Researchers from the University of California San Diego have shown in a new paper how Bluetooth signals can be used to identify and track smartphones.
The research team found that Bluetooth Low Energy (BLE) signals, which are constantly broadcast by mobile devices, carry a unique fingerprint. Attackers could exploit this fingerprint to track the movements of individuals.
Devices such as smartphones, smartwatches and fitness trackers constantly send out signals, known as Bluetooth beacons, at a rate of about 500 beacons per minute. These beacons enable features such as Apple’s “Find My” lost-device tracking service, COVID-19 detection apps and AirTag, and they connect smartphones to other devices, such as wireless earphones.
Previous research has shown that wireless fingerprints are present in wireless technologies such as Wi-Fi. However, the UC San Diego team has emphasized that this kind of tracking can also be done with Bluetooth, in a very precise way.
“This is important because in today’s world, Bluetooth poses a greater threat because it is a frequent and constant wireless signal broadcast by all of our personal mobile devices,” said Nishant Bhaskar, a Ph.D. student in the UC San Diego Department of Computer Science and Engineering and one of the lead authors of the paper.
All of the above wireless devices have minor manufacturing defects in their Bluetooth hardware, and these defects are unique to each device. As a result, these devices can be fingerprinted.
For Bluetooth, this would allow an attacker to bypass anti-tracking techniques, such as constantly changing the address a mobile device uses to connect to Internet networks. Tracking individual devices via Bluetooth is not exactly an easy process, however.
Previous fingerprinting techniques built for Wi-Fi relied on a long, known sequence in the signal called the preamble. However, the preambles for Bluetooth beacon signals are extremely short.
“The short duration gives an imprecise fingerprint, making previous techniques unhelpful for Bluetooth tracking,” said Hadi Givehchian, also a Ph.D. student and a lead author on the paper.
The new method designed by the UC San Diego team does not rely on the preamble. Instead, it looks at the entire Bluetooth signal, using a computer algorithm that estimates two different values found in Bluetooth signals. These values vary with the flaws in each device’s Bluetooth hardware, which gives the researchers the device’s unique fingerprint.
Real-world experiments and challenges
The researchers tested their tracking method in field experiments. In the first experiment, they found that 40% of the 162 mobile devices seen in public places such as coffee shops were uniquely identifiable.
The team also conducted a large-scale experiment in which they observed 647 mobile devices in a public hallway over two days and found unique fingerprints on 47% of them. In another test, they demonstrated an actual tracking attack by taking fingerprints and tracking a research volunteer’s mobile device as they walked in and out of their home.
The researchers also discovered several challenges that an attacker faces in practice. For example, changes in ambient temperature can alter the Bluetooth fingerprint. Also, some devices transmit Bluetooth signals with different powers, which affects the distance at which these devices can be tracked.
Beyond these challenges, the researchers point out that tracking a Bluetooth signal with this method also needs “a high degree of expertise.” This means it is unlikely to be a widespread threat to the general public today. They also stressed that while individual devices can be tracked, the device owner’s information cannot.
“In modern society, Bluetooth, the wireless signal often broadcast by all personal mobile devices, poses a greater threat,” says Bhaskar.
Researchers noted that turning off Bluetooth does not necessarily prevent all cellphones from broadcasting Bluetooth beacons. For example, if you turn off Bluetooth from the Control Center on the home screen of some Apple devices, the beacon will not stop broadcasting.
“As far as we know, the only way to ensure that the Bluetooth beacon is turned off is to turn off the mobile phone,” Bhaskar concluded.
The Bluetooth signal tracking paper, titled “Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices,” was recently presented at the IEEE Security & Privacy conference in San Francisco, California, on May 24, 2022.