Researchers warn Bluetooth signals can be used to track device owners via a unique fingerprinting of the radio signal. The technique was presented via a paper presented at IEEE Security and Privacy conference last month by researchers at the University of California San Diego.
The paper suggests that minor manufacturing imperfections in hardware are unique with each device, and cause measurable distortions which can be used as a “fingerprint to track a specific device”.
“To perform a physical-layer fingerprinting attack, the attacker must be equipped with a Software Defined Radio sniffer: a radio receiver capable of recording raw IQ radio signals,” said researchers in a paper (PDF) titled “Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices.”
Gadgets such as smartwatches, fitness trackers, and smartphones transmit a signal called Bluetooth beacons with an average rate of 500 beacons per minute. These constantly transmitting signals enable the functionality for lost device tracking and COVID-19 tracing apps.
The critical insight from the researchers is that Bluetooth can also be used for tracking “in a highly accurate way”, as the previously known wireless fingerprints use to track Wi-Fi and other wireless technologies.
“This is important because in today’s world Bluetooth poses a more significant threat as it is a frequent and constant wireless signal emitted from all our personal mobile devices,” wrote co-author Nishant Bhaskar, a Ph.D. student at UC San Diego.
How Tracking of Bluetooth Signals Works
For Wi-Fi, the fingerprint techniques are based on the long string called “preamble”, Bluetooth beacon signals cannot be tracked in the same way because the preamble used is shorter in comparison to Wi-Fi signals.
“The short duration gives an inaccurate fingerprint, making prior techniques not useful for Bluetooth tracking,” wrote co-author Hadi Givehchian, a Ph.D. student at UC San Diego.
A new method was designed by the researcher that “doesn’t rely on the preamble” but focuses on the complete Bluetooth signal. The algorithm estimates two values. The two values are CFO (carrier frequency offset) and I/Q in the BLE signal. Researchers said that each varies according to the slight difference in the devices. Next, the imperfections for each packet are calculated by the Mahalanobis distance, and the results determined “how close the features of the new packet” is in comparison to previously recorded fingerprint.
“Researchers tested their method to track Bluetooth fingerprints on campus. They use an off-the-shelf device to track and identify devices.” – UC San Diego
Mahalanobis is a technical term described by Wikipedia as: “The Mahalanobis distance is a measure of the distance between a point P and a distribution D, introduced by P. C.”
Researchers continue, explaining; “The MAC address of every BLE device is stable for a limited duration of time, we can receive multiple packets that we know belong to the same BLE device,” the researcher said. The average of multiple packets can be used to increase identification accuracy.
The scientist evaluates the results through several real-world experiments. Initially, they found 40 percent discrete signals out of 162 devices in public. Another scaled-up experiment includes 647 devices “in a public hallway across two days” and found 47 percent unique fingerprints.
Factors such as changes in ambient temperature can alter the Bluetooth beacon, as well as the power ratio for different devices affects the distance up to which these devices can be tracked.
The researchers claim that despite these barriers, a large number of devices can be tracked and do not require sophisticated equipment, “the attack can be performed with equipment that costs less than $200.” the researcher noted.
Solutions
At the core level, Bluetooth hardware devices have to be redesigned, but the researcher working on an easier solution. The team planned to hide the Bluetooth fingerprints “via digital signal processing in the Bluetooth device firmware”
Additionally, the team is exploring the possibility that whether the inducing method can be implemented in other devices. “Every form of communication today is wireless, and at risk, we are working to build hardware-level defenses to potential attacks,” wrote co-author Dinesh Bharadia, a professor at the UC San Diego.
“Overall, we found that BLE does present a location tracking threat for mobile devices. However, an attackers ability to track a particular target is essentially a matter of luck,” the researcher concluded.
