Researchers in Bluetooth IoT Privacy Warning

Security researchers are warning that privacy issues in the Bluetooth Low Energy (BLE) protocol could make users’ smart devices easily trackable from potentially long distances.

Context Information Security announced the findings of new research in a post at the end of last week.

In just half an hour hanging around Canary Wharf Underground station, the team used a specially built proof-of-concept Android app to spot 149 devices, including 26 Fitbits, two Jawbones, two Nike products and “a lot of iPhones.”

The problem lies with the fact that although most BLE-supporting smart devices advertise with a ‘random’ (non-public) address rather than a public MAC, that address is often static, never changing once the device has been set up, which makes the device easy to identify and track.

BLE was designed for devices that need to advertise their presence constantly without running the battery down, and those advertising packets sometimes even contain the device or user’s name, Context claimed.

This isn’t just a privacy risk but could be used by attackers to help with social engineering as part of a targeted cyber attack, or even for a ‘physical’ crime if a criminal knew a victim’s movements, the firm said.

What’s more, although the range of these devices is around 100 meters, with a “high gain directional antenna” it was possible to detect Bluetooth packets at half a mile, the report claimed:

“If I have an easy way to scan for these devices, and can attribute a device to a particular person such as a celebrity, your CEO or the police officer leading an investigation against your company, then I can easily tell when they’re nearby. Many of the available fitness trackers are waterproof and measure sleep, so there’s no need to ever take them off.”

Context also raised concerns about the use of iBeacons – used by retailers, airline providers and other firms to beam out information via BLE in a constant stream to customers walking by who have a related app on their device.

The protocol could become far more intrusive, the report claimed, if phone manufacturers begin to ship devices with selected iBeacon apps pre-installed, since those apps could then push out location-based sales and marketing messages ad nauseam.
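To make concrete what the fixed ‘random’ addresses and broadcast device names described above look like on the air, and how an iBeacon advertisement is laid out, here is an added example; it is not Context’s research code or tooling. The address classification and the AD structure layout follow the Bluetooth Core Specification and Apple’s published iBeacon frame format; the scan records, addresses, device name and beacon UUID are constructed for illustration only.

```python
"""Added example: why a fixed 'random' BLE address makes a wearable trackable.

Parses BLE advertising data (AD structures), classifies the advertiser's
address (public, static random, resolvable/non-resolvable private), pulls out
the Local Name and decodes an iBeacon frame. Every scan record below is
constructed, not a real capture."""
import struct
import uuid

AD_FLAGS, AD_SHORT_NAME, AD_COMPLETE_NAME, AD_MANUFACTURER = 0x01, 0x08, 0x09, 0xFF
APPLE_COMPANY_ID = 0x004C  # sent little-endian (4C 00) on the air


def classify_address(addr: str, random_addr: bool) -> str:
    """Classify a 48-bit BLE address by its two most significant bits.

    Public addresses (TxAdd=0) are fixed by definition. For random addresses
    (TxAdd=1) the top two bits say whether it is static (commonly never changed)
    or a private address that the device may rotate."""
    if not random_addr:
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static random",
            0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(top_bits, "reserved")


def parse_ad_structures(payload: bytes) -> dict:
    """Split advertising data into {ad_type: data}.

    Each AD structure is [length][type][data]; length counts the type byte.
    A zero length or a truncated structure ends parsing."""
    out, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break
        out[payload[i + 1]] = payload[i + 2 : i + 1 + length]
        i += 1 + length
    return out


def decode_ibeacon(mfr: bytes):
    """Return (uuid, major, minor, tx_power) for an iBeacon manufacturer frame, else None."""
    if len(mfr) != 25:
        return None
    company, frame_type, frame_len = struct.unpack_from("<HBB", mfr, 0)
    if (company, frame_type, frame_len) != (APPLE_COMPANY_ID, 0x02, 0x15):
        return None
    major, minor, tx_power = struct.unpack_from(">HHb", mfr, 20)
    return uuid.UUID(bytes=mfr[4:20]), major, minor, tx_power


def link_sightings(records):
    """Group (time_s, addr, random_addr, payload) records by address.

    A device whose address never changes collapses into one entry holding every
    sighting time; one that rotates its address appears as unrelated entries."""
    devices = {}
    for t, addr, random_addr, payload in records:
        ads = parse_ad_structures(payload)
        name = ads.get(AD_COMPLETE_NAME, ads.get(AD_SHORT_NAME))
        entry = devices.setdefault(addr, {
            "type": classify_address(addr, random_addr),
            "name": name.decode("utf-8", "replace") if name else None,
            "ibeacon": decode_ibeacon(ads[AD_MANUFACTURER]) if AD_MANUFACTURER in ads else None,
            "seen": [],
        })
        entry["seen"].append(t)
    return devices


def ad(ad_type: int, data: bytes) -> bytes:
    """Build one AD structure (helper for the constructed records below)."""
    return bytes([len(data) + 1, ad_type]) + data


# Constructed scan log: (seconds since start, advertiser address, TxAdd random?, AD payload).
BEACON_UUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")  # constructed, not a real beacon
SAMPLE_SCAN = [
    # Fitness tracker on a static random address (top bits 0b11) broadcasting a name; seen again 30 min later.
    (0,    "C8:12:34:56:78:9A", True, ad(AD_FLAGS, b"\x06") + ad(AD_COMPLETE_NAME, b"Alice's tracker")),
    (1800, "C8:12:34:56:78:9A", True, ad(AD_FLAGS, b"\x06") + ad(AD_COMPLETE_NAME, b"Alice's tracker")),
    # Phone using resolvable private addresses (top bits 0b01): the address rotates and no name is sent.
    (0,    "5A:11:22:33:44:55", True, ad(AD_FLAGS, b"\x1a")),
    (1800, "4F:66:77:88:99:AA", True, ad(AD_FLAGS, b"\x1a")),
    # Retail iBeacon on a public address: Apple company ID, type 0x02, length 0x15, UUID, major, minor, tx power.
    (900,  "00:11:22:33:44:55", False,
     ad(AD_FLAGS, b"\x06") + ad(AD_MANUFACTURER,
        struct.pack("<HBB", APPLE_COMPANY_ID, 0x02, 0x15) + BEACON_UUID.bytes + struct.pack(">HHb", 1, 42, -59))),
]

if __name__ == "__main__":
    for addr, info in link_sightings(SAMPLE_SCAN).items():
        print(addr, info["type"], info["name"], info["ibeacon"], "seen at", info["seen"])
```

Running it shows the point of the article in one table: the tracker collapses to a single entry seen at both times with its owner’s name attached, the phone’s two resolvable private addresses cannot be linked from the advertisement alone, and the beacon’s UUID/major/minor identify the site rather than a person. Feeding real packets (for example from a scanner that exposes the TxAdd bit and raw AD bytes) into `link_sightings` is the only change needed.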

“Most of what we found is not a bad implementation or mistake, but is inherent to how BLE works. In their designs, the vendors have prioritised the ease of pairing. BLE devices need to broadcast their presence constantly so that they can be detected by the paired smartphone,” researcher Scott Lester told Infosecurity.

“That said, vendors could do more to anonymise devices, for example by not allowing the user to name the device, or by implementing some of the measures in the latest version of the protocol to obscure the device address.”
