Bluetooth technology is used by millions of devices every day: your smart speaker, the link between your mobile phone and your in-car system, or simply a pair of wireless Bluetooth headphones. It is everywhere and it is used constantly.
There are three classes of Bluetooth device, with ranges varying from around 100m (commercial) down to 1m.
Bluetooth uses the ISM radio band, and every Bluetooth device is both a receiver and a transmitter, so it can simultaneously send and receive wireless signals to and from other Bluetooth gadgets.
Bluetooth works by using radio waves from short-range transmitters. This is a big advantage over similar technology such as Wi-Fi, which uses the same radio technology but with longer ranges, and is therefore more exposed and easier to attack.
Up to 8 Bluetooth devices can communicate at any one time over one of the 79 channels, creating their own mini computer network. A ‘master’ device sends out a signal to compatible ‘slave’ devices and a connection is established. They keep the connection secure by shifting the frequency they are using thousands of times a second.
But is it safe and secure to use Bluetooth?
Every Bluetooth device has a unique 48-bit address, usually presented as a 12-digit hexadecimal value such as ‘D4:38:9C:9C:36:51’.
Creating a Bluetooth connection between two devices takes three steps: inquiry, connecting and the connection itself. It is the inquiry stage that can pose a threat to the security of your device.
How is Bluetooth vulnerable?
Bluetooth-enabled devices advertise themselves to other Bluetooth devices on publicly available channels, dubbed “advertising channels”. This shows that they are available for pairing and makes connecting with other devices easy.
Previously a device’s permanent Bluetooth MAC address was broadcast in these clear advertising channels, leading to major privacy concerns and the subsequent potential for device-tracking.
To remove this problem, device manufacturers were permitted to have the Bluetooth devices they manufacture use temporary random addresses, rather than the device’s permanent address, when trying to make a connection with other equipment.
However, many devices also use dynamic identifying tokens, which are again unique to a specific gadget and remain static long enough to serve as secondary identifiers alongside the random addresses. Researchers at Boston University found that they were able to track devices successfully because of this flaw.
One identifying token could be linked with a current address as well as the next random address assigned to the device. This provides a bridge between randomised addresses that can be followed by an attacker.
How did the researchers do it?
The team used a ‘packet sniffer’ to analyse the traffic on the advertising channels, applying an address-carryover algorithm. The algorithm listened to the addresses and tokens as they were broadcast on the advertising channels by devices trying to make a Bluetooth connection.
Once the tokens had been identified for a specific device and the advertising address changed, a match was attempted using any of the captured identifying tokens. On a successful match, the identity of the device was updated with the incoming address, so the device was tracked across addresses.
Apple, Microsoft and iPhone devices were tested; not all devices were susceptible to this flaw, and Android devices were found not to be affected at all. According to the report, the algorithm succeeded consistently on Windows 10 and less frequently on Apple operating systems. Apple devices have the ability to synchronise updates of identifying tokens with address randomisation, but they occasionally fail. Any device is vulnerable to the carry-over algorithm if it does not change all of its identifying tokens in sync with the advertising address.
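The carry-over matching described above is easy to misjudge from prose alone, so here is an added worked example (not code from the article or from the Boston University researchers) that a device maker or privacy tester could run over their own device’s captured advertising stream to check whether tokens rotate in sync with the address. The capture is constructed inline: device A rotates its address but keeps its token for a few seconds, device B rotates address and token together. The `Advert` record layout, the token strings and the 60-second matching window are assumptions of this example, not values from the page.

```python
"""Linkability check for randomised BLE advertising addresses (added example)."""
import re
from dataclasses import dataclass, field

# 'D4:38:9C:9C:36:51' form: six colon-separated hex octets = 48 bits
ADDR_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_bd_addr(text: str) -> int:
    """Validate the textual address form and return it as a 48-bit integer."""
    if not ADDR_RE.match(text):
        raise ValueError(f"not a Bluetooth address: {text!r}")
    return int(text.replace(":", ""), 16)


@dataclass(frozen=True)
class Advert:
    """One captured advertising packet (constructed layout, an assumption)."""
    t: float               # capture time in seconds
    addr: str              # advertising address as seen on air
    tokens: frozenset      # identifying tokens found in the payload


@dataclass
class TrackedDevice:
    """One identity the carry-over algorithm believes it is following."""
    ident: int
    addr: str
    tokens: set
    history: list = field(default_factory=list)   # (time, address) pairs


def carryover_link(adverts, window: float = 60.0):
    """Replay the address-carryover logic over a capture.

    Same address as a known identity -> same device.  Otherwise, if the new
    address carries a token seen under a recent address, bridge the two
    addresses into one identity; else start a new identity.
    """
    devices = []
    for adv in sorted(adverts, key=lambda a: a.t):
        parse_bd_addr(adv.addr)                      # reject malformed input
        match = next((d for d in devices if d.addr == adv.addr), None)
        if match is None:
            match = next((d for d in devices
                          if d.tokens & adv.tokens
                          and adv.t - d.history[-1][0] <= window), None)
        if match is None:
            match = TrackedDevice(len(devices), adv.addr, set())
            devices.append(match)
        match.addr = adv.addr
        match.tokens = set(adv.tokens)               # tokens currently advertised
        match.history.append((adv.t, adv.addr))
    return devices


def linked_addresses(device: TrackedDevice):
    """Distinct addresses bridged into one identity, in order of first sight."""
    return list(dict.fromkeys(addr for _, addr in device.history))


def linkable_identities(devices):
    """Identities followed across more than one address: the privacy failure."""
    return [d.ident for d in devices if len(linked_addresses(d)) > 1]


# Constructed capture (not real traffic). A keeps token "a1" across an address
# change at t=15 and rotates it late; B rotates address and token together.
SAMPLE_CAPTURE = [
    Advert(0.0,  "4A:11:22:33:44:55", frozenset({"a1"})),   # A
    Advert(0.0,  "7D:66:77:88:99:AA", frozenset({"b1"})),   # B
    Advert(10.0, "4A:11:22:33:44:55", frozenset({"a1"})),   # A
    Advert(15.0, "5B:11:22:33:44:56", frozenset({"a1"})),   # A: new address, old token
    Advert(15.0, "4E:66:77:88:99:AB", frozenset({"b2"})),   # B: new address and new token
    Advert(20.0, "5B:11:22:33:44:56", frozenset({"a2"})),   # A: token rotates too late
    Advert(30.0, "6C:11:22:33:44:57", frozenset({"a2"})),   # A: bridged again via "a2"
]

if __name__ == "__main__":
    devs = carryover_link(SAMPLE_CAPTURE)
    for d in devs:
        print(d.ident, linked_addresses(d))
    print("linkable identities:", linkable_identities(devs))
```

Device A collapses into one identity spanning three addresses, while device B’s two addresses stay as two unrelated identities: the only difference is whether the token changed in the same packet as the address, which is exactly the condition the report names. A capture from a real device can be fed in by filling `Advert` records from any sniffer output; an empty `linkable_identities` result is what a correctly randomising device should produce.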
What does this mean for the future of Bluetooth technology?
The use of Bluetooth technology is expected to grow from 4.2 to 5.2 billion devices in the next three years, with over half a billion of these new Bluetooth connections used by wearables and other data-focused connected devices.
The good news is that mainstream Bluetooth technology used in everyday items like smartphones, Bluetooth headphones or your smart watch only has a range of 10-20 metres. The bad news is that Bluetooth range can be extended using a botnet. Combine this with compromised Wi-Fi routers and the ability to track one device becomes global.
In addition, other metadata such as online transactions, facial recognition and other digital traces could easily be combined with Bluetooth tracking to generate an exact location profile of one individual.
How can I avoid this problem?
On Windows 10 devices, periodically disable the Bluetooth adapter through the Windows Device Manager and then re-enable it. This resets both the advertising address and the token. If you use an Apple device, switching Bluetooth off and on in the System Settings (or in the Menu Bar on macOS) will randomise the address and change the payload.