Researchers from the University of California San Diego in a new paper have demonstrated how Bluetooth signals can be used to identify and track smartphones.
The research team found that Bluetooth Low Energy (BLE) signals, which are constantly emitted by mobile devices generate a unique fingerprint. This is then exploited by attackers to track individuals’ movements.
Devices such as smartphones, smartwatches, and fitness trackers, constantly transmit signals, known as Bluetooth beacons, at the rate of roughly 500 beacons per minute. These beacons enable features like Apple’s “Find My” lost device tracking service; COVID-19 tracing apps; AirTag, and connect smartphones to other devices such as wireless earphones.
Prior research has shown that wireless fingerprinting is present in wireless technologies such as Wi-Fi. However, the UC San Diego team has highlighted that this type of tracking can also be done with Bluetooth, in a highly accurate way.
“This is important because in today’s world Bluetooth poses a more significant threat as it is a frequent and constant wireless signal emitted from all our personal mobile devices,” said Nishant Bhaskar, a Ph.D. student in the UC San Diego Department of Computer Science and Engineering and one of the paper’s lead authors.
It should be noted that all the above-mentioned wireless devices have small manufacturing imperfections in the Bluetooth hardware, which are unique for each device. As a result, there are chances of fingerprinting in these devices.
For Bluetooth, this would allow an attacker to circumvent anti-tracking techniques such as constantly changing the address a mobile device uses to connect to Internet networks. This isn’t exactly an easy process.
Prior fingerprinting techniques built for Wi-Fi have relied on a long-known sequence called the preamble. However, the preambles for Bluetooth beacon signals are extremely short.
“The short duration gives an inaccurate fingerprint, making prior techniques not useful for Bluetooth tracking,” said Hadi Givehchian, also a UC San Diego computer science Ph.D. student and a lead author on the paper.
The new method designed by the UC San Diego team does not rely on the preamble but looks at the whole Bluetooth signal using a computer algorithm, which estimates two different values found in Bluetooth signals. Depending on the flaws in the Bluetooth hardware, the values vary revealing to the researchers each device’s unique fingerprint.
Real-World Experiments And Challenges
The researchers conducted initial experiments to test their tracking method in real-world experiments. In the first experiment, they found that 40% of the total number of mobile devices (162) in public places like coffee shops were uniquely identifiable.
The team also conducted a large-scale experiment where they observed 647 mobile devices in a public hallway across two days and found unique fingerprints on 47% of them. In another test, they demonstrated an actual tracking attack by fingerprinting and following a mobile device owned by a study volunteer as they walked in and out of their house.
The researchers also discovered several challenges that an attacker will face in practice. For example, changes in ambient temperature can alter the Bluetooth fingerprint. Also, certain devices send Bluetooth signals with different degrees of power, which affects the distance at which these devices can be tracked.
Despite several challenges, the researchers point out that this method would also need “a high degree of expertise” to track a Bluetooth signal. This means it is unlikely to be a widespread threat to the general public today. They also emphasized that while you can track individual devices, the information of the owner of the device cannot be tracked.
“In modern society, Bluetooth, the wireless signal frequently emitted by all personal mobile devices, poses a greater threat,” said Bhaskar.
Researchers noticed that just disabling Bluetooth may not necessarily stop all mobile phones from emitting Bluetooth beacons. For example, turning off Bluetooth from the Control Center on the home screen of some Apple devices does not stop the beacon from emitting.
“As far as we know, the only way to ensure that the Bluetooth beacon is turned off is to turn off the cell phone,” Bhaskar concludes.
The paper on Bluetooth signal tracking titled “Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices” was recently presented at the IEEE Security & Privacy conference in San Francisco, California, on May 24th, 2022.