Skip to content
Researchers warn Bluetooth signals can be used to track device owners via a unique fingerprinting of the radio signal. The technique was presented via a paper presented at IEEE Security & Privacy conference last month by researchers at the University of California San Diego.
The paper suggested that minor manufacturing imperfections in hardware are unique with each device, & cause measurable distortions which can be used as a “fingerprint to track a specific device.”
Radio Sniffer
“To perform a physical-layer fingerprinting attack, the attacker must be equipped with a Software Defined Radio sniffer: a radio receiver capable of recording raw IQ radio signals,” stated researchers in a paper (PDF) titled “Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices.”
Gadgets – e.g. smartwatches, fitness trackers, & smartphones transmit a signal called Bluetooth beacons with an average rate of 500 beacons per minute. These constantly transmitting signals enable the functionality for lost device tracking & COVID-19 tracing apps.
Highly Accurate
The critical insight from the researchers is that Bluetooth can also be used for tracking “in a highly accurate way,” as the previously known wireless fingerprints use to track Wi-Fi & other wireless technologies.
“This is important because in today’s world Bluetooth poses a more significant threat as it is a frequent and constant wireless signal emitted from all our personal mobile devices,” wrote co-author Nishant Bhaskar, a Ph.D. student at UC San Diego.
How Tracking Works
For Wi-Fi, the fingerprint techniques are based on the long string called “preamble,” Bluetooth beacon signals cannot be tracked in the same way because the preamble used is shorter in comparison to Wi-Fi signals.
“The short duration gives an inaccurate fingerprint, making prior techniques not useful for Bluetooth tracking,” wrote co-author Hadi Givehchian, a Ph.D. student at UC San Diego, California.
Algorithm
A new method was designed by the researcher that “doesn’t rely on the preamble” but focuses on the complete Bluetooth signal. The algorithm estimates 2 values. The 2 values are CFO (carrier frequency offset) & I/Q in the BLE signal.
Researchers observed that each varies according to the slight difference in the devices. Then, the imperfections for each packet are calculated by the Mahalanobis distance, and the results determined “how close the features of the new packet” is in comparison to previously recorded fingerprint.
Mahalanobis
Mahalanobis is a technical term described by Wikipedia as: “The Mahalanobis distance is a measure of the distance between a point P & a distribution D, introduced by P. C.”
Researchers continued, explaining; “The MAC address of every BLE device is stable for a limited duration of time, we can receive multiple packets that we know belong to the same BLE device,” the researcher explained. The average of multiple packets can be used to increase identification accuracy.
Real World
The scientist evaluates the results through several ‘real-world’ experiments. Initially, they found 40% discrete signals out of 162 devices in public. Another scaled-up experiment includes 647 devices “in a public hallway across 2 days” and found 47% unique fingerprints.
Factors such as changes in ambient temperature can alter the Bluetooth beacon, as well as the power ratio for different devices affects the distance up to which these devices can be tracked.
The researchers claim that despite these barriers, a large number of devices can be tracked & do not require sophisticated equipment, “the attack can be performed with equipment that costs less than $200.” the researcher noted.
Solutions
At core level, Bluetooth hardware devices have to be redesigned, but the researcher working on an easier solution. The team planned to hide the Bluetooth fingerprints “via digital signal processing in the Bluetooth device firmware”
Also, the team is exploring the possibility that whether the inducing method can be implemented in other devices.
“Every form of communication today is wireless, & at risk, we are working to build hardware-level defences to potential attacks,” wrote co-author Dinesh Bharadia, a Professor at the UC San Diego in California.
“Overall, we found that BLE does present a location tracking threat for mobile devices. However, an attacker’s ability to track a particular target is essentially a matter of luck,” the researcher concluded.
