Device tracking by Bluetooth Low Energy advertising packets with randomized addresses

Brother

Professional
Messages
2,590
Reaction score
544
Points
113
Compared to positioning using cellular networks or GPS, Bluetooth-based positioning is accurate to within a few centimeters and is well suited to indoor use. A typical positioning system consists of Bluetooth beacons distributed throughout the room, which periodically broadcast so-called advertising packets. The smartphone calculates the user's location by analyzing the contents of the packets received from several beacons and their signal strength.

The scheme described above does not pose a direct threat of disclosing the user's exact location, since all beacons operate only as transmitters and the smartphone does not exchange data with them. Without an Internet connection the smartphone cannot even report the received advertising packets to Apple's or Google's servers.
Now let's invert the scheme: the user carries a special beacon that transmits packets picked up by receivers placed around the room. By combining data from several receivers, one can calculate the user's position in the room, or at least detect their presence. Such systems have been proposed, for example, for monitoring elderly people and persons with disabilities.

[Figure 1]

Staff are notified if a person with dementia leaves the facility.

But ordinary people don't walk around with Bluetooth beacons attached, so there is no threat of unauthorized tracking? Not quite. The work mentioned above already points out that ordinary fitness bands (Mi Band, Fitbit, etc.) are suitable as beacons.
These devices use the Bluetooth Low Energy (BLE) standard. Smart devices often have limited controls, so they are permanently on and continuously broadcast advertising packets that allow other devices to discover them and initiate a connection. An advertisement carries the sender's MAC address so that a receiving device can send it a connection request. To prevent the wearer of such a device from being tracked by capturing packets with a specific address, the BLE standard allows a device to advertise not its public static MAC address but a periodically regenerated random one.

Tracking by metadata in advertising frames

However, research shows that, firstly, advertising packets are not sent only by smart devices: every modern device with Bluetooth enabled broadcasts them. Secondly, despite address randomization, most devices can be tracked by the contents of the other fields of the advertising packets they send.
In their work the researchers developed an algorithm that allows continuous tracking of devices that broadcast BLE advertising packets, even when they use address randomization. No interaction with the tracked device is required: it is enough to listen passively on the Bluetooth channels and capture the advertising packets it sends.

Bluetooth Low Energy advertising packet structure

Let's look at how an advertising packet is structured (Fig. 2). Like the packets of other network protocols, it consists of a preamble, header, payload and checksum.

[Figure 2]

a) The structure of the advertising packet and its header.
b) Payload field structure (PDU Payload).
c) An example of the contents of an AD Structure field carrying device manufacturer information.
The header identifies the packet type; since the researchers consider only packets of one type, all headers look alike and do not distinguish between devices. The researchers analyzed the payload part of the packet (PDU Payload), whose first six bytes contain the device's advertised address, AdvA. If the TxAdd flag in the packet header is set to one, the AdvA address is randomly generated; otherwise the device broadcasts its public static address.
The remaining fields may contain data added by device manufacturers to implement their own protocols for connection setup and data exchange on top of the Bluetooth procedures. The contents of these fields are the subject of the authors' research.
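As an added illustration (not code from the original article or the cited research), the following Python parser extracts exactly the fields the text describes from a link-layer advertising PDU: the TxAdd flag from the header, the AdvA address from the first six payload bytes, and the AD structures that follow, including Manufacturer Specific Data (AD type 0xFF). The sample PDU is constructed; its company identifier 0x0006 is Microsoft's assigned value.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class AdvPdu:
    pdu_type: int                     # 0 = ADV_IND, 1 = ADV_DIRECT_IND, ...
    tx_add: bool                      # True: AdvA is a random address
    adv_a: str                        # AdvA printed most-significant byte first
    ad_structures: List[Tuple[int, bytes]] = field(default_factory=list)

def parse_adv_pdu(pdu: bytes) -> AdvPdu:
    """Parse header + payload of a BLE advertising PDU (preamble, access
    address and CRC already stripped, as a decoded SDR capture would give)."""
    if len(pdu) < 8:
        raise ValueError("PDU too short for a 2-byte header and 6-byte AdvA")
    pdu_type = pdu[0] & 0x0F          # header byte 0, bits 0-3: PDU type
    tx_add = bool(pdu[0] & 0x40)      # header byte 0, bit 6: TxAdd
    length = pdu[1]                   # header byte 1: payload length
    payload = pdu[2:2 + length]
    if len(payload) != length or length < 6:
        raise ValueError("payload length field does not match the data")
    # AdvA is transmitted least-significant byte first; show it in the usual order
    adv_a = ":".join(f"{b:02x}" for b in reversed(payload[:6]))
    ads: List[Tuple[int, bytes]] = []
    i = 6
    while i < len(payload):           # each AD structure = length, type, data
        ad_len = payload[i]
        if ad_len == 0:               # zero length means padding: stop
            break
        if i + 1 + ad_len > len(payload):
            raise ValueError("AD structure runs past the end of the payload")
        ads.append((payload[i + 1], payload[i + 2:i + 1 + ad_len]))
        i += 1 + ad_len
    return AdvPdu(pdu_type, tx_add, adv_a, ads)

def manufacturer_data(pdu: AdvPdu) -> Optional[Tuple[int, bytes]]:
    """Return (company_id, vendor bytes) from AD type 0xFF, the field that
    carried the Windows 10 token described in the text, or None."""
    for ad_type, data in pdu.ad_structures:
        if ad_type == 0xFF and len(data) >= 2:
            return int.from_bytes(data[:2], "little"), data[2:]
    return None

# Constructed sample: ADV_IND with TxAdd=1, random AdvA c6:05:04:03:02:01,
# a Flags AD structure and a Manufacturer Specific Data structure (company 0x0006).
SAMPLE_PDU = bytes.fromhex("4011" "0102030405c6" "020106" "07ff0600aabbccdd")

if __name__ == "__main__":
    p = parse_adv_pdu(SAMPLE_PDU)
    print(p.pdu_type, p.tx_add, p.adv_a, manufacturer_data(p))
```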

Algorithm for tracking a changing address

To capture packets, the researchers use an SDR (software-defined radio) that listens on one of the Bluetooth channels; the captured packets are then decoded into ASCII and parsed according to the packet structure.
The preparatory stage of the algorithm consists of collecting an array of packets captured over a long period from a certain category of devices. A device category is a somewhat abstract concept; roughly, it is determined by the device manufacturer, the installed OS, applications, and so on. Analysis of this array allows one to identify so-called tokens: byte sequences inside the advertising packet that persist for some time and unambiguously identify the sender. One of the tokens is the device's advertised MAC address, even though it may be randomized at regular intervals. The task, therefore, is to find tokens that do not change synchronously and whose lifetimes overlap.
Once the tokens for a given device category have been found, one can proceed to tracking a specific device. Packets are now captured by the SDR in real time, decoded and fed to the algorithm, which is initialized with the current address of the device being tracked.
The algorithm extracts the required tokens and the advertised MAC address from the packet contents. If the advertised address has not changed but tokens have been updated or added, they are saved for comparison with subsequent packets. If at least one token has been preserved while the others and/or the device address have changed, the stored data is updated accordingly for subsequent comparison. Tracking can only be lost if all tokens, including the device's MAC address, change at the same time.
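The three cases of the tracking step, as an added Python example that is not the researchers' own code. It works on already-decoded adverts (address plus the named tokens found for the device category, such as the handoff and nearby fields discussed later) and is framed as the check a device vendor can run on a capture of their own product: if the address chain grows beyond its starting address, the metadata rotates out of step with the address. All adverts below are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Advert:
    t: float                # capture time in seconds (constructed)
    addr: str               # AdvA as advertised
    tokens: Dict[str, str]  # token name -> value, e.g. {"handoff": "h1"}

@dataclass
class TrackState:
    addr: str                                       # address currently attributed to the device
    tokens: Dict[str, str] = field(default_factory=dict)
    chain: List[str] = field(default_factory=list)  # every address linked so far

def track(initial_addr: str, adverts: List[Advert]) -> TrackState:
    """Follow one device across address rotations, mirroring the three cases in the text:
    same address -> refresh tokens; at least one token kept while the address or other
    tokens changed -> link the new address; nothing shared -> another device or a fully
    synchronized rotation, after which no later packet can match and the trail ends."""
    st = TrackState(initial_addr, chain=[initial_addr])
    for adv in sorted(adverts, key=lambda a: a.t):
        if adv.addr == st.addr:
            st.tokens.update(adv.tokens)              # case 1: same address, new/updated tokens
        elif any(st.tokens.get(k) == v for k, v in adv.tokens.items()):
            st.addr, st.tokens = adv.addr, dict(adv.tokens)   # case 2: a token survived
            st.chain.append(adv.addr)
        # case 3: no token in common, packet ignored
    return st

def rotates_in_sync(initial_addr: str, adverts: List[Advert]) -> bool:
    """Privacy check for a vendor's own capture: True if the address was never linked."""
    return len(track(initial_addr, adverts).chain) == 1

# Constructed capture of an iOS-style device: handoff survives the first rotation,
# nearby the second, a third device is interleaved, and the last rotation changes all.
LEAKY = [
    Advert(0,    "4a:11:11:11:11:11", {"handoff": "h1", "nearby": "n1"}),
    Advert(60,   "4a:11:11:11:11:11", {"handoff": "h1", "nearby": "n2"}),
    Advert(900,  "6b:22:22:22:22:22", {"handoff": "h1", "nearby": "n2"}),
    Advert(950,  "7c:99:99:99:99:99", {"handoff": "zz", "nearby": "qq"}),
    Advert(1800, "5d:33:33:33:33:33", {"handoff": "h2", "nearby": "n2"}),
    Advert(2700, "4e:44:44:44:44:44", {"handoff": "h3", "nearby": "n3"}),
]
# Same device class with metadata and address rotated together: not linkable.
SYNCED = [
    Advert(0,   "4a:11:11:11:11:11", {"handoff": "h1"}),
    Advert(900, "6b:22:22:22:22:22", {"handoff": "h2"}),
]
```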

Discovered tokens and other vulnerabilities

The devices considered in the study use advertising packets in different ways, adding various data inside the payload:
  • Devices running Windows 10 send packets regardless of the hardware manufacturer; 23 bytes of the Manufacturer data field, updated approximately once an hour, are presumably unique to each device at any given time and can therefore be used as a token.
  • macOS and iOS devices broadcast advertising packets for the Handoff feature, which allows seamless switching between devices in the Apple ecosystem. The tokens in this case are Apple metadata marked handoff and nearby inside the payload.
  • Although the tested Android smartphones also broadcast advertising packets, they do not include any additional data in them, which makes them immune to this tracking method.
  • The Fitbit Charge band sends advertising packets when it loses the smartphone's signal, in order to initiate a reconnection. The peculiarity of this device is that, although the TxAdd flag in the packet header is set to one, the device's MAC address did not change over time, even after the band was reset and reconfigured; thus the band's own address acts as a token with an infinite lifetime.
  • The devices described above send advertising packets of type ADV_IND, which any device may answer. The Microsoft Surface Pen, however, when a button is pressed or the pen is detached from the magnetic mount on the case, sends advertising packets of type ADV_DIRECT_IND, which only the device with the address specified in the packet can answer. Interestingly, the stylus specifies the static public address of the Surface device as the target address, which discloses that address and makes it possible to track the device in other ways.

Demonstration of the algorithm and results

The figure below illustrates the operation of the address-tracking algorithm, showing how the values of the fields used as tokens change over time. At least one token retains its value despite the address change, which allows the device's new address to be determined.

[Figure 3]

An example of how the algorithm works for an iOS device. The first three address re-identifications used the saved handoff token, the last one the nearby token. Different colors represent different field values.

The researchers' results can be summarized in the following table.

Device category   | Average lifetime of a random address | Maximum tracking time          | Address tracking method
Windows 10        | 16 minutes                           | Not limited                    | The proposed algorithm
macOS, iOS        | 20 minutes                           | 53 minutes, possibly unlimited | The proposed algorithm
Android           | 15-45 minutes                        | No vulnerabilities             |
Fitbit Charge     | The address does not change          | Not limited                    | -
Microsoft Surface | 16 minutes                           | Not limited                    | Address leak from Microsoft Surface Pen

Interestingly, this study was conducted before the COVID-19 pandemic, during which Apple partnered with Google to create a framework for tracking contacts with infected people. That framework relies on broadcasting BLE advertising messages carrying additional data about the user's status. Security researchers found that the metadata in these packets is updated out of sync with the device address, which allows it to be used as a token for the above algorithm. News reports indicate that only half of the tested smartphones are affected by the vulnerability.

RF fingerprint tracking

However, even if vulnerabilities like those described above are fixed, a group of researchers from the University of California, San Diego recently described a new method for tracking BLE devices. The new approach does not require analyzing packet contents at all; it relies only on the physical characteristics of the signal emitted by the Bluetooth radio of the tracked device.

Tracking method and results

The characteristics of each radio module are unique because of defects introduced during its manufacture. Without going into the details of the BLE physical layer, these defects cause various kinds of distortion in the transmitted radio signal, which makes it possible to build a unique radio frequency fingerprint for each device that describes its particular distortion.
The researchers describe the following hypothetical tracking scenario. An attacker near the target device processes the BLE packets it emits in order to collect enough data to build an RF fingerprint. With the fingerprint in hand, the attacker places a listening SDR near the victim's home to determine whether the victim is inside. The results of an experimental reproduction of this scenario are shown in Fig. 4: over an hour only one false alarm occurred, lasting 50 seconds, with about 30 devices detected in total during the experiment.

[Figure 4]

The result of determining the location of the target device inside the house.

a) The total number of detected devices.
b) The red bar is the target device detection result, the blue bar is the actual location of the device inside the house.

Nuances of using a radio frequency fingerprint

The disadvantages of this method are that it requires deeper knowledge of signal processing with an SDR, and that accuracy depends on the quality of the SDR: cheap models require calibration. The quality of creating and recognizing a fingerprint depends significantly on signal strength, while different devices transmit at different power levels and the surrounding space strongly affects signal propagation. The technique makes it easy to distinguish the fingerprints of chips from different manufacturers, but picking out, for example, a particular iPhone among other smartphones of the same model is much harder. The device's temperature also affects the RF fingerprint, so during active use the fingerprint may differ from the one measured at rest. Researchers claim

The relevance of the described vulnerabilities and possible protection methods

Finally, let's check whether the described vulnerabilities are still relevant. As for tracking by metadata in advertising packets, news reports say that for Windows 10 the vulnerability should have been fixed with the release of the Windows 10 May Update (1903). A recent preprint on the security of Apple wireless protocols by a team of researchers from the Technical University of Darmstadt indicates that the vulnerability allowing Apple devices to be tracked by metadata in advertising packets was fixed in the iOS 13.4 and macOS 10.15.4 releases. However, we could not find any news of fixes for the lack of randomization of the advertised MAC address on Fitbit devices, the leak of the public MAC address through the Surface Pen, or the incorrect behaviour of the COVID-19 contact-tracing framework. Note also that the wearable market is not limited to Fitbit bands; devices from other brands may also be susceptible to the vulnerabilities discussed.

RF fingerprint tracking cannot be fixed with software patches, since the fingerprint consists only of the physical characteristics of the device's radio. As protection, the researchers propose adding random fluctuations to the frequency of the radio module's oscillator, which would complicate both building a fingerprint and recognizing it. The authors do also offer a software workaround: a background process on the device that creates a CPU load varying over time, which changes the device's temperature and hence its fingerprint. But this approach costs performance and battery life. The only sure way is to turn Bluetooth off completely, or better still, turn the device off completely.

Thus, a large number of Bluetooth devices can potentially be used to track their owners. At the same time, the accuracy with which a person's location can be determined depends on the number of listening devices: it can range from simply detecting the presence of the person of interest in a room, as in the work on tracking by RF fingerprint, to precise positioning within the room, as described in the introduction.