Newly discovered Bluetooth exploit tracks iOS, macOS devices
Researchers have identified a weakness in how Bluetooth Low Energy (BLE) advertising is used by iOS, macOS, and Windows 10 that may expose users of those platforms to device tracking.

The technique could be used to track users despite the address randomization the operating systems already apply. Currently, the flaw is thought to affect devices running Windows 10, macOS, and iOS, which includes iPhones, iPads, MacBooks and iMacs, Apple Watches, and Windows 10 laptops and tablets. The news comes months after the disclosure of the "Torpedo" location detection exploit.
According to ZDNet, David Starobinski and Johannes Becker, two researchers from Boston University, presented their results at the 19th Privacy Enhancing Technologies Symposium in Stockholm, Sweden.
Their research shows that many Bluetooth devices advertise their presence under randomized MAC addresses precisely to prevent long-term tracking, but that this randomization can be circumvented, allowing a specific device to be monitored continuously.
Platform-specific identifying tokens are transmitted alongside the randomized addresses, and because the tokens do not change in step with the address, an algorithm developed at Boston University, the address-carryover algorithm, can link a device's old and new addresses by way of a token that persists across the change. According to the research paper, "The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic."
In their experiments, the researchers tested Apple and Microsoft devices, analyzing BLE advertising channels and advertising events at normal Bluetooth ranges. Advertising log files were collected passively over a period of time, and from that data the researchers were able to find device ID tokens.
"We identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range," the paper reads.
These tokens can then be fed into the algorithm to track devices across address changes.
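To make the carry-over concrete, here is an added Python example; it is not the researchers' code and is not derived from the paper's tooling. It runs the idea over a constructed advertising log: it parses the AD structures of each advertising payload, pulls an identifying token out of the Manufacturer Specific Data structure, and attaches a newly seen random address to a known device whenever that address carries a token seen moments earlier under the device's previous address. The token layout (a 2-byte company id followed by a 4-byte token) is a hypothetical one chosen for this demo, the company id 0xFFFF is the Bluetooth SIG test value standing in for a real vendor, and the three advertisers in the trace are simulated. The third advertiser rotates address and token in the same instant, which is exactly the case where the linking fails.

```python
"""Address-carryover over passively captured BLE advertising events.

Added example, not the Boston University researchers' code. Each log record is
(timestamp_s, advertiser_address, raw_advertising_payload). The token layout
inside the Manufacturer Specific Data structure is hypothetical (2-byte
company id, then a 4-byte identifying token). The trace is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

AD_TYPE_MANUFACTURER = 0xFF   # Manufacturer Specific Data (Bluetooth Assigned Numbers)
COMPANY_ID_TEST = 0xFFFF      # company id reserved for testing; stands in for a vendor


def parse_ad_structures(payload: bytes) -> dict:
    """Split an advertising payload into {ad_type: data}. Each structure is
    <length><ad_type><data...>, where length covers ad_type plus data."""
    out, i = {}, 0
    while i + 1 < len(payload):
        length = payload[i]
        if length == 0:
            break
        out[payload[i + 1]] = bytes(payload[i + 2 : i + 1 + length])
        i += 1 + length
    return out


def extract_token(payload: bytes) -> Optional[bytes]:
    """Return the hypothetical 4-byte identifying token, or None if absent."""
    mfr = parse_ad_structures(payload).get(AD_TYPE_MANUFACTURER)
    if mfr is None or len(mfr) < 6:
        return None
    return mfr[2:6]


@dataclass
class TrackedDevice:
    device_id: int
    addresses: List[str] = field(default_factory=list)
    tokens: Set[bytes] = field(default_factory=set)
    last_seen: float = 0.0


def track(events: List[Tuple[float, str, bytes]], max_gap: float = 600.0) -> List[TrackedDevice]:
    """Link random addresses across rotations using only the public address and
    the unencrypted payload. A device is recognised by its current address;
    when an unknown address appears carrying a token recently seen under a
    different address, the new address is attached to that device (the
    carry-over). If address and token rotate in the same instant the chain
    breaks and a new record is started, which is what a synchronised
    implementation achieves (device C below)."""
    devices: List[TrackedDevice] = []
    by_addr: dict = {}
    by_token: dict = {}
    for t, addr, payload in sorted(events):
        token = extract_token(payload)
        dev = by_addr.get(addr)
        if dev is None and token is not None:
            cand = by_token.get(token)
            if cand is not None and t - cand.last_seen <= max_gap:
                dev = cand                       # token carried over to a fresh address
                dev.addresses.append(addr)
                by_addr[addr] = dev
        if dev is None:                          # genuinely new (or unlinkable) device
            dev = TrackedDevice(len(devices) + 1, [addr])
            devices.append(dev)
            by_addr[addr] = dev
        if token is not None:
            dev.tokens.add(token)
            by_token[token] = dev
        dev.last_seen = t
    return devices


def make_payload(token: bytes) -> bytes:
    """Flags AD structure followed by a Manufacturer Specific Data structure."""
    flags = bytes([0x02, 0x01, 0x06])
    mfr = bytes([3 + len(token), AD_TYPE_MANUFACTURER]) + COMPANY_ID_TEST.to_bytes(2, "little") + token
    return flags + mfr


def simulate(prefix: str, addr_period: int, addr_offset: int, token_period: int,
             token_seed: int, duration: int = 7200, step: int = 60):
    """Constructed advertiser whose address and token rotate on independent timers."""
    evs = []
    for t in range(0, duration, step):
        addr = f"{prefix}:{((t + addr_offset) // addr_period) & 0xFF:02x}"
        token = (token_seed + t // token_period).to_bytes(4, "big")
        evs.append((float(t), addr, make_payload(token)))
    return evs


def build_trace() -> List[Tuple[float, str, bytes]]:
    """Two-hour constructed capture of three advertisers in range."""
    return (simulate("4e:a1:00:00:01", 900, 0, 1400, 0x11110000)      # A: async rotation
            + simulate("4e:b2:00:00:02", 900, 450, 1100, 0x22220000)  # B: async, offset timers
            + simulate("4e:c3:00:00:03", 900, 0, 900, 0x33330000))    # C: address and token in step


if __name__ == "__main__":
    for d in track(build_trace()):
        print(f"device {d.device_id}: {len(d.addresses)} addresses, {len(d.tokens)} tokens")
```

On this trace, advertisers A and B each collapse into a single tracked record spanning every address they used, while C, whose token changes at the same instant as its address, splits into one record per address and cannot be followed. The `max_gap` window is a heuristic of this demo, not something from the paper: it stops a token seen after a long silence from being linked to an old record.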
While iOS, macOS, and Windows 10 systems are affected, Android appears immune because the OS does not continually send out these advertising messages, so it handles identifying tokens differently.
Exploits have caused trouble for Apple in the past, including the now-fixed FaceTime bug that allowed callers to hear someone's audio before they answered the call. Continued pressure from lawmakers will likely have Apple and Microsoft searching for a fix.

Comments
Well, that's a thread killer. I doubt very many here will acknowledge even reading this article by commenting on it if Android is safe from the exploit but some Apple OSes aren't.
"We identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range," the paper reads.
Those custom data structures will be modified or removed in the next system update then the “research” will become irrelevant.
What is the range of Bluetooth LE? 9 meters or so? The victim’s location must be bugged to collect those continuous traffic logs. And the collecting van must park as closely as possible to the victim’s location during that loooong collection task...
Last I knew Apple's default setting is to leave Bluetooth on, I suppose to allow interaction with beacons. At least at one point Apple devices, under certain conditions, would turn it back on even after the user had disabled it. Might be worth checking before using your device in a public setting.
@macplusplus , congrats on willingness to comment. Respect...
The fact that Android devices are ‘immune,’ as the article states tells me this is something specific to the Bluetooth routines that Apple and Microsoft use. It also means it should be a relatively easy patch, since there is theoretically already a solution in use. Macplusplus is probably right that a patch will be forthcoming in one of the OS upgrades.
In the scheme of things, I’m not terribly worried about this. It allows tracking, but for cellular devices, that data is already there, whether you have BT turned on or not. That’s a much bigger issue, IMO.
EDIT:
Well, that took all of about a minute to research, @pscooter63:
"Android is immune as the OS does not continually send out advertising messages, the researchers said." Apple and Microsoft devices do. As such the fix should be easy enough IMO: Do as Android, stop continuous broadcast.
Oh really? Pretense of what?
It's nice to see Android not being the weakest security link. I wonder what is different about their algorithm. It seems like this is simply a case of Apple and MS not using system resources to fully randomize the address token, but why?
Of more interest is why you "think" this bothers others, and why you're enjoying this bit of news so much? NVM, I already know. With Android being a cesspool of poor security and privacy and getting hammered in the news regularly about it (there were just another bunch of Apps in Google Play that had to get the boot yet AGAIN) you have to enjoy these tiny victories when they come, being that they are so few and far between. So feel free to blow this out of proportion to increase your satisfaction level.
Remember Meltdown/Spectre? The vast majority of Android devices with Samsung, Qualcomm or other processors based on ARM cores were essentially immune, while Apple A Series processors were susceptible. The first knee-jerk reaction was that Apple processors were inferior. I can see the rush to claim this, as Apple is years ahead in processor design, and Android users would love to be able to claim there was something wrong with them. It's actually backwards: ARM processor cores were so simple that they couldn't be attacked, since these hacks revolved around things like speculative execution. Apple A Series processors are far ahead of ARM in this regard and are more like Intel desktop processors. Therefore they were susceptible to the attacks. Only ARM processors with the newest A75 cores were susceptible. What this really proved is that it took ARM all the way until the A75 to catch up to Apple from years before.
I don't know enough about this Bluetooth issue to say if it's a similar situation (more advanced use of technology/features), but the rest is similar (Apple has a bug Android doesn't therefore Android must be better).
So, right now, noteworthy but not alarming. As already pointed out, your mobile service provider has more information than that about you.
Still, the fact that Android is not susceptible to this particular technique is interesting. It's unclear if Android simply does not provide "platform-specific interaction" with other Bluetooth devices, or whether it uses generic data structures to do so. Using custom data structures, as Apple and MS have chosen to do, has benefits (at a guess, greater information density that would reduce transmission times and energy requirements) but the researchers have shown an unintended side effect.
The gist of the vulnerability is that you probably don't want devices to broadcast a unique identifier that's permanently linked to a specific hardware device instance, like its MAC id, as was done in earlier versions of Bluetooth (things that made sense back in the days when just getting stuff to work together was a victory and almost nobody worried about security or privacy). To avoid the MAC id issue, newer versions of Bluetooth make use of a randomized token that has an implementation-specific lifetime. In the case of iOS, macOS, Windows, and other Bluetooth implementations these tokens are being kept around too long or not recycled.
Yes, there is a block of data in the unencrypted part of the advertising/broadcast protocol in which device vendors can embed whatever bits of data they'd like. There's nothing preventing device vendors from encrypting or obfuscating whatever they put in their data block, because it doesn't have to be interpreted by the protocol. It's just a blob of bits. If device vendors put easily readable and sensitive information in their data block, they've created a problem for their users, but they can easily fix their problem without disturbing the underlying BTLE protocol in any way (as other posters have noted).
If you expect people here to care about your knockoff as much as we do Apple platforms, you don’t understand people very well. That would be like me going to a rival sporting team website and asking why they don’t care about my team. Durr.