A recently published Bluetooth tracking technique, which exploits a weakness in how devices advertise their presence, could potentially allow attackers to track and identify devices from both Apple and Microsoft.
New research from Boston University [PDF] says Apple’s Mac, iPhone, iPad, and Apple Watch are all affected, as well as Microsoft tablets and laptops. Android devices are not affected by the flaw.
The research paper outlines how Bluetooth devices use public channels to announce their presence to other devices. Most devices try to prevent tracking by broadcasting a randomized address that changes periodically instead of a fixed Media Access Control (MAC) address, but the researchers found that identifying tokens can be extracted from the same advertisements, and those tokens allow a device to be followed even as its random address changes.
We present an online algorithm called the address-carryover algorithm, which exploits the fact that identifying tokens and the random address do not change in sync, to continuously track a device despite implementing anonymization measures. To our knowledge, this approach affects all Windows 10, iOS, and macOS devices.
The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic.
The tracking method has the potential to allow identity-exposing attacks, allowing for “permanent, non-continuous tracking.” In addition, an iOS side-channel “allows insights into user activity.”
iOS or macOS devices have two identifying tokens (nearby, handoff) which change at different intervals. In many cases, the values of the identifying tokens change in sync with the address. However, in some cases the token change does not happen at the same moment, which allows the carry-over algorithm to identify the next random address.
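To make the carry-over idea concrete, here is an added simulation (not code from the paper or from Apple or Microsoft) that builds constructed advertisement streams for two hypothetical devices and runs a simple carry-over tracker over them. The device names, token values and rotation periods are invented for illustration. The first stream rotates its address every 15 time units while the two tokens rotate every 10 and 25, so at each address change at least one token is carried over; the second stream rotates everything together, which is the behaviour the paper's "in sync" cases describe and which leaves the tracker with nothing to link.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    """One unencrypted advertising frame, reduced to the fields that matter here."""
    t: int                 # observation time (constructed units)
    address: str           # randomized advertising address
    tokens: tuple          # ((token_name, token_value), ...), e.g. nearby / handoff


def simulate(device, addr_period, nearby_period, handoff_period, duration):
    """Constructed advertiser: address and tokens each rotate on their own schedule."""
    ads = []
    for t in range(duration):
        address = f"{device}-addr-{t // addr_period}"
        tokens = (("nearby", f"{device}-n{t // nearby_period}"),
                  ("handoff", f"{device}-h{t // handoff_period}"))
        ads.append(Advertisement(t, address, tokens))
    return ads


def carryover_track(ads, start_address):
    """Follow one device across address changes.

    Whenever a frame with an unknown address carries a token value identical to
    the last one seen under the address currently being followed, the new address
    is assumed to belong to the same device and the chain is extended.
    """
    chain = [start_address]
    current = start_address
    last_tokens = {}
    for ad in sorted(ads, key=lambda a: a.t):  # stable sort keeps interleaving order
        if ad.address == current:
            last_tokens = dict(ad.tokens)      # remember what this device is announcing
        elif any(last_tokens.get(name) == value for name, value in ad.tokens):
            current = ad.address               # token carried over: link the addresses
            chain.append(current)
            last_tokens = dict(ad.tokens)
    return chain


def unsynchronized_demo():
    """Two devices in range; tokens and address of device A rotate out of step."""
    ads = simulate("A", 15, 10, 25, 60) + simulate("B", 15, 10, 25, 60)
    return carryover_track(ads, "A-addr-0")


def synchronized_demo():
    """Device A rotates address and both tokens at the same moment."""
    return carryover_track(simulate("A", 15, 15, 15, 60), "A-addr-0")


if __name__ == "__main__":
    print("out of step :", unsynchronized_demo())   # all four of A's addresses linked
    print("in sync     :", synchronized_demo())     # tracking stops at the first address
```

Running the two demos shows the whole point of the paper in miniature: with out-of-step rotation the tracker links every one of device A's addresses (and never confuses them with device B, whose token values differ), while rotating the tokens together with the address breaks the chain after the first address. The mitigation follows directly: any identifier carried in public advertising data has to rotate at the same moment as the random address.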
Android devices don’t advertise their presence the same way Apple and Microsoft devices do, so they are immune to the tracking methods described in the paper.
At this point, no one knows whether any bad actors have tracked Apple or Microsoft devices using the method in the research paper, and since the method only listens to public advertising traffic rather than breaking Bluetooth security, such tracking would be undetectable.
Since the paper offers recommendations for fixing the flaw, Apple and Microsoft device users will hopefully see patches for the issue soon.