A team of engineers from the University of California, San Diego, has shown for the first time that the Bluetooth signals emitted by our phones have a unique fingerprint that can be used to track individuals’ movements.
Mobile devices, such as phones, smartwatches, and fitness trackers, constantly transmit Bluetooth beacon signals at a rate of about 500 beacons per minute.
These beacons enable features such as Apple’s “Find My” lost device tracking service, COVID-19 tracing apps, and connectivity between smartphones and other devices such as wireless earphones. Prior research has revealed the existence of wireless fingerprinting in WiFi and other wireless technologies. The UC San Diego team discovered that this type of tracking can also be accomplished using Bluetooth.
“This is important because in today’s world Bluetooth poses a more significant threat as it is a frequent and constant wireless signal emitted from all our personal mobile devices,”
said Nishant Bhaskar, a Ph.D. student in the UC San Diego Department of Computer Science and Engineering and one of the paper’s lead authors.
The team of researchers from the Departments of Computer Science and Engineering and Electrical and Computer Engineering presented their findings on May 24, 2022, at the IEEE Security & Privacy conference in Oakland, California.
All wireless devices have minor manufacturing flaws in the hardware that make each device unique. These fingerprints are an unintended consequence of the manufacturing process. These flaws in Bluetooth hardware cause distinct distortions that can be used as a fingerprint to track a specific device. In the case of Bluetooth, this would allow an attacker to get around anti-tracking measures such as constantly changing the address a mobile device uses to connect to Internet networks.
It is difficult to track individual Bluetooth devices. Prior WiFi fingerprinting techniques rely on the fact that WiFi signals contain a long known sequence called the preamble. However, Bluetooth beacon signal preambles are extremely brief. “Because of the short duration, previous techniques are ineffective for Bluetooth tracking,” said Hadi Givehchian, a UC San Diego computer science Ph.D. student and lead author of the paper.
Instead, the researchers devised a new method that does not rely on the preamble and instead examines the entire Bluetooth signal. They created an algorithm for estimating two different values found in Bluetooth signals. These values vary depending on Bluetooth hardware flaws, providing researchers with the device’s unique fingerprint.
Experiments in real life
Several real-world experiments were conducted by the researchers to evaluate their tracking method. In the first experiment, they discovered that 40% of 162 mobile devices seen in public places, such as coffee shops, were uniquely identifiable. They then expanded the experiment and observed 647 mobile devices in a public hallway over the course of two days. The researchers discovered that 47 percent of these devices had unique fingerprints. Finally, the researchers demonstrated an actual tracking attack by fingerprinting and following a study volunteer’s mobile device as it walked in and out of their house.
Although their discovery is concerning, the researchers also discovered a number of difficulties that an attacker will face in practice. Temperature changes, for example, can affect the Bluetooth fingerprint. Certain devices also send Bluetooth signals with varying degrees of power, which influences how far these devices can be tracked. Researchers also point out that their method requires a high level of expertise from an attacker, so it is unlikely to be a widespread threat to the public today.
Despite the difficulties, the researchers discovered that Bluetooth tracking is likely feasible for a wide range of devices. It also does not necessitate sophisticated equipment: the attack can be carried out with equipment costing less than $200.
Next Steps and Solutions
So, what’s the best way to address the issue? Bluetooth hardware would need to be rebuilt and updated from the ground up. However, the researchers feel that there are other, more straightforward options available. The team is presently developing a method to conceal Bluetooth fingerprints in Bluetooth device firmware via digital signal processing.
Researchers are now looking at whether their technology may be used on other sorts of gadgets. “Today, every kind of communication is wireless, and every type of communication is in danger,” said Dinesh Bharadia, a professor at the UC San Diego Department of Electrical and Computer Engineering and one of the paper’s senior authors. “We’re focusing on hardware-based safeguards against possible threats.”
Researchers discovered that just turning off Bluetooth does not always prevent all phones from broadcasting Bluetooth beacons. When turning off Bluetooth from the control center on the home screen of some Apple products, for example, beacons are still sent.
“As far as we know,” Bhaskar added, “the only thing that would certainly deactivate Bluetooth beacons is turning off your phone.” Even while researchers can track specific devices, they are unable to gather any information about the devices’ owners, according to the researchers.