They developed a method to identify and track phones using Bluetooth signals 

A group of researchers from the University of California at San Diego has developed a method to identify mobile devices through the beacon signals sent over the air via Bluetooth Low Energy (BLE), which passive Bluetooth receivers use to detect when new devices are in range.

Depending on the implementation, beacon signals are sent at a rate of approximately 500 times per minute and, as intended by the creators of the standard, are completely anonymized and cannot be linked to a user.

"This is important because in today's world Bluetooth poses a more significant threat as it is a frequent and constant wireless signal emitted from all of our personal mobile devices," said Nishant Bhaskar, Ph.D. student in the UC San Diego Department of Computer Science and Engineering and one of the paper's lead authors.

In reality, the situation turned out to be different: when a beacon is sent, the signal is distorted by characteristics that arise during the manufacturing of each individual chip. These distortions, which are unique and constant for each device, can be detected using typical programmable transceivers (SDR, Software Defined Radio).

The problem manifests itself in combo chips that combine Wi-Fi and Bluetooth functionality. They use a common master oscillator and several analog components operating in parallel, whose output fluctuations lead to asymmetry in phase and amplitude. The total cost of the equipment needed for the attack is estimated to be approximately $200. Code samples for extracting unique labels from an intercepted signal are posted on GitHub.

“The short duration gives an inaccurate fingerprint, making previous techniques useless for Bluetooth tracking,” said Hadi Givehchian, also a Ph.D. student in computer science at UC San Diego and main author of the paper.

In practice, the identified characteristic allows a device to be identified regardless of identification protections such as MAC address randomization. For the iPhone, the reception range sufficient for identification was 7 meters with the COVID-19 contact tracing app active. For Android devices, greater proximity is required for identification.

Several experiments were carried out in public places such as coffee shops to confirm that the method works in practice.

During the first experiment, 162 devices were analyzed, and unique identifiers could be generated for 40% of them. In the second experiment, 647 mobile devices were studied and unique identifiers were generated for 47% of them. Finally, the researchers demonstrated that the generated identifiers could be used to track the movement of devices belonging to volunteers who agreed to participate in the experiment.

The researchers are also exploring whether the method they developed could be applied to other types of devices.

“All forms of communication today are wireless and at risk,” said Dinesh Bharadia, a professor in the UC San Diego Department of Electrical and Computer Engineering and one of the paper's lead authors. "We are working to build hardware-level defenses against potential attacks."

The researchers noted that simply disabling Bluetooth doesn't necessarily stop all phones from emitting Bluetooth beacons.

For example, beacons are still emitted when turning off Bluetooth from Control Center on the Home screen of some Apple devices. “As far as we know, the only thing that definitely stops Bluetooth beacons is turning off your phone.”

The researchers also noted several problems that make identification difficult. For example, the beacon's signal parameters are affected by changes in temperature, and the distance at which the fingerprint can be received is affected by changes in the Bluetooth transmit signal strength on some devices.

To block this identification method, it is proposed to filter the signal at the firmware level of the Bluetooth chip or to use special hardware protection methods. Disabling Bluetooth is not always enough, as some devices (such as Apple smartphones) continue to send signals even when Bluetooth is turned off, so the device must be turned off completely to stop transmission.

Finally, if you are interested in knowing more about it, you can check the details at the following link.

