Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/17/2019
03:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Bluetooth Bug Enables Tracking on Windows 10, iOS & macOS Devices

Researchers discover a third-party algorithm in multiple high-profile Bluetooth devices exposes users to third-party tracking and data access.

A team of Boston University researchers has discovered a vulnerability in several modern, high-profile Bluetooth devices that can make location and other sensitive data available to third parties.

The vulnerability exists in devices running Windows 10, iOS, and macOS, as well as Fitbit and Apple Watch smartwatches, reports David Starobinski, professor of electrical and computer engineering in the Boston University College of Engineering, and Johannes Becker, a Ph.D. candidate and graduate researcher. They discovered the bug while exploring ways to capture Bluetooth traffic.

"It came by accident when we started to analyze the data," Starobinski says. While researching wireless security and privacy using software-defined radio, they discovered they could track devices that were supposed to be anonymizing their identity to protect the user's location.

Bluetooth Low Energy (BLE), a fairly recent variant of Bluetooth, uses nonencrypted advertising channels to announce a device's presence to other Bluetooth devices. The use of these public channels initially sparked privacy concerns; to address those, devices may use a randomized, periodically changing address instead of their permanent Media Access Control (MAC) address. Manufacturers can decide when, and how often, to randomize the unique address of a device.

"It's a new feature Bluetooth LE introduced to prevent tracking," says Becker. Because BLE lets devices continuously broadcast their presence, randomization is intended to ensure third parties don't track a single address. But researchers found an oversight in this methodology that would allow attackers to track the device type or other data from a manufacturer. Even as randomization changes the device's address, some identifiers of a device don't change with it.

When two Bluetooth devices connect, the "central" device — an iPhone, for example — scans for signals sent by a peripheral device to see if it's available to connect. These signals, or advertisements, contain the device's random address and information about the connection. Researchers found this data updates at a different rate than the random address; as a result, attackers could potentially detect a pattern in the communication between Bluetooth devices.

"In this data that is typically sent in these advertising messages, we found that even without trying to reverse engineer what is in this data, or what this data is for … we can identify chunks in the advertising data that we can abuse as secondary identifiers, whether or not they were meant as identifiers," Becker explains. Data unique to the device could appear random to a bystander but if it remains persistent, it can be treated as an identifier by a cybercriminal.

"If the advertising address is randomized but payloads aren't randomized at the same time, we can use these payload pieces as identifiers to jump to the next random address," Becker says, explaining how a specific device can be tracked over time.

To test their findings on third-party devices, the team used a modified version of a BLE "sniffer" algorithm, which passively listens to Bluetooth advertisements and doesn't actively engage in communication. They found Android devices aren't vulnerable to this type of exploitation as they don't transmit advertising messages containing suitable identifying tokens. However, people using iOS, macOS, Windows 10, and Fitbit devices are exposed, they report.

"We don't exploit any flaws in randomization, but we exploit the fact that some payloads stay constant while the address changes are unique enough to jump to the next address," Becker adds. "For some devices we can extend trackability well beyond what the manufacturer intended." The bug doesn't put personal data at risk; however, researchers warn of the feasibility of BLE-based botnets or large-scale tracking via compromised Wi-Fi routers.

This vulnerability affects different devices in different ways. Windows devices, for example, randomize the address regularly and the content of advertising messages changes every hour or so, says Becker. iOS and macOS devices structure their signals in a different way and can have different types of content. Wearables and Internet of Things devices like Fitbits and smart pens don't show address randomization, a sign that attackers wouldn't need the algorithm to track them.

Becker says researchers did responsible disclosure with Microsoft and Apple in the fall. Both acknowledge this as a problem but have not yet addressed it.

From a technical perspective, this is "actually pretty easy to exploit," says Becker. While researchers were able to test their methodology on devices in their natural state, they couldn't detect whether this is happening in the wild because "it's an entirely passive attack," he adds. It's impossible for people to tell whether their devices are being tracked in this way.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/22/2019 | 8:19:41 AM
Similar problems identified earlier

BlueBorne Attack Highlights Flaws in Linux, IoT Security (Past Article about Bluetooth)

It seems there is some level of consistency from Windows and Linux, so this tells me that the Bluetooth protocol is flawed, we need to include encryption as part of the communication process to ensure secured communication between the receiver and sender.

 
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5034
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
CVE-2019-5035
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...
CVE-2019-5036
PUBLISHED: 2019-08-20
An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially cr...
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...