Newly discovered Bluetooth exploit tracks iOS, macOS devices

Posted:
in General Discussion edited July 2019
Researchers have identified a flaw in the Bluetooth communication protocol that may expose iOS, macOS, and Microsoft users to device tracking.

iOS users are at risk of being tracked


The vulnerability could be used to spy on users, regardless of OS protections that are in place. Currently, it is thought that this flaw affects devices with Windows 10, macOS, and iOS. Devices affected could be iPhones, iPads, MacBooks and iMacs, Apple Watches, and any Microsoft laptop or tablet. This news has come months after the news of the "Torpedo" location detection exploit.

According to ZDnet, David Starobinski and Johannes Becker, two researchers from Boston University, presented the results of their research at the 19th Privacy Enhancing Technologies Symposium in Stockholm, Sweden.

Their research shows that many Bluetooth devices will use MAC addresses when advertising their presence to prevent long-term tracking, but it's possible to circumvent the randomization of these addresses, allowing a specific device to be permanently monitored.

Identifying tokens are issued alongside MAC addresses and an algorithm developed by Boston University -- called an address-carryover algorithm -- is able to exploit the address. According to the research paper, "The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic."

During their experiments, researchers tested Apple and Microsoft devices, analyzing BLE advertising channels and events within standard Bluetooth proximities. Over a period of time, advertising log files were passively collected, and from the data researchers were able to find device ID tokens.

"We identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range," the paper reads.

The identities can then be incorporated into an algorithm to track devices.

While iOS, macOS, and Windows 10 systems are affected, Android operating systems appear immune due to differences in handling identifying tokens.

Exploits have caused trouble for Apple in the past, including the now fixed FaceTime exploit that allowed callers to hear someones audio before they answered the call. Continued pressure from lawmakers will likely have Apple and Microsoft searching for a fix.
«1

Comments

  • Reply 1 of 26
    gatorguygatorguy Posts: 24,176member
    "While iOS, macOS, and Windows 10 systems are affected, Android operating systems appear immune due to differences in handling BLE advertising."

    Well that's a thread killer. I doubt very many here will acknowledge even reading this article by commenting on it if Android is safe from the exploit but some Apple OS'es aren't. 
    bigtdstyler82FileMakerFeller
  • Reply 2 of 26
    macplusplusmacplusplus Posts: 2,112member
    What a big discovery !

    "We identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range," the paper reads.

    Those custom data structures will be modified or removed in the next system update then the “research” will become irrelevant.

    What is the range of Bluetooth LE? 9 meters or so? The victim’s location must be bugged to collect that continuous traffic logs. And the collecting van must park to the victim’s location as closely as possible during that loooong collection task...
    edited July 2019 watto_cobra
  • Reply 3 of 26
    What a big discovery !

    "We identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range," the paper reads.

    Those custom dats structures will be modified or removed in the next system update then the “research” will become irrelevant.

    What is the range of Bluetooth LE? 9 meters or so? The victim’s location must be bugged to collect that continuous traffic logs. And the collecting van must park to the victim’s location as closely as possible during that loooong collection task...
    Hmmm, perhaps one of those new-fangled smart bulbs could have it's firmware hacked/modified to collect a log of nearby bluetooth traffic... it would be hiding in plain sight. Substitue any other smart device of your choice - lock, switch, thermostat, fan,...
    SoliFileMakerFellerchiarazorpit
  • Reply 4 of 26
    gatorguygatorguy Posts: 24,176member
    What a big discovery !

    "We identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range," the paper reads.

    Those custom dats structures will be modified or removed in the next system update then the “research” will become irrelevant.

    What is the range of Bluetooth LE? 9 meters or so? The victim’s location must be bugged to collect that continuous traffic logs. And the collecting van must park to the victim’s location as closely as possible during that loooong collection task...
    Another thing to be aware when sitting at the coffee shop working with your iPhone, iPad, or laptop?  

    Last I knew Apple's default setting is to leave Bluetooth on, I suppose to allow interaction with beacons. At least at one point Apple devices, under certain conditions, would turn it back on even after the user had disabled it. Might be worth checking before using your device in a public setting. 

    @macplusplus , congrats on willingness to comment. Respect...
    edited July 2019
  • Reply 5 of 26
    normangnormang Posts: 118member
    Bluetooth is on by default probably because millions of users connect headphones and Apple Watches to their devices, as well as other electronics to long to be listed.. Somehow this does not seem like a big issue and will now be fixed in some fashion in IOS13 and perhaps even in 12.4.
    watto_cobra
  • Reply 6 of 26
    pscooter63pscooter63 Posts: 1,080member
    OK, @Gatorguy, why do you think Android lacks this exploit to begin with?  Perhaps because they're generally lagging behind in advanced BLE implementation anyway?
    racerhomie3macpluspluschiarazorpitStrangeDayswatto_cobrajony0
  • Reply 7 of 26
    MplsPMplsP Posts: 3,911member
    Disabling Bluetooth is one of the strategies to save battery life, but seeing as how Bluetooth is all but essential it’s going to be turned on for the overwhelming majority of devices. I’d be wiling to bet Android devices have it on as well.

    The fact that Android devices are ‘immune,’ as the article states tells me this is something specific to the Bluetooth routines that Apple and Microsoft use. It also means it should be a relatively easy patch, since there is theoretically already a solution in use. Macplusplus is probably right that a patch will be forthcoming in one of the OS upgrades.

    In the scheme of things, I’m not terribly worried about this. It allows tracking, but for cellular devices, that data is already there, whether you have BT turned on or not. That’s a much bigger issue, IMO.
    watto_cobra
  • Reply 8 of 26
    gatorguygatorguy Posts: 24,176member
    OK, @Gatorguy, why do you think Android lacks this exploit to begin with?  Perhaps because they're generally lagging behind in advanced BLE implementation anyway?
    No idea why but that's a possibility among others. The facts now are Android is immune. You should find out why if that bothers you enough.

    EDIT:
    Well that took all of about a minute to research @pscooter63 ;
    "Android is immune as the OS does not continually send out advertising messages, the researchers said." Apple and Microsoft devices do. As such the fix should be easy enough IMO: Do as Android, stop continuous broadcast. 
    edited July 2019 revenant
  • Reply 9 of 26
    gatorguy said:
    OK, @Gatorguy, why do you think Android lacks this exploit to begin with?  Perhaps because they're generally lagging behind in advanced BLE implementation anyway?
    No idea why but that's a possibility among others. The facts now are Android is immune. You should find out why if that bothers you enough.

    EDIT:
    Well that took all of about a minute to research @pscooter63 ;
    "Android is immune as the OS does not continually send out advertising messages, the researchers said." Apple and Microsoft devices do. As such the fix should be easy enough IMO: Do as Android, stop continuous broadcast. 
    No, that won't work. It would put the kibosh on the new tile-like tracking feature. The solution is however pretty simple (at least conceptually): Make sure token and MAC changes are synchronized.

    For most people, this is a non-issue. Trackers would need to maintain close proximity, which is impossible over time unless you're an extremely high-value target. There are situational exceptions to this, though - you could be tracked throughout a large mall or a baseball stadium, maybe, if their BT deployment density was high enough. And it may be, if they're doing it to support various legit services anyway (think beacons). This is still not a big deal, I think, though it's worth fixing.
    pscooter63FileMakerFellerchiawatto_cobra
  • Reply 10 of 26
    dysamoriadysamoria Posts: 3,430member
    The, uh, Apple Insider proofreader (ha ha ha) missed this: “...when advertising their pretense...”

    Oh really? Pretense of what?
  • Reply 11 of 26
    looplessloopless Posts: 325member
    So this is basically a non-issue. Or at least incredibly minor issue. After collecting vast amounts of bluetooth data someone **might** be able to track a particular device when it comes within range again. I applaud the researchers but to call this a security issue is a bit of a stretch.
    ericthehalfbeeFileMakerFellerwatto_cobra
  • Reply 12 of 26
    loopless said:
    So this is basically a non-issue. Or at least incredibly minor issue. After collecting vast amounts of bluetooth data someone **might** be able to track a particular device when it comes within range again. I applaud the researchers but to call this a security issue is a bit of a stretch.
    It's not much of an issue but your summary is wrong. You don't "need huge amounts of bluetooth data".
  • Reply 13 of 26
    mobirdmobird Posts: 752member
    normang said:
    Bluetooth is on by default probably because millions of users connect headphones and Apple Watches to their devices, as well as other electronics to long to be listed.. Somehow this does not seem like a big issue and will now be fixed in some fashion in IOS13 and perhaps even in 12.4.
    And all of the vehicles with infotainment systems nowadays.
    StrangeDays
  • Reply 14 of 26
    SoliSoli Posts: 10,035member
    At first I thought this allowed access to the device which could've been a massive issue. Thankfully it just means your device can be tracked locally. Since most people already allow much worse tracking via their internet use I'm not really concerned by this type of tracking, but it does give me some ideas for a story.

    it's nicce to see Android not being the weakest security link. I wonder what is different about their algorithm. It seems like this is simply a case of Apple and MS not using system resources to fully randomize the address token, but why?

    For Windows 10, users can periodically disable a Bluetooth device through the Windows Device Manager and re-enable it again, which will reset both the advertising address and the token, thereby breaking the chain, researchers said.

    For Apple devices, switching Bluetooth off and on in the System Settings (or in the Menu Bar on macOS) will randomize the address and change the payload, the team said.

    https://threatpost.com/bluetooth-flaws-global-tracking-apple-windows/146517/
    FileMakerFellerwatto_cobra
  • Reply 15 of 26
    dewmedewme Posts: 5,332member
    What a big discovery !

    "We identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range," the paper reads.

    Those custom data structures will be modified or removed in the next system update then the “research” will become irrelevant.

    What is the range of Bluetooth LE? 9 meters or so? The victim’s location must be bugged to collect that continuous traffic logs. And the collecting van must park to the victim’s location as closely as possible during that loooong collection task...
    Good post. Given the limited range of BLE, the need for specialized sniffer hardware and software, and data collection time (which wasn’t presented in the original paper from what can see) this “sensational issue” seems more like a hypothetical concern than a real threat for 99.999% of Apple and Microsoft users. If tracking is a concern the snooper would have to either closely follow his or her “target” around at close proximity or install the surveillance tools in multiple locations, e.g., a massive nefarious bot net deployment. If no personally identifiable information is exposed through this “exploit” I’d put this in the same category as WiFi SSID broadcast based tracking, which may be a concern if you routinely move your house around and don’t want anyone to record your movement. 


    edited July 2019 watto_cobra
  • Reply 16 of 26
    gatorguy said:
    OK, @Gatorguy, why do you think Android lacks this exploit to begin with?  Perhaps because they're generally lagging behind in advanced BLE implementation anyway?
    No idea why but that's a possibility among others. The facts now are Android is immune. You should find out why if that bothers you enough.


    Of more interest is why you "think" this bothers others, and why you're enjoying this bit of news so much? NVM, I already know. With Android being a cesspool of poor security and privacy and getting hammered in the news regularly about it (there were just another bunch of Apps in Google Play that had to get the boot yet AGAIN) you have to enjoy these tiny victories when they come, being that they are so few and far between. So feel free to blow this out of proportion to increase your satisfaction level.

    OK, @Gatorguy, why do you think Android lacks this exploit to begin with?  Perhaps because they're generally lagging behind in advanced BLE implementation anyway?

    Remember Meltdown/Spectre? The vast majority of Android devices with Samsung, Qualcomm or other processors based on ARM cores were essentially immune, while Apple A Series processors were susceptible. The first knee-jerk reaction was that Apple processors were inferior. I can see the rush to claim this, as Apple is years ahead in processor design, and Android users would love to be able to claim there was something wrong with them. It's actually backwards - ARM processor cores were so simple that they couldn't be attacked since these were hacks revolved around things like speculative execution. Apple A Series processors are far ahead of ARM in this regard and are more like Intel desktop processors. Therefore they were susceptible to the attacks. Only ARM processors with the newest A75 cores were susceptible. What this really proved is that it took ARM all the way until the A75 to catch up to Apple from years before.

    I don't know enough about this Bluetooth issue to say if it's a similar situation (more advanced use of technology/features), but the rest is similar (Apple has a bug Android doesn't therefore Android must be better).

    pscooter63razorpitStrangeDayswatto_cobra
  • Reply 17 of 26
    At the moment this does seem to be a limited threat. From my understanding, you need to have access to the log files generated by a network of Bluetooth beacons and then spend some time performing an analysis. The more networks you can scrape log files from, the more valuable the result.

    So, right now, noteworthy but not alarming. As already pointed out, your mobile service provider has more information than that about you.

    Still, the fact that Android is not susceptible to this particular technique is interesting. It's unclear if Android simply does not provide "platform-specific interaction" with other Bluetooth devices, or whether it uses generic data structures to do so. Using custom data structures, as Apple and MS have chosen to do, has benefits (at a guess, greater information density that would reduce transmission times and energy requirements) but the researchers have shown an unintended side effect.
    watto_cobra
  • Reply 18 of 26
    gatorguygatorguy Posts: 24,176member
    Rayer said:
    dysamoria said:
    The, uh, Apple Insider proofreader (ha ha ha) missed this: “...when advertising their pretense...”

    Oh really? Pretense of what?
    Yeah, they don't have editors here. I'm surprised your comment wasn't deleted. Every time I have commented about a grammar problem, they delete my comment and then fix the post.
    Perhaps because it's covered under the forum rules? Click on the "Commenting Guidelines" link at the bottom of this page. 
  • Reply 19 of 26
    dewmedewme Posts: 5,332member
    At the moment this does seem to be a limited threat. From my understanding, you need to have access to the log files generated by a network of Bluetooth beacons and then spend some time performing an analysis. The more networks you can scrape log files from, the more valuable the result.

    So, right now, noteworthy but not alarming. As already pointed out, your mobile service provider has more information than that about you.

    Still, the fact that Android is not susceptible to this particular technique is interesting. It's unclear if Android simply does not provide "platform-specific interaction" with other Bluetooth devices, or whether it uses generic data structures to do so. Using custom data structures, as Apple and MS have chosen to do, has benefits (at a guess, greater information density that would reduce transmission times and energy requirements) but the researchers have shown an unintended side effect.
    This really has nothing at all to do with performance concerns at all, i.e., transmission times and energy usage. The entire scope of this "issue" is limited to the advertising portion of the protocol that is used to initiate Bluetooth connections between devices. This small slice of the BTLE protocol has to be unencrypted and follow a standard format to allow devices from any vendor to discover one another and establish a connection. Once the connection is established all further communication of personally identifiable data transmitted via the connection can be encrypted.

    The gist of the vulnerability exists because you probably don't want devices to broadcast a unique identifier that's permanently linked to a specific hardware device instance, like its MAC id, as was done in earlier versions of Bluetooth (things that made sense back in the days when just getting stuff to work together was a victory and almost nobody worried about security or privacy). To avoid the MAC id issue newer version of Bluetooth make use of a randomized token that has a implementation specific lifetime. In the case of iOS, macOS, Windows, and other Bluetooth implementation these tokens are being kept around too long or not recycled.

    Yes, there is a block of data in the unencrypted part of the advertising/broadcast protocol that device vendors can embed whatever bits of data they'd like. There's nothing preventing device vendors from encrypting or obfuscating whatever they put their data block because it doesn't have to be interpreted by the protocol. It's just a blob of bits. If device vendors put easily readable and sensitive information in their data block, they've created a problem for their users but they can easily fix their problem without disturbing the underlying BTLE protocol in any way (as other posters have noted).
  • Reply 20 of 26
    StrangeDaysStrangeDays Posts: 12,834member
    gatorguy said:
    "While iOS, macOS, and Windows 10 systems are affected, Android operating systems appear immune due to differences in handling BLE advertising."

    Well that's a thread killer. I doubt very many here will acknowledge even reading this article by commenting on it if Android is safe from the exploit but some Apple OS'es aren't. 
    Good thing we have our google guy to carry the torch, reminding everyone why his knockoff brand is beloved, here on an apple site. rolleyes 

    If you expect people here to care about your knockoff as much as we do Apple platforms, you don’t understand people very well. That would be like me going to a rival sporting team website and asking why they don’t care about my team. Durr.
    edited July 2019 watto_cobra
Sign In or Register to comment.