Security researchers discovered a Bluetooth security flaw in devices running Windows 10 and iOS. Read on to know more about it…
A team of Boston University researchers has discovered a vulnerability in several modern, high-profile Bluetooth devices that can make location and other sensitive data available to third parties. The flaw in the Bluetooth communication protocol can allow attackers to eavesdrop on users’ devices. The flaw impacts machines running on Windows 10 and iOS operating systems.
The Security Flaw
In a research paper titled Tracking Anonymized Bluetooth Devices, researchers David Starobinski and Johannes Becker have revealed that the Bluetooth vulnerability affects iPhones, iPads, Apple Watch models, and Microsoft tablets and laptops. The flaw can be used to spy on users’ devices and collect their locations and IDs despite the native OS protections.
According to the researchers, many Bluetooth devices advertise their presence under a randomized MAC address to prevent long-term tracking. However, the researchers show that this randomization can be circumvented, allowing a specific device to be monitored indefinitely.
The researchers demonstrated the flaw with a new technique they call the address-carryover algorithm, which is able to “exploit the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device.”
“The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic,” the research paper reads.
During the experiment, the researchers set up a testbed of Apple and Microsoft devices to analyze BLE advertising channels. Over time they collected advertising logs, and from them were able to elicit data structures that revealed device ID tokens.
Researchers discovered that a third-party algorithm in multiple high-profile Bluetooth devices exposes users to third-party tracking and data access. Bluetooth Low Energy (BLE), a fairly recent variant of Bluetooth, uses unencrypted advertising channels to announce a device’s presence to other Bluetooth devices. The use of these public channels initially sparked privacy concerns; to address those, devices may use a randomized, periodically changing address instead of their permanent Media Access Control (MAC) address. Manufacturers can decide when, and how often, to randomize the unique address of a device.
“It’s a new feature Bluetooth LE introduced to prevent tracking,” says Becker. Because BLE lets devices continuously broadcast their presence, randomization is intended to ensure third parties don’t track a single address. But researchers found an oversight in this methodology that would allow attackers to track the device type or other data from a manufacturer. Even as randomization changes the device’s address, some identifiers of a device don’t change with it.
When two Bluetooth devices connect, the “central” device — an iPhone, for example — scans for signals sent by a peripheral device to see if it’s available to connect. These signals, or advertisements, contain the device’s random address and information about the connection. Researchers found this data updates at a different rate than the random address; as a result, attackers could potentially detect a pattern in the communication between Bluetooth devices.
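To make that asynchrony concrete, here is an added Python example (written for this page, not code from the paper or the article) that audits a constructed advertising log the way a manufacturer could audit its own firmware: it flags every payload token that survives an address rotation and chains the addresses such tokens link, which is exactly the condition the address-carryover algorithm depends on. Device A rotates address and payload on different schedules and is linkable; device B rotates both at the same instant and is not. All addresses and token names are made up.

```python
from collections import defaultdict
# Constructed advertising logs: (seconds since capture start, advertising address, payload
# tokens). Device A rotates address and token on different schedules; device B rotates both
# at the same instant. Addresses and tokens are made up.
DEVICE_A_LOG = [
    (0,    "5e:3f:0a:12:9b:c1", ("nearby:7d",)),
    (900,  "6a:02:c4:88:31:e7", ("nearby:7d",)),  # address rotated, token carried over
    (1200, "6a:02:c4:88:31:e7", ("nearby:2b",)),  # token rotated under the new address
    (1800, "7c:d9:15:40:aa:03", ("nearby:2b",)),  # address rotated, token carried over
]
DEVICE_B_LOG = [
    (0,    "41:b8:66:0e:f2:5d", ("nearby:c9",)),
    (900,  "4f:27:a1:93:08:be", ("nearby:e4",)),  # address and token rotated together
    (1800, "58:6c:d0:71:3a:92", ("nearby:15",)),
]
SAMPLE_LOG = DEVICE_A_LOG + DEVICE_B_LOG  # what a passive listener would see

def carryover_links(log):
    """Return (old_addr, new_addr, token) for each token that reappears under a new address."""
    last_addr, links = {}, []
    for _, addr, tokens in sorted(log):
        for tok in tokens:
            prev = last_addr.get(tok)
            if prev is not None and prev != addr:
                links.append((prev, addr, tok))
            last_addr[tok] = addr
    return links

def address_chains(log):
    """Group addresses that carryover links tie together (union-find), longest chain first."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for old, new, _ in carryover_links(log):
        parent[find(old)] = find(new)
    for _, addr, _ in log:
        find(addr)  # addresses with no links become singleton chains
    groups = defaultdict(set)
    for addr in parent:
        groups[find(addr)].add(addr)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)

def rotation_is_linkable(log):
    """True when some chain spans more than one address, i.e. the device is trackable."""
    return any(len(chain) > 1 for chain in address_chains(log))
```

Running it on `SAMPLE_LOG` yields one three-address chain for device A and three singleton chains for device B; the mitigation the check points at is rotating every identifying payload field in the same event as the address.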