Mobile devices, including phones, smartwatches, and fitness trackers, constantly transmit signals known as Bluetooth beacons, at a rate of roughly 500 beacons per minute. These beacons power features such as Apple’s “Find My” lost-device tracking service and COVID-19 contact-tracing apps, and they connect smartphones to accessories such as wireless earphones. Prior research has shown that wireless fingerprinting is possible in Wi-Fi and other wireless technologies. The critical insight of the UC San Diego team was that this form of tracking can also be done with Bluetooth, and with high accuracy.
Nishant Bhaskar, a Ph.D. student in the UC San Diego Department of Computer Science and Engineering and one of the paper’s lead authors, explained the threat’s severity.
“This is important because in today’s world Bluetooth poses a more significant threat as it is a frequent and constant wireless signal emitted from all our personal mobile devices.”
How Bluetooth tracking works
All wireless devices have small manufacturing imperfections in the hardware that are unique to each device. These fingerprints are an accidental byproduct of the manufacturing process. These imperfections in Bluetooth hardware result in unique distortions, which can be used as a fingerprint to track a specific device. For Bluetooth, this would allow an attacker to circumvent anti-tracking techniques such as constantly changing the address a mobile device uses to connect to Internet networks.
Tracking individual devices via Bluetooth is not straightforward. Prior fingerprinting techniques built for Wi-Fi rely on the fact that Wi-Fi signals include a long-known sequence, called the preamble. But preambles for Bluetooth beacon signals are extremely short.
Instead, the researchers designed a new method that doesn’t rely on the preamble but looks at the whole Bluetooth signal. They developed an algorithm that estimates two different values found in Bluetooth signals. These values vary based on the defects in the Bluetooth hardware, giving researchers the device’s unique fingerprint.
The researchers evaluated their tracking method through several real-world experiments. In the first experiment, they found that 40% of 162 mobile devices seen in public areas, such as coffee shops, were uniquely identifiable. Next, they scaled up the experiment and observed 647 mobile devices in a public hallway across two days. The team found that 47% of these devices had unique fingerprints. Finally, the researchers demonstrated an actual tracking attack by fingerprinting and following a mobile device owned by a study volunteer as they walked in and out of their house.
Challenges to tracking Bluetooth fingerprints
Although their finding is concerning, the researchers also discovered several challenges that an attacker will face in practice. Changes in ambient temperature, for example, can alter the Bluetooth fingerprint. Certain devices also send Bluetooth signals at different power levels, which affects the distance at which these devices can be tracked.
Researchers also note that their method requires an attacker to have a high degree of expertise, so it is unlikely to be a widespread threat to the public today.
Despite the challenges, the researchers found that Bluetooth tracking is likely feasible for many devices. It also does not require sophisticated equipment: the attack can be performed with equipment that costs less than $200.
How to avoid Bluetooth trackers
So how can the problem be fixed? Fundamentally, Bluetooth hardware would have to be redesigned and replaced. But the researchers believe that other, easier solutions can be found. The team is currently working on a way to hide the Bluetooth fingerprints via digital signal processing in the Bluetooth device firmware.
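To make the three ideas above concrete (a fingerprint built from two estimated hardware values, the "uniquely identifiable" share of a population, the temperature drift that can break a match, and a firmware-side defence that hides the fingerprint), here is a small toy simulation. It is an added example, not code from the UC San Diego team or their paper. It assumes nothing about real Bluetooth signals: the two values are modelled as abstract numbers `v1` and `v2` (the page does not name them), temperature drift is modelled as a constant offset on `v1`, and the `randomized_beacon` defence is a hypothetical illustration of adding per-beacon jitter in firmware, not the team's actual design. All device fingerprints are constructed from a seeded random generator.

```python
"""Toy model of physical-layer fingerprint identifiability (constructed data).

Added example; not code from the paper or the UC San Diego team.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """Two hardware-impairment values estimated from one beacon (arbitrary units).

    The page says the method estimates two values but does not name them, so
    they are modelled here as abstract reals v1 and v2 (assumption).
    """
    v1: float
    v2: float


def perturb(fp: Fingerprint, dv1: float, dv2: float) -> Fingerprint:
    """Return a copy of fp shifted by (dv1, dv2)."""
    return Fingerprint(fp.v1 + dv1, fp.v2 + dv2)


def observe(fp: Fingerprint, rng: random.Random, noise: float = 0.1,
            drift: float = 0.0) -> Fingerprint:
    """Simulate measuring one beacon: receiver noise on both values, plus a
    temperature drift modelled as a constant offset on v1 (assumption; the
    page only says that temperature changes alter the fingerprint)."""
    return perturb(fp, rng.gauss(0.0, noise) + drift, rng.gauss(0.0, noise))


def matches(a: Fingerprint, b: Fingerprint, tol: float) -> bool:
    """Two fingerprints 'match' when both values agree within tol."""
    return abs(a.v1 - b.v1) <= tol and abs(a.v2 - b.v2) <= tol


def uniquely_identifiable(enrolled, observations, tol: float) -> int:
    """Count devices whose fresh observation matches exactly one enrolled
    fingerprint, and that fingerprint is the device's own. This mirrors the
    notion behind the page's 40% / 47% 'uniquely identifiable' figures."""
    count = 0
    for i, obs in enumerate(observations):
        hits = [j for j, fp in enumerate(enrolled) if matches(obs, fp, tol)]
        if hits == [i]:
            count += 1
    return count


def randomized_beacon(fp: Fingerprint, spread: float, rng: random.Random) -> Fingerprint:
    """Hypothetical firmware defence (illustration only): add a fresh random
    offset to both values on every beacon, so a tracker's enrolled fingerprint
    no longer agrees with later beacons from the same device."""
    return perturb(fp, rng.uniform(-spread, spread), rng.uniform(-spread, spread))


def run_simulation(n_devices: int = 200, tol: float = 0.5, seed: int = 1) -> dict:
    """Enrol a constructed population once, then re-observe it under three
    conditions and report how many devices remain uniquely identifiable."""
    rng = random.Random(seed)
    population = [Fingerprint(rng.uniform(-50, 50), rng.uniform(-50, 50))
                  for _ in range(n_devices)]
    enrolled = [observe(fp, rng) for fp in population]            # first sighting
    later = [observe(fp, rng) for fp in population]               # same conditions
    warmer = [observe(fp, rng, drift=3.0) for fp in population]   # temperature changed
    defended = [randomized_beacon(observe(fp, rng), spread=5.0, rng=rng)
                for fp in population]                             # jittered beacons
    return {
        "no_defense": uniquely_identifiable(enrolled, later, tol),
        "temperature_drift": uniquely_identifiable(enrolled, warmer, tol),
        "randomized_defense": uniquely_identifiable(enrolled, defended, tol),
    }


if __name__ == "__main__":
    for name, n in run_simulation().items():
        print(f"{name:20s} {n:3d} / 200 uniquely identifiable")
```

The matching tolerance `tol` plays the role of the attacker's measurement precision: a device is only trackable when its own fingerprint sits alone inside that tolerance box, which is why a crowded population (or a noisier receiver) lowers the identifiable share, a temperature shift larger than the tolerance breaks the match entirely, and per-beacon jitter wider than the tolerance removes the stable signal a tracker needs.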
Researchers are also exploring whether the method they developed could be applied to other types of devices. “Every form of communication today is wireless, and at risk,” said Dinesh Bharadia, a professor in the UC San Diego Department of Electrical and Computer Engineering and one of the paper’s senior authors. “We are working to build hardware-level defenses to potential attacks.”
The researchers also noticed that simply disabling Bluetooth does not necessarily stop all phones from emitting Bluetooth beacons. For example, beacons are still emitted when Bluetooth is turned off from the control center on the home screen of some Apple devices. The only way to completely stop Bluetooth signals is to turn off the phone or place it inside a Faraday bag.