COLUMBUS, Ohio — Mobile devices that use Bluetooth are vulnerable to a glitch that could allow attackers to track a user’s location, a new study has found.
The research revolves around Bluetooth Low Energy (BLE), a type of Bluetooth that uses less energy compared to Bluetooth Classic (an earlier Bluetooth generation). Billions of people rely on smartwatches and smartphones for this type of wireless communication for all types of activities, from entertainment and sports to retail and healthcare.
However, due to a design flaw in the Bluetooth protocol, users’ privacy could be at risk, said Yue Zhang, lead author of the study and a postdoctoral researcher in computer science and engineering at The Ohio State University. Zhang recently presented the findings at the ACM Conference on Computer and Communications Security (ACM CCS 2022). The study also received an honorable mention for “best paper” at the conference.
Zhang and his advisor, Zhiqiang Lin, professor of computer science and engineering at Ohio State, proved the threat by testing over 50 Bluetooth devices on the market and four BLE development boards. They reported the bug to key stakeholders in the Bluetooth industry, including the Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards; hardware vendors such as Texas Instruments and Nordic; and operating system vendors such as Google, Apple and Microsoft. Google classified their findings as a serious design flaw and awarded the researchers a bug bounty.
But the good news is that Zhang and Lin also came up with a possible solution to the problem, which they successfully tested.
Bluetooth devices have so-called MAC addresses – a series of random numbers that uniquely identify them in a network. About every 20 milliseconds, an idle BLE device sends out a signal that advertises its MAC address to other nearby devices that it might connect to.
The study identifies a flaw that could allow attackers to observe how these devices interact with the network and then either passively or actively collect and analyze the data to violate a user’s privacy.
“This is a new finding that no one has ever noticed,” Zhang said. “We show that by broadcasting a MAC address to the device’s location, an attacker might not be able to physically see you, but they would know you were nearby.”
One of the reasons researchers are concerned about such a scenario is that a captured MAC address could be used in what is known as a replay attack, which could allow the attacker to monitor the user’s behavior, trace where the user has been in the past or even find out the real-time location of the user.
“Bluetooth SIG has certainly been made aware of the threat of MAC address tracking, and to protect devices from being tracked by bad actors, a solution called MAC address randomization has been used since 2010,” Lin said.
Later, in 2014, Bluetooth introduced a new feature called an “allow list,” which only allows approved devices to connect and prevents private devices from responding to unknown ones. But according to the study, this allow list feature actually introduces a side channel for device tracking.
Zhang and Lin proved that the new tracking threat is real by developing a novel attack strategy they dubbed Bluetooth Address Tracking (BAT). The researchers used a customized smartphone to hack into more than 50 Bluetooth devices – most of them their own devices – and showed that even with frequent MAC randomization, an attacker can still link a victim’s data through BAT attacks and replay it.
So far, BAT attacks are undefeated, but the team has prototyped a defensive countermeasure. Their solution, dubbed Securing Address for BLE (SABLE), is to add an unpredictable sequence number, essentially a timestamp, to the randomized address to ensure each MAC address can only be used once, which prevents the replay attack. The study found that attackers were successfully prevented from connecting to victim devices.
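The following is an added illustration of the SABLE idea, not code from the paper or from any Bluetooth stack: a peripheral encodes a hidden sequence number in each randomized address, and an allowlist-holding central resolves the address and refuses to respond when the sequence number has already been seen. The 48-bit layout (16-bit salt, 16-bit masked sequence number, 16-bit tag) and the use of HMAC-SHA256 in place of the BLE address-hash function are simplifying assumptions made for this example.

```python
import hmac
import hashlib
import os

# Assumed layout (not the paper's): 48-bit address = 16-bit random salt |
# 16-bit sequence number masked with a keyed value | 16-bit resolution tag.
# HMAC-SHA256 stands in for the AES-based address hash a real BLE stack uses.

def _prf(irk: bytes, data: bytes) -> bytes:
    return hmac.new(irk, data, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_address(irk: bytes, seq: int, salt=None) -> bytes:
    """Peripheral side: emit a one-time address carrying sequence number `seq`."""
    salt = salt if salt is not None else os.urandom(2)
    mask = _prf(irk, b"mask" + salt)[:2]                 # hides the counter from observers
    masked_seq = _xor(seq.to_bytes(2, "big"), mask)
    tag = _prf(irk, b"tag" + salt + masked_seq)[:2]      # lets an allowlist holder resolve it
    return salt + masked_seq + tag

class AllowlistCentral:
    """Central side: resolve addresses against the allowlist and reject replays."""
    def __init__(self, irks):
        self.last_seq = {irk: 0 for irk in irks}        # highest sequence accepted per peer

    def resolve(self, addr: bytes):
        salt, masked_seq, tag = addr[:2], addr[2:4], addr[4:6]
        for irk in self.last_seq:
            if hmac.compare_digest(_prf(irk, b"tag" + salt + masked_seq)[:2], tag):
                seq = int.from_bytes(_xor(masked_seq, _prf(irk, b"mask" + salt)[:2]), "big")
                return irk, seq
        return None

    def accept(self, addr: bytes) -> bool:
        hit = self.resolve(addr)
        if hit is None:
            return False                                 # unknown device: stay silent, as before
        irk, seq = hit
        if seq <= self.last_seq[irk]:
            return False                                 # replayed or stale address: stay silent
        self.last_seq[irk] = seq
        return True

def demo():
    irk = bytes(range(16))                               # constructed sample key
    central = AllowlistCentral([irk])
    a1 = make_address(irk, 1, salt=b"\x00\x01")
    first = central.accept(a1)                           # genuine advertisement: accepted
    replay = central.accept(a1)                          # same address replayed later: rejected
    stranger = central.accept(make_address(bytes(16), 1, salt=b"\x00\x02"))  # not on allowlist
    return first, replay, stranger
```

Because the central answers only to fresh sequence numbers, a captured address no longer draws the response that the allow list side channel relies on.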
The results of their experiment showed that SABLE only slightly affects battery drain and overall device performance, but Lin hopes to use the new attack and its countermeasure to raise awareness in the community. “The lesson from this study is that as you add new features to existing designs, you should review previous assumptions to see if they still apply.”
This work was supported by the National Science Foundation.
Contact: Zhiqiang Lin, Zlin@cse.ohio-state.edu
Written by: Tatyana Woodall.
Subject of research: When good turns bad: tracking Bluetooth low energy devices via an allowlist-based side channel and its countermeasure
Article publication date: November 7, 2022