Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/17/2019
03:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Bluetooth Bug Enables Tracking on Windows 10, iOS & macOS Devices

Researchers discover a third-party algorithm in multiple high-profile Bluetooth devices exposes users to third-party tracking and data access.

A team of Boston University researchers has discovered a vulnerability in several modern, high-profile Bluetooth devices that can make location and other sensitive data available to third parties.

The vulnerability exists in devices running Windows 10, iOS, and macOS, as well as Fitbit and Apple Watch smartwatches, reports David Starobinski, professor of electrical and computer engineering in the Boston University College of Engineering, and Johannes Becker, a Ph.D. candidate and graduate researcher. They discovered the bug while exploring ways to capture Bluetooth traffic.

"It came by accident when we started to analyze the data," Starobinski says. While researching wireless security and privacy using software-defined radio, they discovered they could track devices that were supposed to be anonymizing their identity to protect the user's location.

Bluetooth Low Energy (BLE), a fairly recent variant of Bluetooth, uses nonencrypted advertising channels to announce a device's presence to other Bluetooth devices. The use of these public channels initially sparked privacy concerns; to address those, devices may use a randomized, periodically changing address instead of their permanent Media Access Control (MAC) address. Manufacturers can decide when, and how often, to randomize the unique address of a device.

"It's a new feature Bluetooth LE introduced to prevent tracking," says Becker. Because BLE lets devices continuously broadcast their presence, randomization is intended to ensure third parties don't track a single address. But researchers found an oversight in this methodology that would allow attackers to track the device type or other data from a manufacturer. Even as randomization changes the device's address, some identifiers of a device don't change with it.

When two Bluetooth devices connect, the "central" device — an iPhone, for example — scans for signals sent by a peripheral device to see if it's available to connect. These signals, or advertisements, contain the device's random address and information about the connection. Researchers found this data updates at a different rate than the random address; as a result, attackers could potentially detect a pattern in the communication between Bluetooth devices.

"In this data that is typically sent in these advertising messages, we found that even without trying to reverse engineer what is in this data, or what this data is for … we can identify chunks in the advertising data that we can abuse as secondary identifiers, whether or not they were meant as identifiers," Becker explains. Data unique to the device could appear random to a bystander but if it remains persistent, it can be treated as an identifier by a cybercriminal.

"If the advertising address is randomized but payloads aren't randomized at the same time, we can use these payload pieces as identifiers to jump to the next random address," Becker says, explaining how a specific device can be tracked over time.

To test their findings on third-party devices, the team used a modified version of a BLE "sniffer" algorithm, which passively listens to Bluetooth advertisements and doesn't actively engage in communication. They found Android devices aren't vulnerable to this type of exploitation as they don't transmit advertising messages containing suitable identifying tokens. However, people using iOS, macOS, Windows 10, and Fitbit devices are exposed, they report.

"We don't exploit any flaws in randomization, but we exploit the fact that some payloads stay constant while the address changes are unique enough to jump to the next address," Becker adds. "For some devices we can extend trackability well beyond what the manufacturer intended." The bug doesn't put personal data at risk; however, researchers warn of the feasibility of BLE-based botnets or large-scale tracking via compromised Wi-Fi routers.

This vulnerability affects different devices in different ways. Windows devices, for example, randomize the address regularly and the content of advertising messages changes every hour or so, says Becker. iOS and macOS devices structure their signals in a different way and can have different types of content. Wearables and Internet of Things devices like Fitbits and smart pens don't show address randomization, a sign that attackers wouldn't need the algorithm to track them.

Becker says researchers did responsible disclosure with Microsoft and Apple in the fall. Both acknowledge this as a problem but have not yet addressed it.

From a technical perspective, this is "actually pretty easy to exploit," says Becker. While researchers were able to test their methodology on devices in their natural state, they couldn't detect whether this is happening in the wild because "it's an entirely passive attack," he adds. It's impossible for people to tell whether their devices are being tracked in this way.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/22/2019 | 8:19:41 AM
Similar problems identified earlier

BlueBorne Attack Highlights Flaws in Linux, IoT Security (Past Article about Bluetooth)

It seems there is some level of consistency from Windows and Linux, so this tells me that the Bluetooth protocol is flawed, we need to include encryption as part of the communication process to ensure secured communication between the receiver and sender.

 
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13157
PUBLISHED: 2019-11-22
nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive.
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...