A Bluetooth flaw has been discovered that would allow a bad actor to track a wide range of devices — including iPhones, iPads, Macs, and Apple Watches.
Other vulnerable devices are laptops and tablets running Windows 10, and Fitbit wearables. Android devices are, however, not at risk …
TNW reports on the vulnerability discovered by Boston University researchers.
Researchers from Boston University (BU) have discovered a flaw in the Bluetooth communication protocol that could expose most devices to third-party tracking and leak identifiable data […]
The vulnerability allows an attacker to passively track a device by exploiting a flaw in the way Bluetooth Low Energy (BLE) is implemented to extract identifying tokens like the device type or other identifiable data from a manufacturer […]
To make pairing between two devices easy, BLE uses public non-encrypted advertising channels to announce their presence to other nearby devices. The protocol originally attracted privacy concerns for broadcasting permanent Bluetooth MAC addresses of devices — a unique 48-bit identifier — on these channels.
However, BLE tried to solve the problem by letting device manufacturers use a periodically changing, randomized address instead of their permanent Media Access Control (MAC) address.
The vulnerability discovered by BU researchers exploits this secondary random MAC address to successfully track a device. The researchers said the “identifying tokens” present in advertising messages are also unique to a device and remain static for long enough to be used as secondary identifiers besides the MAC address.
In other words, it’s possible to link the current random address to the next one, and thus identify it as the same device. It can then be tracked indefinitely — though only at the relatively short range of Bluetooth signals.
The researchers do have a proposed solution for the security problem.
To protect devices from address-carryover attacks, the researchers suggest device implementations should synchronize payload changes with MAC address randomizations.
With Bluetooth device adoption growing at a massive scale, they caution that “establishing tracking-resistant methods, especially on unencrypted communication channels, is of paramount importance.”
It’s unclear whether Apple and other companies affected would be able to implement this change in an over-the-air update, but in the meantime, if you are ever concerned about your device being tracked, there is a simple workaround.
Switching Bluetooth off and on in the System Settings (or in the Menu Bar on macOS) will randomize the address and change the payload.
You can read the full paper here.
The discovery follows another recent one affecting Macs: a vulnerability in several video conferencing apps that could allow the webcam to be remotely activated.