Performance Evaluation of BLE 4 Versus BLE 5 in Indoors and Outdoors Scenarios. In Giancarlo Fortino and Zhelong Wang, editors, Advances in Body Area Networks I, pages 235–251. Springer, Cham, 2019.Search in Google Scholar

[27] Jeremy Martin, Travis Mayberry, Collin Donahue, Lucas Foppe, Lamont Brown, Chadwick Riggins, Erik C. Rye, and Dane Brown. A Study of MAC Address Randomization in Mobile Devices and When it Fails. Proceedings on Privacy Enhancing Technologies, 2017(4):365–383, 10 2017.Search in Google Scholar

[28] Radius Networks. AltBeacon, 2015.Search in Google Scholar

[29] reelyActive. reelyActive-git.Search in Google Scholar

[30] reelyActive. Sniffypedia, 2018.Search in Google Scholar

[31] Pierre Rouveyrol, Patrice Raveneau, and Mathieu Cunche. Large Scale Wi-Fi Tracking Using a Botnet of Wireless Routers. Workshop on Surveillance & Technology, 2015.Search in Google Scholar

[32] Krishna Sampigethaya, Leping Huang, Mingyan Li, Radha Poovendran, Kanta Matsuura, and Kaoru Sezaki. CARAVAN: Providing Location Privacy for VANET. Technical report, Washington Univ Seattle Dept of Electrical Engineering, 2005.Search in Google Scholar

[33] Dominic Spill and Andrea Bittau. BlueSniff: Eve meets Alice and Bluetooth. WOOT ’07 Proceedings of the first USENIX workshop on Offensive Technologies, page 10, 2007.Search in Google Scholar

[34] Mathy Vanhoef, Célestin Matte, Mathieu Cunche, Leonardo S. Cardoso, and Frank Piessens. Why MAC Address Randomization is not Enough. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security - ASIA CCS ’16, pages 413–424, New York, New York, USA, 2016. ACM Press.Search in Google Scholar

[35] virtualabs. probeZero, 2016.Search in Google Scholar

[36] Tien Dang Vo-Huu, Triet Dang Vo-Huu, and Guevara Noubir. Fingerprinting Wi-Fi Devices Using Software Defined Radios. In Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks - WiSec ’16, pages 3–14, New York, New York, USA, 2016. ACM Press.Search in Google Scholar

[37] Isabel Wagner and David Eckhoff. Technical Privacy Metrics. ACM Computing Surveys, 51(3):1–38, 2018.Search in Google Scholar

[38] Martin Woolley. Bluetooth Technology Protecting Your Privacy, 2015.Search in Google Scholar

[39] Qiang Xu, Rong Zheng, Walid Saad, and Zhu Han. Device Fingerprinting in Wireless Networks: Challenges and Opportunities. IEEE Communications Surveys & Tutorials, 18(1):94–104, 2016.Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo