Mobile devices using Bluetooth are vulnerable to a flaw that could allow attackers to track a user’s location, according to a new study. The research centers on Bluetooth Low Energy (BLE), a type of Bluetooth that consumes less energy than Bluetooth Classic (the previous generation of Bluetooth). Thanks to smartwatches and smartphones, billions of people rely on this type of wireless communication for everything from entertainment and sports to retail and healthcare.
However, Yue Zhang, a lead author of the study and a PhD student in computer science and engineering at Ohio State University, said that users’ privacy may be at risk due to a design flaw in the Bluetooth protocol. Zhang recently presented the results at the ACM Conference on Computer and Communications Security (ACM CCS 2022). The study also received a “best paper” honorable mention at the conference.
Zhang and his advisor, Zhiqiang Lin, professor of computer science and engineering at Ohio State, demonstrated the threat by testing four BLE development boards as well as more than 50 Bluetooth devices on the market. They reported the bug to key stakeholders in the Bluetooth industry, including the Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards; hardware vendors such as Texas Instruments and Nordic; and operating system vendors such as Google, Apple, and Microsoft.
Google considered their findings a serious design flaw and awarded the researchers a bug bounty. The good news is that Zhang and Lin have also developed a potential solution to the problem, which they have successfully tested. Bluetooth devices have MAC addresses, a string of random numbers that uniquely identifies them on the network. Approximately every 20 milliseconds, an idle BLE device sends a signal advertising its MAC address to other nearby devices to which it can connect.
The research identifies a flaw that could allow attackers to observe how these devices interact with the network and then collect and analyze data to passively or actively compromise user privacy.
“This is a new finding that no one had noticed before,” said Zhang. “By linking the MAC address to the device’s location, we show that an attacker may not be able to see you physically, but will know you are at that location.”
One of the reasons researchers are worried about this scenario is that a compromised MAC address can be used by an attacker to track a user’s behavior, reconstruct the user’s past whereabouts, and even, through a replay attack, determine the user’s real-time location.
“The Bluetooth SIG has certainly recognized the threat of MAC address tracking and has been using a solution called MAC address randomization since 2010 to protect devices from being tracked by attackers,” Lin said.
Later, in 2014, Bluetooth introduced a new feature called whitelisting (allowlisting), which allows only approved devices to connect and prevents unknown devices from accessing a private device. But according to the research, this whitelist feature actually offers a side channel for device tracking.
Zhang and Lin created a new attack strategy they call Bluetooth Address Tracking (BAT) to prove that the new tracking threat is real. Using a customized smartphone, the researchers tested the attack against more than 50 Bluetooth devices, most of which were their own, and showed that in a BAT attack an attacker was able to connect by replaying the victim’s captured data, even with frequent MAC address randomization.
There is currently no defense against BAT attacks in the standard, but the team has built a prototype defense against them. Their solution, called Secure Address for BLE (SABLE), adds an unpredictable sequence number, essentially a timestamp, to the randomized address so that each MAC address can be used only once, preventing replay attacks. The study noted that this successfully prevented the attacker from connecting to the victim’s device.
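To make the mechanism concrete, here is a small simulation, written for this article and not code from the paper or from any BLE stack, of the side channel and the SABLE-style fix described above. It assumes a simplified address format (a random part plus a 24-bit keyed hash over it, mirroring the shape of a BLE resolvable private address) and a peripheral whose allowlist holds the identity keys of its bonded centrals; the classes, names and the sequence-number layout are constructed for illustration. It shows why rotating the random address alone does not help once an old address has been observed, and how binding a monotonically increasing sequence number into the address lets the peripheral reject a reused one.

```python
"""Toy model of the allowlist side channel and a SABLE-style countermeasure.

Constructed for illustration only: not the paper's code and not a real BLE stack.
Addresses are Python tuples; the 24-bit HMAC tag stands in for the hash half of a
BLE resolvable private address (random part + keyed hash under the identity key).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _tag(irk: bytes, data: bytes) -> bytes:
    """24-bit keyed hash, playing the role of the hash part of a resolvable address."""
    return hmac.new(irk, data, hashlib.sha256).digest()[:3]


@dataclass
class Central:
    """A phone-like device that periodically rotates its advertised address."""
    irk: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    seq: int = 0  # SABLE sequence number (the article describes it as essentially a timestamp)

    def new_address(self, sable: bool) -> tuple:
        prand = secrets.token_bytes(3)
        if not sable:
            # Legacy randomized address: every address ever derived from the IRK stays resolvable.
            return ("legacy", prand, _tag(self.irk, prand))
        self.seq += 1
        # SABLE-style address: the sequence number is bound into the hash, so it cannot be edited.
        return ("sable", self.seq, prand, _tag(self.irk, self.seq.to_bytes(4, "big") + prand))


@dataclass
class Peripheral:
    """A peripheral that only accepts bonded centrals; the allowlist holds their IRKs."""
    allowlist: list
    last_seq: dict = field(default_factory=dict)  # IRK -> highest sequence number accepted

    def accepts(self, addr: tuple) -> bool:
        """Whether a connection attempt from `addr` would be accepted.

        This yes/no answer is the side channel: whoever presents a captured address
        learns whether this peripheral is bonded to the address's owner.
        """
        if addr[0] == "legacy":
            _, prand, tag = addr
            return any(hmac.compare_digest(_tag(irk, prand), tag) for irk in self.allowlist)
        _, seq, prand, tag = addr
        for irk in self.allowlist:
            if hmac.compare_digest(_tag(irk, seq.to_bytes(4, "big") + prand), tag):
                # Resolved to a bonded peer, but a sequence number at or below the last
                # accepted one means the address has already been used: treat it as a replay.
                if seq <= self.last_seq.get(irk, 0):
                    return False
                self.last_seq[irk] = seq
                return True
        return False


def demo() -> dict:
    """Capture-and-replay against a legacy peripheral (leaks) and a SABLE peripheral (does not)."""
    alice, bob = Central(), Central()
    alice_watch = Peripheral(allowlist=[alice.irk])
    bob_watch = Peripheral(allowlist=[bob.irk])

    # Legacy: one of Alice's addresses is observed, Alice rotates, the old address is presented again.
    captured = alice.new_address(sable=False)
    alice_watch.accepts(captured)                       # the genuine connection
    alice.new_address(sable=False)                      # Alice's phone moves to a fresh address
    legacy_leak = alice_watch.accepts(captured)         # old address still resolves -> True
    legacy_wrong_device = bob_watch.accepts(captured)   # Bob's watch is not bonded to Alice -> False

    # SABLE: the same capture-and-replay against a sequence-number-aware peripheral.
    captured = alice.new_address(sable=True)
    sable_first_use = alice_watch.accepts(captured)     # genuine connection -> True
    sable_replay = alice_watch.accepts(captured)        # reuse of a spent address -> False
    sable_fresh = alice_watch.accepts(alice.new_address(sable=True))  # Alice's next address -> True
    sable_stale = alice_watch.accepts(captured)         # still rejected afterwards -> False

    return dict(legacy_leak=legacy_leak, legacy_wrong_device=legacy_wrong_device,
                sable_first_use=sable_first_use, sable_replay=sable_replay,
                sable_fresh=sable_fresh, sable_stale=sable_stale)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the simulation makes is that the leak is not in the randomization itself but in the peripheral's willingness to resolve any address ever derived from a bonded key; keeping per-peer state about the highest sequence number seen is what turns a captured address into a one-time token.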
The results of their experiments showed that SABLE only slightly affects battery consumption and overall device performance, and Lin hopes to use the new attack and countermeasure to raise awareness in the community. “The lesson learned from this study is that when you add new features to existing designs, you have to revisit previous assumptions to see if they still hold.”