Researchers say a flaw in the Bluetooth communication of many devices is leaving iOS, Microsoft, and fitness wearable users open to tracking.
Devices susceptible to the flaw include popular Apple gadgets like iPads, and iPhone‘s Apple watches as well as Microsoft products and wearable like Surface tablets, laptops, and FitBits.
‘Basically everybody is carrying around a Bluetooth device nowadays in some way, shape, or form, and that makes it very relevant,’ said Johannes Becker, a Boston University graduate researcher on the team, in a statement.
Bluetooth devices like iPhone’s and Microsoft tablets can be tracked by intercepting Bluetooth signals according to researchers. File photo
HOW CAN YOU BE TRACKED VIA BLUETOOTH?
Researchers say a vulnerability in Bluetooth communication may expose users to spying.
The flaw affects users of iOS devices like Apple Watches and iPhones as well as Microsoft tablet owners.
FitBits are among the most vulnerable devices say researchers as they make no attempt to randomize communications.
To help avoid being tracked researchers say you should turn your Bluetooth off when not in use.
This does not apply to FitBit’s and Smart Pens which remain vulnerable at all times.
According to a paper published by the security researchers from Boston University, the exploit focuses on the way devices pair with one another.
Usually, when pairing a device to an external Bluetooth, one end — the main device — acts as a primary connection while the other plays a tertiary role.
The tertiary device sends out a signal — similar to an IP address — that contains data about the connection.
By design, that connection is supposed to be a random address that reconfigures itself, meant to protect a users’ identity, however, by using a ‘sniffer’ program –a public software that scans for Bluetooth connections– researchers were able to ID devices even after addresses changed.
‘Most computer and smartphone operating systems do implement address randomizations by default as a means to prevent long-term passive tracking,’ reads the paper.
‘However, we identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range.’
These ‘advertising events’ can be used to uniquely identify devices say researchers.
Compounding the vulnerability is the fact that the information transmitted between devices is not encrypted, rather related in plain text.
This means data doesn’t need to be hacked, rather it can be identified using public information scraped behind the scenes.
Android devices were not able to be tracked according to researchers, due to a difference in the way the devices communicate with their Bluetooth partner, but iOS, Microsoft, and especially FitBit devices were susceptible.
‘What surprised me the most was discovering a vulnerability with the Fitbit activity trackers,’ says BU senior David Li in a statement.
Devices susceptible to the flaw include popular Apple gadgets like iPads, and iPhone’s Apple watches as well as Microsoft products and wearable like Surface tablets, laptops, and FitBits. Stock image
‘Restarting the device or draining its battery did not change its access address. This was completely unexpected. If the Fitbit’s access address never changes, then an adversary could potentially track a Fitbit owner.’
Though there’s technically no leaked data in the vulnerability, researchers fear that the flaw could enable stalking, abuse, or spying.
Luckily, there is a relatively easy fix that users can employ right on their own devices and it involves simply turning Bluetooth off when it’s not in use.
This, they note, does not apply to smart device’s like FitBits or SmartPens, however, which don’t update or hide their addresses.
Though the flaw isn’t as critical as some vulnerabilities, the documentation represents a ‘food for thought’ piece of the security puzzle, say researchers.
‘There are tons of ways to track people, with or without Bluetooth,’ says Becker in a statement.
‘It’s always good to be aware of the kind of signals you’re sending out, especially in the age of [Internet of Things].’