Today, nearly everyone carries devices that wirelessly connect to devices and a multitude services, looking to make our life more convenient; more connected. To some, there’s a concern about carrying devices that essentially are a uniquely-identifiable tracking beacon, leaving digital traces as you move through the physical (and even virtual) world.
In the physical world, a “MAC Address” is a unique identifier for a device’s network communications. Bluetooth, as of Bluetooth 4.0, uses a method of periodically changing your device’s MAC address used for “advertising.” These advertising broadcasts announce to Bluetooth-capable devices that your device is present to pair with. This is how your phone automatically re-pairs with your car or headset when you’re within range. While traveling around, your device is sending out these announcement beacons, which are able to be detected by devices you pass near. If these listening devices are reporting back to a server, you could effectively be tracked. This is indeed a very lucrative market and is currently widely exploited by many services and locations, such as retail centers or even zoos.
With the randomization of MAC addresses in advertising beacons, branded Bluetooth LE Privacy, your device still needs to be able to be identified by devices you actually do want to pair with. To accomplish this, your device sends a bit of unique data along with your device’s randomized MAC Address in the advertising beacon. Obviously, with this data being also unique, it’s specified to allow the manufacturer to randomly change it as well, thus maintaining the anonymizing protections.
However, a group of scientists from Boston University [PDF], have found that even though Bluetooth LE randomizes MAC Addresses periodically, and the unique payload data string is randomized as well, they are randomized at different intervals. This opens up a device to be continuously tracked as long as the device remains in range of the network of sensors (such as the duration of a visit to a shopping mall that utilizes tracking devices), since the MAC or payload can interchangeably be used to link packets together.
How can we prevent being tracked now?
For Windows 10 devices, merely turning Bluetooth off and back on again does not regenerate the payload nor MAC Address used for advertising. However, if you go into Device Manager and disable the Bluetooth device itself and then re-enable it, it does cause both the payload and MAC Address to be regenerated, thus breaking the tracking chain.
In iOS and macOS, you can simply switch Bluetooth off and on in the System Settings and that will randomize the payload and MAC Address.
According to the paper, “We observed Android advertising addresses to change in intervals of about 15-45 minutes. However, the observed Android smartphones use a completely different advertising approach than Windows or iOS/macOS, making them immune to the address-carryover algorithm. The tested Android phones never send out manufacturer-specific data or other potentially device-identifying data in regular intervals. Instead the OS scans for advertisements of other devices when the Bluetooth settings are opened by the user. Due to the lack of active, continuous advertising, identifying tokens cannot be assembled, making the observed Android devices immune to the carry-over algorithm.”
For smartwatches, they collected limited data, but determined that the MAC Address of Fitbit smartwatches is randomized, but the payload is static and identical to all Fitbit devices of the same model. This makes it trackable if it’s the only Fitbit device in proximity, but not meaningful if there’s multiple devices near each other.
The scientists propose three recommendations to fix this flaw long-term:
Synchronize payload changes with address randomizations.
Implement address randomization for low-powered devices.
Implement reconnection addresses using Identity Resolving Keys (see Section 3.3 of their paper)
Until manufacturers implement a fix, and apparently only if you use Windows or iOS/macOS and are concerned about tracking, you can remember to utilize the workarounds to mitigate your tracking risk, or simply disable Bluetooth altogether when you don’t need it.