A recently published flaw in the way some Bluetooth devices advertise themselves can be used to track those devices over time. The affected devices are mainly phones, laptops and other hardware from Microsoft (Windows 10) and Apple (both iOS and macOS).
According to a research paper by researchers at Boston University, the flaw can be used to track users and can also be exploited to leak user data carried in the advertising messages.
How does it work?
Bluetooth-enabled devices announce themselves on unencrypted advertising channels so that other Bluetooth devices can find and connect to them. To prevent tracking over these unencrypted channels, devices broadcast randomized addresses that change periodically instead of their permanent MAC address. The problem is not the randomization itself but the rest of the advertising payload, which is not randomized in step with the address.
The flaw arises because the identifying tokens carried in the advertising payload and the random MAC address do not change in sync. To demonstrate this, the researchers built an "address-carryover algorithm" that exploits this asynchrony: when a new random address appears, the algorithm matches the identifying tokens in its payloads against the tokens last seen under the previous address and links the two addresses to the same device.
This lets the algorithm defeat the anonymity that random addresses are meant to provide on the broadcast channels.
The study covered the Bluetooth Low Energy (BLE) specification, which is part of the current Bluetooth 5 standard. BLE uses random addresses in place of the permanent MAC address, unlike classic Bluetooth, where the broadcast address is static.
The most worrying part of the flaw is that the algorithm does not need to break Bluetooth's security or decrypt anything: advertising messages are sent in the clear, so a passive listener is enough to track the devices.
One thing worth noting is that the attack did not work on the Android devices tested, so Android appears safe from the vulnerability. Devices running Windows 10 (including Surface devices) and Apple's iOS and macOS devices are affected.
How Android managed to avoid this exploit
Android devices behave differently on the advertising channel: by default the Android Bluetooth stack scans for nearby advertisements rather than continuously advertising itself, so there is no stream of advertising messages whose addresses and tokens could be linked. This is why the Android devices tested were immune to the vulnerability.
Is there a solution?
The researchers list several ways in which vulnerable devices could be protected, but all of them come down to the same thing: change the identifying tokens in the advertising payload at the same moment the random MAC address changes, so that nothing carries over from one address to the next.
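The linking step described under "How does it work?" and the synchronized-rotation fix described just above, as an added example that is not code from the Boston University paper or from this article. It simulates one or more devices advertising on a constructed trace and runs a simple address-carryover linker over it: when an address that rotates out of step with its payload token appears, the linker ties it to the previous address, and when both rotate together nothing links. The rotation periods, the 4-byte token, the `Adv`/`make_trace`/`address_carryover` names and the `max_gap` window are all assumptions made up for illustration, not values from the paper.

```python
"""Added example (not from the paper or the article): a minimal simulation of
address carryover on a constructed BLE advertising trace.

Each advertising event is modelled as (time, random address, identifying
token), where `token` stands in for the vendor-specific payload bytes that
survive across an address change.  Periods, names and the trace are
assumptions made up for illustration."""

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Adv:
    t: int        # seconds since the start of the capture
    addr: str     # advertiser's random private address, as captured
    token: bytes  # identifying bytes from the advertising payload


def make_trace(addr_period, token_period, duration, step=100, seed=1):
    """Constructed advertising trace for one device (assumption: one
    advertisement every `step` seconds; address and token each rotate on
    their own fixed period, i.e. the out-of-sync behaviour in the text)."""
    rng = random.Random(seed)

    def new_addr():
        b = bytearray(rng.getrandbits(8) for _ in range(6))
        b[0] &= 0x3F  # top two bits 00: BLE non-resolvable private address
        return ":".join(f"{x:02x}" for x in b)

    def new_token():
        return bytes(rng.getrandbits(8) for _ in range(4))

    addr, token = new_addr(), new_token()
    trace = []
    for t in range(0, duration, step):
        if t and t % addr_period == 0:
            addr = new_addr()
        if t and t % token_period == 0:
            token = new_token()
        trace.append(Adv(t, addr, token))
    return trace


def address_carryover(trace, max_gap=300):
    """Link random addresses into per-device chains.

    Walk the capture in time order.  When an address is seen for the first
    time, check whether its token was most recently carried by a different
    address that was still advertising within `max_gap` seconds; if so, the
    new address is carried over into that address's chain.  Returns the
    chains as lists of addresses in order of appearance."""
    chains = []        # chains[i] is the list of addresses of one device
    chain_of = {}      # addr -> index into chains
    token_owner = {}   # token -> addr that most recently advertised it
    last_seen = {}     # addr -> time of its most recent advertisement
    for adv in sorted(trace, key=lambda a: a.t):
        if adv.addr not in chain_of:
            prev = token_owner.get(adv.token)
            if prev is not None and adv.t - last_seen[prev] <= max_gap:
                chain_of[adv.addr] = chain_of[prev]   # carry over
            else:
                chain_of[adv.addr] = len(chains)      # unlinkable: new chain
                chains.append([])
            chains[chain_of[adv.addr]].append(adv.addr)
        token_owner[adv.token] = adv.addr
        last_seen[adv.addr] = adv.t
    return chains


if __name__ == "__main__":
    # Two devices advertising at once, each rotating address (900 s) and
    # token (1000 s) on separate schedules: every address change is linked.
    capture = make_trace(900, 1000, 7200, seed=1) + make_trace(900, 1000, 7200, seed=2)
    for chain in address_carryover(capture):
        print(len(chain), "addresses linked:", " -> ".join(chain))
    # Same device with token changes synchronised to address changes:
    # each address stands alone and the chain is broken.
    synced = make_trace(900, 900, 7200, seed=1)
    print(len(address_carryover(synced)), "unlinkable addresses when rotation is synchronised")
```

The `max_gap` window plays the role of the timing cue the text alludes to: a new address is only tied to an old one that stopped advertising moments before, which keeps two devices that happen to share a token value in a long capture from being merged. In the out-of-sync run the eight addresses of each device collapse into one chain per device; in the synchronised run each address forms its own chain, which is exactly what the proposed fix is meant to achieve.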
In the meantime, turning Bluetooth off and on again on iOS and macOS devices breaks the chain and serves as a temporary workaround. Unfortunately, this does not help on Windows devices. For a permanent fix, users will have to wait until manufacturers roll out updates.