Low Energy Signals Make Phones and Wearables Easy to Track
May 28, 2015
Bluetooth LE-enabled smartphones and wearables are easy to track and, consequently, so are the people using them, researchers at Context Information Security found. They built a scanning app to prove their point.
Everything has to be connected, that's the new normal. But the primary function of connectedness is sending and receiving data. Data that we may not want anyone who cares to sniff for it to know. We've had the internet around long enough to know that there is a price to pay for insecure data transfers. Such as, say, the email correspondence of entire countries being intercepted and stored.
You'd think the steady stream of reports of compromised systems and data breaches would amp up customer demand for secure systems and have manufacturers scrambling to serve that market with security-by-design products. Especially when those products are being worn.
Not so much.
'It does seem like many manufacturers of wearable technology are keen to get their products to market as quickly as possible, with security sometimes tacked on as an afterthought', writes Scott Lester, senior researcher at Context Information Security (CIS).
Lester and his colleagues researched Bluetooth Low Energy (BLE), a power-efficient version of the Bluetooth wireless technology used in smartphones, fitness trackers and other wearable devices. They discovered that despite the security measures available in the protocol, many devices are uniquely identifiable. Lester did an excellent write-up explaining the technology and its flawed implementations in detail on the CIS website.
The CIS team became interested in BLE when one of them brought an iBeacon to the office. iBeacon is a BLE device from Apple with a single function: broadcast its location to electronic devices in its vicinity by continuously transmitting a universally unique identifier. When a compatible device such as a smartphone picks up the transmission, it triggers a location-based action such as sending an ad when passing a store.
Geo-based services have been around for a while but relied on WiFi or GPS. BLE-enabled devices consume much less power and can run on a button-sized battery for extended periods of time. Location determination is also more precise when within range (about 100 meters).
But BLE's unceasing 'I am here' broadcast also makes for an excellent tracking method. Lester and colleagues found that the broadcast packets often contained fields with identifiable information. Sometimes this information was limited to identifying the manufacturer or device class, but in other cases it was unique, like the name the user has given to the device.
Another way to identify a BLE device is scanning for its MAC address, a unique identifier all network devices have. The BLE protocol has an LE Privacy feature that randomizes the MAC address to ensure untrusted devices cannot trace different MACs to the same physical device. LE Privacy could be the bulwark against people being tracked. However, the CIS team found this feature is disabled in most BLE devices.
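As an added illustration (not code from CIS or from this article), the sketch below audits advertisements recorded from your own devices for the two weaknesses just described: an address that never changes, and a device name that stays constant while the address rotates. The sample records and their field layout are constructed; the address classification follows the top two bits of a random address as defined in the Bluetooth Core Specification.

```python
from collections import defaultdict

# Constructed observations of advertisements from devices under test:
# (seconds since start, advertiser address, random-address flag, local name)
SAMPLE = [
    (0,   "00:1A:7D:DA:71:13", False, "Fitband"),
    (900, "00:1A:7D:DA:71:13", False, "Fitband"),
    (0,   "5B:22:10:9C:44:01", True,  "Anna's watch"),
    (900, "62:8E:03:17:AA:F0", True,  "Anna's watch"),
    (0,   "4C:90:11:2B:3C:7E", True,  None),
    (900, "71:05:CE:40:19:D2", True,  None),
]

def address_kind(addr, is_random):
    """Classify a BLE advertiser address by its type flag and top two bits."""
    if not is_random:
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static random",
            0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(top_bits, "reserved")

def audit(observations):
    """Report identifiers that stay constant across observations."""
    seen_at = defaultdict(set)     # address -> times it was seen
    name_addrs = defaultdict(set)  # local name -> addresses that used it
    kinds = {}
    for t, addr, is_random, name in observations:
        seen_at[addr].add(t)
        kinds[addr] = address_kind(addr, is_random)
        if name:
            name_addrs[name].add(addr)
    # Public and static random addresses do not rotate: LE Privacy is off.
    stable = {a for a, k in kinds.items()
              if k in ("public", "static random") and len(seen_at[a]) > 1}
    # A constant name links rotating addresses back to one device.
    linked = {n: a for n, a in name_addrs.items() if len(a) > 1}
    return {"stable_addresses": stable, "name_links": linked}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the constructed data, the first device fails because its public address never changes, the second rotates its address but is still linkable through its user-assigned name, and the third exposes neither.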
Having gathered all that intel on BLE, Lester and co proceeded to build a smartphone app to scan for BLE devices: 'we added functionality to make it run as a background service, to store its data in a database, to log the logging of each device it sees, to export its database to the SD card, and to plot the location of the device on a Google Maps plugin', writes Lester. Which is a convoluted way of saying: we built a creepy tracking application.
They built it to serve as a warning:
'Whilst wearable technology and other applications are becoming increasingly popular, do many of the owners of these devices realize that they broadcast constantly?
'Scanning for these broadcasts is easy either with cheap hardware or with a smartphone. This allows us to identify and locate particular devices, which for devices such as fitness trackers that are designed to be worn all the time, means that we can identify and locate a person, to within a limited range.
'There are clear implications to privacy, just as there are ways that this technology could be exploited for social engineering and crime.'