Skip to main content

Bluetooth Security Issue Could Affect Most Devices

By August 7, 2019May 16th, 2022Cybersecurity

Recently, researchers from Boston University published a paper called “Tracking Anonymized Bluetooth Devices”. The paper detailed a flaw in the ubiquitous Bluetooth communication protocol that could expose device users to tracking and even leak their IDs. As explained in the paper, many Bluetooth devices announce their presence by using their MAC addresses as the basis to generate a random number in order to prevent long-term tracking.

The team discovered a flaw in the system, and identified tokens that exist alongside MAC addresses. The researchers created what they’re calling an address-carryover algorithm that is able to “exploit the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device. The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic.”

At the center of this flaw is Bluetooth BLE, which stands for Low Energy Specification).  Introduced in 2010, it really came to the fore with the release of Bluetooth 5.  The research team discovered it when they began investigating BLE advertising channels and “advertising events” within standard Bluetooth proximities.

“Most computer and smartphone operating systems do implement address randomizations by default as a means to prevent long-term passive tracking, as permanent identifiers are not broadcasted.  However, we identified that devices running Windows 10, iOS or mac OS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range.”

Although this technique works on any Windows, iOS, and macOS system, Android devices are completely immune. That is because the Android OS doesn’t continually send out advertising messages, and instead takes the approach of scanning for advertising messages being transmitted nearby.

If all of that makes your head spin, consider this:  The number of Bluetooth devices is projected to grow from 4.2 to 5.2 billion between 2019 and 2022. So this is a significant issue, deserving of attention.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over the past 20 years. He believes that having a great work environment and supportive team, is the ultimate key to success. Since being in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor Degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMWare VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.