Mobile devices that use Bluetooth are exposed to a design flaw that could allow attackers to infer a user’s location, according to a new study.
The research focused on Bluetooth Low Energy (BLE), the variant of Bluetooth that uses less energy than the older Bluetooth Classic. Billions of people rely on this form of wireless communication for all kinds of activities through smart watches and smartphones.
However, because of a design flaw in the Bluetooth protocol, users’ privacy could be at risk, said Yue Zhang, lead author of the study and Postdoctoral Researcher in Computer Science and Engineering at The Ohio State University, USA.
How is the privacy of a user’s data breached?
Zhang recently presented the findings at the ACM Conference on Computer and Communications Security (ACM CCS 2022). The study also received an honorable mention for “best paper” at the conference.
Bluetooth devices have what are called MAC addresses – 48-bit identifiers that uniquely identify a device on a network. As often as once every 20 milliseconds (the shortest advertising interval the specification allows), an idle BLE device broadcasts a signal announcing its MAC address to nearby devices with which it might connect.
The study identifies a flaw that could allow attackers to observe how these devices interact over the air, and then collect and analyze that traffic to compromise a user’s privacy.
“This is a new discovery, which no one has noticed before. We demonstrate that by transmitting a MAC address to the location of the device, hackers can know when you are in the area,” said Zhang.
The measures taken previously proved ineffective
One of the reasons researchers are concerned about such a scenario is that a captured MAC address could allow an attacker to monitor the user’s behavior, reconstruct where the user has been in the past, or even learn the user’s real-time location.
“The Bluetooth SIG was certainly aware of the threat of MAC address tracking, and to protect devices from being tracked by bad actors, a workaround has been in place since 2010,” said co-author Zhiqiang Lin, according to TechXplore.
Later, in 2014, the Bluetooth specification added a feature called the “allowlist”, which does exactly what the name suggests: a device accepts connection or scan requests only from approved peer addresses and ignores unknown devices. But according to the study, this feature itself opens a side channel for device tracking, because whether or not a device responds reveals whether the requester’s address is on its list.
The discovery shows how a hacker can access user data
Zhang and Lin showed that the new threat is real by building an attack they call Bluetooth Address Tracking (BAT). Using a customized smartphone, the researchers attacked more than 50 Bluetooth gadgets – most of them their own devices – and showed that with BAT an attacker could still link a victim’s addresses together and replay the victim’s data.
For now, no deployed defense stops BAT attacks, but the team has created a prototype countermeasure named Securing Address for BLE (SABLE). Their solution adds an unpredictable sequence number to the targeted address so that each MAC address can be used only once. The study reports that SABLE successfully prevented attackers from connecting to the victim’s devices.
The experimental results showed that SABLE only slightly affects battery consumption and the overall performance of the device.
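To make the two ideas above concrete, here is a small simulation written for this article. It is not the researchers’ code and does not implement the real BLE allowlist (filter accept list) or the published SABLE construction. It assumes a simplified model: an address is six raw bytes, a scan request carries only the scanner’s address, and an allowlisting device answers a scan request if and only if that address is listed. The first scenario shows why an attacker who replays a sniffed peer address learns whether the victim’s device is nearby; the second shows a single-use address scheme in the spirit of SABLE, where addresses are derived from a shared secret and a counter (my own illustration of “each address usable only once”) so that a replayed address is rejected. The sample addresses and secret are constructed with `os.urandom`.

```python
"""Toy simulation, written for this article and not taken from the
researchers' code, of (a) the allowlist side channel and (b) a single-use
address scheme in the spirit of SABLE.

Assumptions (mine, not the paper's): a BLE address is modelled as 6 raw
bytes, a scan request carries only the scanner's address, and the
allowlisting device answers a scan request iff that address is listed.
The SABLE-like derivation (HMAC over a counter) is my own illustration
of "each address usable only once", not the published construction.
"""
import hashlib
import hmac
import os


def answers_scan(allowlist: set[bytes], scanner_addr: bytes) -> bool:
    """Allowlist filtering as modelled here: reply iff the scanner is listed.

    The reply/no-reply difference is the side channel: an attacker who
    replays an address sniffed from the victim's authorised peer gets a
    reply only when the allowlisting device is within range.
    """
    return scanner_addr in allowlist


def derive_address(secret: bytes, counter: int) -> bytes:
    """Single-use address for a given counter: 6 bytes of HMAC-SHA256.

    Without the shared secret an observer cannot predict the next address,
    and the verifier below accepts each address at most once.
    """
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:6]


class SingleUseVerifier:
    """Peripheral-side check: accept an address iff it matches one of the next
    `window` counters; once accepted, the counter advances past it, so a
    replay of the same address falls outside the window and is rejected."""

    def __init__(self, secret: bytes, window: int = 8):
        self.secret = secret
        self.window = window
        self.expected = 0  # next counter the verifier expects

    def accept(self, addr: bytes) -> bool:
        for c in range(self.expected, self.expected + self.window):
            if hmac.compare_digest(addr, derive_address(self.secret, c)):
                self.expected = c + 1  # consume this and every skipped counter
                return True
        return False


def demo() -> dict:
    """Run both scenarios on constructed sample values and return the outcomes."""
    # Scenario A: a static peer address on an allowlist (constructed values).
    phone = os.urandom(6)        # victim's phone, authorised on the watch
    watch_allowlist = {phone}
    results = {
        # attacker replays the sniffed phone address: the watch answers
        "replay_answered": answers_scan(watch_allowlist, phone),
        # an unlisted random address gets no answer; the contrast is the leak
        "unlisted_answered": answers_scan(watch_allowlist, os.urandom(6)),
    }

    # Scenario B: single-use addresses derived from a shared secret.
    secret = os.urandom(16)
    watch = SingleUseVerifier(secret)
    a0 = derive_address(secret, 0)
    results["genuine_first"] = watch.accept(a0)                          # phone's scan: accepted
    results["replayed_first"] = watch.accept(a0)                         # attacker replays a0: rejected
    results["genuine_next"] = watch.accept(derive_address(secret, 1))    # phone's next address: accepted
    results["far_future"] = watch.accept(derive_address(secret, 100))    # outside the window: rejected
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the script prints `replay_answered: True` against `unlisted_answered: False` for the legacy allowlist, which is exactly the bit an attacker needs to tell whether the victim’s device is in range, and `replayed_first: False` for the single-use scheme, where the same sniffed address no longer earns a response. The sliding window in `SingleUseVerifier` is a design choice for tolerating lost packets; a real deployment would also need to bound how far the counter can be skipped, which this toy model handles only by the fixed `window`.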