Columbus, Ohio - Bluetooth devices are susceptible to attacks that exploit a flaw to track a user’s location. Researchers from Ohio State University reveal that attackers can interact with the network and collect a user’s private data.
Bluetooth on smartphones and smartwatches helps millions of people communicate wirelessly, whether it’s talking, texting, shopping, or just keeping up with sports and entertainment. Yue Zhang, lead author of the study, says the tracking threat is the result of a design flaw in the technology. Zhang and his adviser, Zhiqiang Lin, were able to verify the threat by testing more than 50 devices on the market and four development boards for Bluetooth Low Energy (BLE), the variant of Bluetooth that consumes less power. They created an attack strategy called Bluetooth Address Tracking (BAT) and used a customized smartphone to attack the devices.
Bluetooth devices have MAC addresses, strings of random, unique numbers that identify them on a network so that devices can connect to each other. Compromised MAC addresses make users vulnerable to replay attacks, which can help attackers monitor the behavior of a device’s user, even in real time.
“Bluetooth SIG has certainly been made aware of the threat of MAC address tracking, and to protect devices from being tracked by bad actors, a solution called MAC address randomization has been used since 2010,” Lin explains in a university release.
The researchers reported the issue to the Bluetooth Special Interest Group (SIG), which oversees Bluetooth standards, to hardware vendors including Texas Instruments and Nordic, and to operating system vendors including Google, Apple and Microsoft. Google was especially grateful for the discovery, rating the findings as high-severity and offering the researchers a bug bounty award.
“This is a new discovery that no one had ever noticed before,” says Zhang. “We show that by broadcasting a MAC address to the device’s location, an attacker may not be able to physically see you, but will know you are in the area.”
In 2014, Bluetooth announced a new feature called “allowlist” that lets only trusted devices connect and keeps private devices from accessing unknown devices. Unintentionally, this feature provides a side channel that acts as a gateway for device tracking. Fortunately, Zhang and Lin have a possible solution. The team developed a prototype that thwarts this attack, called Securing Address for BLE (SABLE). It adds an unpredictable set of numbers to the random address, so that each MAC address can be used only once and cannot be tracked.
With this prototype, the researchers were able to stop attackers. Additionally, the prototype has minimal downsides, only slightly reducing battery life and overall performance.
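The one-time-address idea described above can be illustrated with a simplified model; this is an added example, not SABLE's code or anything published by the researchers. It assumes a shared key between paired devices, uses HMAC-SHA256 as a stand-in for the AES-based address hash that BLE actually uses, and all names (`AllowlistPeer`, `responds_to`, `replay_gets_response`) are hypothetical.

```python
import hashlib
import hmac
import os

def addr_hash(key: bytes, prand: bytes) -> bytes:
    """24-bit tag binding prand to a shared key (HMAC-SHA256 stand-in)."""
    return hmac.new(key, prand, hashlib.sha256).digest()[:3]

def make_address(key: bytes) -> bytes:
    """Build a 6-byte randomized address: 3 random bytes + 3-byte tag."""
    prand = os.urandom(3)
    return prand + addr_hash(key, prand)

class AllowlistPeer:
    """Model of a device that only responds to addresses it can resolve."""

    def __init__(self, keys, one_time: bool):
        self.keys = list(keys)
        self.one_time = one_time
        self.seen = set()  # addresses already accepted once

    def responds_to(self, addr: bytes) -> bool:
        prand, tag = addr[:3], addr[3:]
        known = any(hmac.compare_digest(addr_hash(k, prand), tag)
                    for k in self.keys)
        if not known:
            return False          # unknown device: ignored
        if self.one_time and addr in self.seen:
            return False          # replayed address: treated as unknown
        self.seen.add(addr)
        return True

def replay_gets_response(one_time: bool) -> bool:
    """Return True if a replayed address still draws a response."""
    key = bytes(range(16))        # constructed sample key
    peer = AllowlistPeer([key], one_time)
    addr = make_address(key)
    first = peer.responds_to(addr)    # legitimate first use
    replay = peer.responds_to(addr)   # same bytes sent again later
    return first and replay

if __name__ == "__main__":
    print("without one-time check:", replay_gets_response(False))
    print("with one-time check:   ", replay_gets_response(True))
```

Without the one-time check, the peer's different reaction to a replayed known address versus an unknown one is the observable signal; with the check, both are ignored alike.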
“The lesson learned from this study is that when you add new functionality to existing designs, you need to revisit previous assumptions to see if they still hold,” Lin concludes.
Zhang presented these findings at the ACM Computer and Communications Security Conference (ACM CCS 2022).