Bluetooth Vulnerability Allows Tracking of Windows 10, iOS, and macOS Users

By Ava McKinneyOnline Safety

Bluetooth Vulnerability Enables Tracking of Windows 10, iOS, and macOS Users

A vulnerability in the Bluetooth data transmission protocol can be exploited to track users of modern devices, according to researchers from Boston University, David Starobinski and Johannes Becker. The issue affects Bluetooth-enabled devices running Windows 10, iOS, and macOS, including iPhones, iPads, Apple Watches, MacBooks, and Microsoft laptops and tablets. The vulnerability can be exploited even with built-in operating system security features enabled.

How the Vulnerability Works

According to the study titled “Tracking Anonymized Bluetooth Devices,” many Bluetooth-enabled devices use randomized MAC addresses when broadcasting their presence to prevent long-term tracking. However, the researchers discovered a way to bypass MAC address randomization and continuously track specific devices.

To achieve this, the researchers developed an algorithm that does not require decrypting messages or breaking Bluetooth security. Their research focused on the BLE (Bluetooth Low Energy) protocol, introduced in 2010 and implemented in Bluetooth 5. They conducted experiments using devices running Windows 10, iOS, and macOS, a special version of the BTLE software package, and a traffic interception tool. Over a period of time, they collected broadcast (advertisement) data and log files, which allowed them to identify device identifiers.

Findings and Implications

“In most operating systems for computers and mobile devices, address randomization is enabled by default to prevent long-term tracking, since permanent identifiers are not transmitted during broadcast. However, we found that devices running Windows 10, iOS, or macOS continuously send advertising packets containing data used for interaction with other devices within BLE range,” the researchers noted.

It is important to note that the technique developed by the researchers does not affect Android devices, as this operating system does not send advertising packets as regularly as devices running Windows, iOS, and macOS.

Source

  • Original research: “Tracking Anonymized Bluetooth Devices” by David Starobinski and Johannes Becker, Boston University

Leave a Reply