Bluetooth Devices Can Covertly Track Mobile Users

Over the past few years, mobile devices have become extremely useful in engaging users for streaming and other purposes over the Bluetooth Low Energy (BLE) protocol and this is a significant privacy risk.

Indeed, a new research study investigates how your smartphone or laptop gives off unique Bluetooth radio signals that can be identified and used to track your device's location.  

Using Bluetooth signals generated by smartphones, security researchers at the University of California San Diego have developed a method of identifying and tracking users via their smartphones.

“Mobile devices increasingly function as wireless tracking beacons. Using the Bluetooth Low Energy (BLE) protocol, mobile devices such as smartphones and smartwatches continuously transmit beacons to inform passive listeners about device locations for applications such as digital contact tracing,” says the University’s research report .

“The mobile devices we carry every day, such as smart- phones and smartwatches, increasingly function as wireless tracking beacons. These devices continuously transmit short- range wireless messages using the Bluetooth Low Energy (BLE) protocol.”

During the team’s research they discovered that Bluetooth signals, which are continuously being sent by phone, have a unique fingerprint that can be identified.

In addition, they also raised concerns that hackers could exploit this technology in order to track the locations of a target. As a result of this new technique, the current safeguards against telephone stalking could be bypassed easily.

Bluetooth is becoming more and more of a problem in the modern world because it is not only a wireless signal that emits a multitude of signals but also an ongoing one that is emitted continuously from smart devices. WiFi and other wireless technologies are used to do wireless fingerprinting, and this is not a new concept. In all three cases, a WiFi signal depends on its preamble to perform the operation.

Due to the very short preamble of Bluetooth beacons, this technique has historically been unable to provide accurate fingerprinting results.

As a result of this new technique, Bluetooth beacons can be tracked and the unique fingerprint of a target device can be identified. As part of their experiments, the researchers have tested out this new tracking method in real-world situations as well. Initial experiments were conducted on a small scale, where 40% of the total number of mobile devices (162) found in a public area were uniquely identified.

There are many smartphones and other devices that can be targeted by such an attack. A typical attack of this kind will require around $200 worth of equipment and can be conducted on a wide range of gadgets.

In addition, the researchers noted that even when Bluetooth is turned off on a device, the device would emit Bluetooth beacons regardless. In order to stop the beacon from being broadcasted, the beacon itself must be turned off.

The Bluetooth hacks that have been made public in recent months have also exposed a number of other high-profile attacks.The NCC Group findings on BLE hacks in May led researchers to conclude that criminals might be able to unlock and steal Tesla cars if they were using this hack. What this means is that if we have our Bluetooth constantly on and constantly broadcasting, we need to be aware what other apps on our phone are using this information, what permissions they have been granted and how this could benefit commercial tracking which uses Bluetooth technology.

It's likely that you might be able to disable Bluetooth signal "beaconing" by turning off Find My in your Apple account. But that takes away one of the benefits of owning an Apple device. 

Ultimately, the researchers conclude that tracking people via BLE can be done, and some people are more vulnerable than others, depending on conditions and the commonness or uniqueness of the device targeted.

UC San Diego:     BLEMobileApps:    Privacy International:     Cybersecurity News:   

Quora:     Toms Guide:    The Register

You Might Aso Read: 

NSA Warning - Avoid Public Wi-Fi:

 

« CISA Detects Many New Cyber Security Vulnerabilities
Channel 4 TV Launches New Cyber Thriller »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

National Cyber Directorate Israel

National Cyber Directorate Israel

The Israeli National Cyber Directorate provides incident handling services for civilian entities and critical infrastructures and works to increase national resilience against cyber threats.

Avatu

Avatu

Avatu specialise in providing clients the advice, technology and tools they need to fight cyber and insider threats.

Jumpsec

Jumpsec

Jumpsec provides penetration testing, security assessments, social engineering testing, cyber incident response, training and consultancy services.

TUV Sud

TUV Sud

TÜV SÜD is a leading technical service organisation. We specialize in testing, certification, auditing, training, and advisory services for different industries.

BCS Financial

BCS Financial

BCS Financial delivers financial and insurance solutions. Specialty risk products include Cyber and Privacy Liability insurance.

MerlinCryption

MerlinCryption

MerlinCryption develops infrastructure security software, delivering advanced encryption, authentication, and random data generators, for Cloud, VoIP, eCommerce, M2M, and USB hardware.

Semperis

Semperis

Semperis is an enterprise identity protection company that enables organizations to quickly recover from accidental or malicious changes and disasters that compromise Active Directory.

IBA Security

IBA Security

IBA Security is a center of competence consolidating the cybersecurity expertise of the IBA Group.

Mosaic 451

Mosaic 451

Mosaic451 is a bespoke IT managed services provider and consultancy specializing in information security, operations and design.

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI) is an independent, global think-tank. We bring together the world’s top global researchers to undertake ground-breaking research on blockchain technology.

InfoSec Conferences

InfoSec Conferences

InfoSec Conferences is an online directory of infosec conferences. We list every single Information Security conference, event and seminar within every niche in Cybersecurity.

Amnesty Tech

Amnesty Tech

Amnesty Tech's Security Lab leads technical investigations into cyber-attacks against civil society and provides critical support when individuals face such attacks.

Sencode Cyber Security

Sencode Cyber Security

Sencode provides a range of IT security solutions and services, including penetration testing and cyber awareness training to help mitigate the growing risks to your corporate infrastructure.

Cyera

Cyera

Cyera is the data security company that gives businesses context and control over their most valuable asset: data.

Lithuanian Cyber Command (LTCYBERCOM)

Lithuanian Cyber Command (LTCYBERCOM)

The Lithuanian Cyber Command is responsible for planning and execution of operations in cyberspace and installation of strategic and operational communications and information systems.

DOT Security

DOT Security

DOT Security provides advanced security services for businesses of all sizes.