Bluetooth Flaw Allows Attackers to Indefinitely Track iPhones, iPads, Macs


A recently discovered Bluetooth flaw potentially allows unscrupulous elements to track Apple devices, including iPhones, iPads, Macs and Apple Watches. Apart from Apple devices, the flaw also affects Windows 10 and Fitbit wearables. However, Android devices remain unaffected by the flaw.

The finding is part of a research paper published by Johannes K. Becker and David Starobinski. The paper is titled "Tracking Anonymized Bluetooth Devices" and details how an attacker can use the Bluetooth flaw to passively track a device.

The flaw lies in the way Bluetooth Low Energy is implemented.

Bluetooth Low Energy was first introduced in 2010 and uses non-encrypted channels in order to be visible to nearby devices. Earlier, the protocol broadcast the permanent Bluetooth MAC addresses of devices. In later stages, BLE started using a mechanism that transmits a randomized address, which changes periodically, instead of the permanent MAC address.

Researchers have found a vulnerability in the above-mentioned mechanism. According to the researchers, the randomized address remains static for long enough to be used as a secondary identifier.

“The address-carryover algorithm exploits the asynchronous nature of address and payload change and uses unchanged identifying tokens in the payload to trace a new incoming random address back to a known device. In doing so, the address-carryover algorithm neutralizes the goal of anonymity in broadcasting channels intended by frequent address randomization.”

Attackers can exploit the flaw by linking the current random address to the next one, and thus track the device while it is within range of Bluetooth signals. The researchers also laid out a solution to the issue.

To protect devices from address-carryover attacks, the researchers suggest device implementations should synchronize payload changes with MAC address randomizations.
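The following check is an added example, not code from the research paper or from any vendor. It models what a passive observer can link from a capture of one device's advertisements, and shows why synchronizing payload changes with address changes breaks the chain. The `Adv` record, its `token` field, and both captures are constructed for illustration.

```python
from typing import NamedTuple

class Adv(NamedTuple):
    t: int       # capture time in seconds
    addr: str    # random address seen in the advertisement
    token: str   # identifying token parsed from the payload (hypothetical field)

def observer_identities(events):
    """Number of distinct devices a passive observer would infer.

    An advertisement is attributed to an existing identity when either its
    address or its payload token has been seen before (the carryover step).
    """
    by_addr, by_token, count = {}, {}, 0
    for ev in sorted(events):
        ident = by_addr.get(ev.addr, by_token.get(ev.token))
        if ident is None:  # nothing carried over: looks like a new device
            ident, count = count, count + 1
        by_addr[ev.addr] = ident
        by_token[ev.token] = ident
    return count

def rotation_is_synchronized(events):
    """True when every address change also changed the token, so each
    random address shows up as a separate, unlinkable identity."""
    return observer_identities(events) == len({ev.addr for ev in events})

# Constructed capture: address and token rotate at different times, so each
# new address overlaps with a token already seen under the previous one.
ASYNC_CAPTURE = [
    Adv(0, "addr-A", "tok-1"), Adv(300, "addr-A", "tok-1"),
    Adv(600, "addr-B", "tok-1"),   # address rotated, token carried over
    Adv(900, "addr-B", "tok-2"),   # token rotated under the same address
    Adv(1200, "addr-C", "tok-2"),  # address rotated, token carried over
]

# Constructed capture: token changes in the same advertisement as the address.
SYNC_CAPTURE = [
    Adv(0, "addr-A", "tok-1"), Adv(300, "addr-A", "tok-1"),
    Adv(600, "addr-B", "tok-2"), Adv(900, "addr-B", "tok-2"),
    Adv(1200, "addr-C", "tok-3"),
]

if __name__ == "__main__":
    for name, cap in (("async", ASYNC_CAPTURE), ("sync", SYNC_CAPTURE)):
        print(name, observer_identities(cap), rotation_is_synchronized(cap))
```

In the asynchronous capture all three random addresses collapse into one identity; in the synchronized capture each address stands alone.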

With Bluetooth device adoption growing at a massive scale, they caution that “establishing tracking-resistant methods, especially on unencrypted communication channels, is of paramount importance.”

Until the issue is fixed, you can switch off Bluetooth, or turn it off and on again to generate a new random address.

[via TNW]