A security vulnerability in Bluetooth protocol can allow attackers to identify Apple and Microsoft devices, at least according to new research from Boston University. Device affect include Macs, iPhones, iPads, and Apple Watches, as well as Microsoft tablets and laptops. At this time, Android devices do not appear to be affected.
A Message From Our Sponsor:
The research paper points out that Bluetooth devices use public channels to announce their presence to other devices. Most devices broadcast a randomized address that changes every-so-often, unlike a MAC (Media Access Control) address. The researchers have found that it is possible to extract identifying tokens, which could be used to track a device even after the address changes by using address-carryover algorithm.
“We present an online algorithm called the address-carryover algorithm, which exploits the facts that identifying tokens and the random address do not change in sync, to continuously track a device despite implementing anonymization measures. To our knowledge, this approach affects all Windows 10, iOS, and macOS devices.
The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic.”
The research paper explains a tracking method that could allow for an identity-exposing attack and allows for a “permanent, non-continuous tracking” attack, as well as a iOS side-channel allowing “insights into user activity”.
The research paper contains many recommendations on how to stop attacks that use this method and since Apple is often quick to patch security issues, we may see a fix for this problem soon.
The research paper explains a tracking method that could allow for an identity-exposing attack and allows for a “permanent, non-continuous tracking” attack, as well as a iOS side-channel allowing “insights into user activity”.
The research paper contains many recommendations on how to stop attacks that use this method and since Apple is often quick to patch security issues, we may see a fix for this problem soon.