A Bluetooth flaw has been discovered that would allow a bad actor to track a wide range of devices — including iPhones, iPads, Macs, and Apple Watches.
Other vulnerable devices are laptops and tablets running Windows 10, and Fitbit wearables. Android devices are, however, not at risk …
TNW reports on the vulnerability discovered by Boston University researchers.
Researchers from Boston University (BU) have discovered a flaw in the Bluetooth communication protocol that could expose most devices to third-party tracking and leak identifiable data […]
The vulnerability allows an attacker to passively track a device by exploiting a flaw in the way Bluetooth Low Energy (BLE) is implemented to extract identifying tokens like the device type or other identifiable data from a manufacturer […]
To make pairing between two devices easy, BLE uses public non-encrypted advertising channels to announce their presence to other nearby devices. The protocol originally attracted privacy concerns for broadcasting permanent Bluetooth MAC addresses of devices — a unique 48-bit identifier — on these channels.
However, BLE tried to solve the problem by letting device manufacturers use a periodically changing, randomized address instead of their permanent Media Access Control (MAC) address.
The vulnerability discovered by BU researchers exploits this secondary random MAC address to successfully track a device. The researchers said the “identifying tokens” present in advertising messages are also unique to a device and remain static for long enough to be used as secondary identifiers besides the MAC address.
In other words, it’s possible to link the current random address to the next one, and thus identify it as the same device. It can then be tracked indefinitely — though only at the relatively short range of Bluetooth signals.
The researchers do have a proposed solution for the security problem …
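The linkability described above can be checked from the defender's side during firmware testing. The following is an added example, not code from the article or the researchers: it parses the advertising data in a constructed capture of a single device under test and flags every moment where the address or the manufacturer-data token changed without the other. The capture format, function names, placeholder company ID and sample values are assumptions.

```python
# Added example: audit a capture of ONE device under test for identifiers
# that outlive its random-address rotation. All sample data is constructed.
from typing import NamedTuple

MANUFACTURER_DATA = 0xFF  # AD type for Manufacturer Specific Data


class Adv(NamedTuple):
    t: float        # capture time in seconds
    addr: str       # advertiser address seen on air
    payload: bytes  # raw advertising data


def ad_structures(payload: bytes) -> dict[int, bytes]:
    """Split advertising data into {AD type: data}; each entry is [len][type][data]."""
    out, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break  # padding or truncated structure: stop parsing
        out[payload[i + 1]] = payload[i + 2:i + 1 + length]
        i += 1 + length
    return out


def unsynced_rotations(capture: list[Adv]) -> list[tuple[float, str]]:
    """Report transitions where address or token changed but not both."""
    findings = []
    for prev, cur in zip(capture, capture[1:]):
        addr_changed = prev.addr != cur.addr
        token_changed = (ad_structures(prev.payload).get(MANUFACTURER_DATA)
                         != ad_structures(cur.payload).get(MANUFACTURER_DATA))
        if addr_changed and not token_changed:
            findings.append((cur.t, "address rotated, token unchanged"))
        elif token_changed and not addr_changed:
            findings.append((cur.t, "token rotated, address unchanged"))
    return findings


# Constructed capture: flags + manufacturer data with placeholder company ID 0xFFFF.
def _adv(t, addr, token):
    return Adv(t, addr, bytes([2, 0x01, 0x06, 3 + len(token), 0xFF, 0xFF, 0xFF]) + token)

CAPTURE = [
    _adv(0.0, "5A:00:00:00:00:01", b"\x10\x01"),
    _adv(900.0, "6B:00:00:00:00:02", b"\x10\x01"),   # address only
    _adv(1500.0, "6B:00:00:00:00:02", b"\x22\x07"),  # token only
    _adv(2400.0, "7C:00:00:00:00:03", b"\x35\x09"),  # both together
]
```

An empty result from `unsynced_rotations` means every address change in the capture coincided with a token change, so neither value carries over to identify the next one.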