Bluetooth connecting to multiple devices

Internet-connected devices are opening up a wide range of applications from mobile devices to home appliances and wearables, but these devices are also opening up new areas of attack. Researchers from Boston University found that a third-party algorithm can track the location of some Bluetooth devices such as Fitbits, smart pens and even Windows and iOS devices.

“[The vulnerability] is pretty strong in the sense that the attacker or observer doesn’t need to actively engage with the victims to track. They just need to sniff data to do the tracking, and it’s virtually impossible to know if someone is doing that sniffing,” said David Starobinski, a professor of electrical and computer engineering at BU who led the research.

According to Starobinski, the same features used to authenticate or identify can be used by third parties to track users. “On the one hand, you can authenticate because you have these unique signatures of your devices. But on the other hand, you also have the issue that the same feature can be used by a third party to track you. So, it’s a double-edged sword,” he explained.

Starobinski and his team found that the problem is with the way Bluetooth devices communicate in order to establish a connection.

A central device scans for advertising signals sent by a peripheral device to indicate that it is available for connection. These signals contain a unique address, similar to a computer's IP address, and a payload carrying data about the connection.

Starobinski’s team modified a sniffing algorithm and discovered that a device can be tracked even as its address changes. The vulnerability cannot extract personal data on its own, but it can be exploited to track an individual device over large distances.

Windows and iOS devices are more susceptible to this kind of attack because they emit an identifiable signal that establishes a recognizable Bluetooth pattern.

Starobinski said the issue may be pervasive across IoT in general. For this particular vulnerability, the major challenge for device providers is to determine whether to patch the software of the central device or to additionally adjust the firmware of the peripheral devices connected over Bluetooth, such as a mouse or keyboard.

“[Bluetooth] has a complex protocol and complexity is the enemy of security. A lot of manufacturers, given the limited resources available, mostly look at the features and how we cannot consider all the possible abuses that lead to this problem,” said Starobinski.

This isn’t the first time Bluetooth has been used in an attack. In 2017 the BlueBorne flaw was discovered by device security firm Armis. BlueBorne “allows attackers to take control of devices, access corporate data and networks, penetrate secure ‘air-gapped’ networks, and spread malware laterally to adjacent devices,” according to the Armis website.

“Who knows what people will use Bluetooth for in the future? Generally, making our technological foundations secure now makes it easier to build awesome stuff in the future with some confidence in the shoulders we stand on,” said Jeff Williams, OWASP founder and the co-founder and CTO of Contrast Security.

“There are tons of ways to track people, with or without Bluetooth,” said Johannes Becker, a BU graduate researcher on the team. “It’s always good to be aware of the kind of signals you’re sending out, especially in the age of IoT.”