tl;dr: Your phone gives off a Bluetooth signal that is often unique due to variation in manufacture. A motivated attacker could isolate what your phone's pattern is (if it's unique enough) by following you to a few different locations and checking what pattern repeats.
This is a lot less powerful than I expected from the title but perhaps I'm not thinking big enough. A powerful adversary could set up sniffers all over the city and track the population, I guess, but I imagine the value of this method goes down the more phones that are being distinguished (variability among millions of phones probably means a lot of overlap, especially considering it doesn't seem that variation in signal is consistent).
>A powerful adversary could set up sniffers all over the city and track the population, I guess, but I imagine the value of this method goes down the more phones that are being distinguished (variability among millions of phones probably means a lot of overlap, especially considering it doesn't seem that variation in signal is consistent).
You may be able to achieve the same goal without exploiting this security weakness.
A few years back I built a "people counter" app - it was mostly a learning exercise to see what I could do with the Android Bluetooth API, but I was also curious to see how useful a signal Bluetooth might be in finding the least crowded car on a packed commuter train. After a week of testing it on the ride home I had data to suggest that it was. I also found that based on MAC addresses and device names I was among the same group of strangers most nights of the week. And this was despite MAC address randomization which IIRC was already implemented in iDevices.
An adage of computer security: Direct access to a machine = no security. (paraphrased and grossly simplified here.)
I feel this extends to surveillance of this type: the threat seems much less important if it can only be conducted when access to the individual is already required.
Say we’ve followed some chap around and identified this issue with his phone or watch etc - and we can then keep tracking this chap on the proviso that we are nearby to confirm an ID, he has those items with him and we have our sensors ready and waiting.
If you’re not expecting it back they’ll wait until an exploit exists or copy it encrypted and wait. Example: I held a broken PS3 of my friend's and I promised I’d return it to him (he broke the Blu-ray, so he couldn’t play games) once a hack existed. The hack was released, and he copied the games he had onto the PS3 HDD. The encrypted disk will probably have a (hardware) exploit eventually, or they’ll hold onto it until there’s a quantum crack.
“Hold onto it until there’s a quantum crack” is the same as it being secure. That’s far more secure than it being online, decrypted, and attached to the Internet like most phones and computers now.
I give an encrypted laptop/machine and I want the other party to prove that having access to the device = no security and so they can read data out of it.
No if, no but: I give the machine, show me that having it=no security.
I think what is implied is that if an attacker has direct access to your machine and you continue to use it, they'll implant some kind of keylogger and get to your data this way.
Now if you don't get the laptop back, your data is as secure as the encryption implementation of your OS.
I'd bet it's secure enough against anything that is not the NSA / equivalent foreign agencies. Now would I bet against those big players? Certainly not.
> I'd bet it's secure enough against anything that is not the NSA / equivalent foreign agencies. Now would I bet against those big players? Certainly not.
Which is another shortcut that boils down to saying "nothing is secure".
I'm not saying nothing is secure, I'm saying that there's no way to be sure.
Even if the math is bulletproof, are you sure the software implementation is bulletproof too?
Even then, maybe there's something in your hardware that defeats the whole thing, who knows?
When the stakes are so high that these kinds of agencies are trying to get your data, it would be a risky bet to assume they won't be able to crack your encrypted partition.
I'm pretty sure if you ask them nicely to give you a few of their old encrypted hard drives they wouldn't comply. Why not?
No, this reasoning doesn't convince me because it's still "but what if". Like when people keep telling us we just have to travel the stars to planet B and it's possible because maybe we'll pretty soon discover FTL.
> When the stakes are so high that this kind of agencies are trying to get your data, that would be a risky bet to assume they won't be able to crack your encrypted partition.
I do agree. Even if I knew the NSA was after me and I knew how to secure my laptop with custom Libreboot and other things, I strongly believe the laptop should not be used to discuss matters or store data related to activities that got the agency on my back. I will make a human error and compromise myself before they need to use strong tech against my laptop.
I think that's what (paraphrased and grossly simplified here.) means.
In most cases the adversary would choose to use their physical access at a time when you will use it again afterwards, so they could install a hardware keylogger. Cases where you will never use the machine again are more the exception than the rule.
It wouldn't be infeasible for the intelligence services to require Intel to pre-install a keylogger into the ME of every unit sold to the public. Should we assume adequate precautions on your part?
Never heard of it? On x86 he’s not wrong, Intel ME and AMD ST are enabled in mobos and Intel ME runs another secret MINIX OS that bypasses all your security.
>The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. This issue can be mitigated with deployment of a hardware device, which is able to disconnect mains power.
>The Intel ME is an attractive target for hackers, since it has top level access to all devices and completely bypasses the operating system. The Electronic Frontier Foundation has voiced concern about Intel ME and some security researchers have voiced concern that it is a backdoor.
> Intel's main competitor AMD has incorporated the equivalent AMD Secure Technology (formally called Platform Security Processor) in virtually all of its post-2013 CPUs.
You can buy boards with it disabled, some Dell devices have the option to disable it, some flashing can be done on mobos to clear ME unofficially, but assume everything has it unless you know otherwise.
It changes the scope from "access to device = no security" to "access to device by NSA people with a very specific set of skills and most likely some prep work = no security" and I won't fight it, it's right. Not possible for the random HN user though and it still means some very specific circumstances.
Circumstances that need someone to compromise my laptop at some point after it got out of the factory. From reading the Wikipedia article it's not clear ME leaves a backdoor or store user passwords or keys somewhere on the computer in case an NSA agent needs to access data.
I think my encrypted devices are safe, unless the NSA or a nation state wants its data.
Hmm. Seems you need to enable ME in my laptop BIOS.
Can it be easily done if the BIOS is locked down?
And then what's the next step? You start the laptop, give it an IP through MAC address on the router or direct Ethernet link, connect to ME, but how do you get to the data off of the encrypted partition/OS?
I assumed that every store has been doing this for years. One of the major complaints of iOS 13 (or maybe 12?) was that by default it automatically enabled Bluetooth every morning even when you manually disabled it.
It only re-enables auto-joining devices every morning, it doesn't re-enable the BT radio if you disable it in settings. Bluetooth stays on after you hit the control center toggle because most consumers want that button to mean "don't connect to any BT audio devices", not "disable connection to my apple watch".
If you are sharing BT headphones between multiple devices this is horrible. I turn off BT on the device where I do not need the headphone to avoid BT connection confusion.
That’s only because you don’t use AirPods. And I don’t actually mean that snarkingly. I’m a truly lazy person, so I bought AirPods just because I knew they’d work and I wouldn’t have to fiddle with them. But reading these kinds of replies, especially in a tech savvy forum, makes me realize how valuable these little conveniences are
Would have been nicer of Apple to just contribute a generic improvement back to the Bluetooth Standard, instead of solving a problem by creating "AirPods Bluetooth" and split the market.
Using that course, Google went and made Google-custom enhancements to Bluetooth as well, to apply nearly the same improvements to the user experience as Apple did.
And now here we are, with a universal standard that should work across different products and industries, but for good user experience you now have to brand-match your Bluetooth devices...
Really sad to watch common standards die. With all its flaws aside, I wonder if anything like Bluetooth would even be possible to happen today...
Bluetooth as a standard is pretty botched, sadly. If I understood correctly it is a bunch of only loosely related protocols between major versions. And implementations often seem to be lacking. At least my experience with BT is horrible and over time loaded with hate and anger.
Interesting to hear that Apple managed to solve the issues within their closed ecosystem. So at least a solution DOES exists. The world could be so much better!
Agree that it would be nice if those solutions could penetrate the non-Apple world also.
Same here, I'm fairly certain that's a thing [1]. Anecdotally, I've started turning off wifi/Bluetooth in the parking lot before entering a big box store like Walmart, and it seems like I get less ads for stuff in the aisle of the store I walked down.
Ironically, this method of tracking is one of the counter-arguments I've heard to the "Facebook is recording my conversations" theory.
I don't know enough about it to understand how this attack is different than in-store phone tracking.
Did you disable it in the control panel or in settings? IIRC it used to temporarily disable it from control panel but permanently from regular settings.
It kind of astounds me that so many people are willing to use a product whose UI so blatantly and unapologetically violates its users' consent. I would have immediately run for the hills.
Don’t care because it actually does what I want. I turn off Bluetooth or wifi usually because something isn’t working or I just want a quick way to disconnect from Bluetooth audio. I like that it turns it back on for me when I forget.
> I imagine the value of this method goes down the more phones that are being distinguished (variability among millions of phones probably means a lot of overlap
If you're building up profiles, wouldn't you build them up enough to be able to later disambiguate phones with identical signatures that got too close to each other? The devices are probably each going to more-or-less continue in their long-established habits after they part. I guess that adds a bit of irregular latency, because you'd often have to label some device/location pairs retrospectively.
I turn Bluetooth on (manually) when I get into my car and I turn it off when I leave. Same with WiFi and my house. That's because of battery and privacy. Sometimes I forget, it's more trouble than most people want to go through and it's feasible only because I don't have watches and headsets but it's worth it IMHO.
If you need to hack the physical layer of a protocol to identify a phone, you are doing something very wrong.
I guess any wireless channel will have the same vulnerability, but your phone already identifies itself on a huge variety of ways with much more standard interfaces.
By the way, you are already tracked countrywide. The only questions are whether your phone operator is allowed to keep the data and whether it does.
I think your cynicism is fair. In fact I'd go further and say I already expect people are tracked around cities (by skin colour, facial recognition, clothing, travel card (for public transport heavy cities)). Any digital signals (WiFi, BT) are just going to be extensions of those systems rather than any revolutionary new surveillance measures.
Do you really or is your phone lying to you? IIRC both iOS and Android still responded to beacons on some versions, even with Bluetooth set to "off" in the settings.
Why use sniffers when all you need is to get people to download some app on their phone that allows access to the bluetooth stack and then phone home the results? That way other phones will act as the receivers and finger printers without having to install anything at all. The phones fingerprint each other.
Right, so we are to believe that Apple went through all of the trouble to randomize the MAC address, only to broadcast the literally hundreds of SSIDs I have stored over the years. And waste battery life doing so.
And why? It isn’t necessary, the access points broadcast their SSID so you just need to listen to the radio to know what’s around you.
I have looked for information on this but not found it. If this issue really exists, please provide a link to a description.
For sure a much higher risk of being tracked than the imaginary risk of being tracked by microchips in Covid-19 vaccines, that many anti-vaxxers fear so much.
And yet they keep using their phones to spread lies and hate on Facebook.
On a meta note, I'm getting more and more agitated by these blatantly false, hyped up titles by respectable outlets. I hope that one day we as a society will frown upon this practice so much that all but the most tabloidy writers would be ashamed to use it.
Perhaps we on HN need to start this by changing such submission titles, or marking them as misleading. There's a bit of this already in the form of comments. I've made a habit of checking them out before even clicking the article for this exact reason.
Frankly, I saw ieee.org and I decided to click to the comments first rather than the article, because IEEE is unfortunately not trustworthy or respectable.
I probably would have clicked through if it was krebsonsecurity or some other security research team's blog.
What a world we are living in. IEEE isn't trustworthy (and I agree), while some personal love projects are (I also agree here).
IEEE used to be the accountability termination for an entire set of professions. Or, well, they still are. They are on the position where they just can't be wrong. They shouldn't wander on low-credibility activities.
Using bluetooth to track devices? How is this news.
Commercial tools have been available to do just this for a decade. Cities commonly use Bluetooth sniffers to gather LAPs from passing cars to estimate travel times and detect traffic jams. I'd bet good money that the device used in this article was an Ubertooth, a basic tool that I have had in my wifi tricks box for nearly ten years. Such basic sniffers are integrated into many commercial solutions. If you are running with your Bluetooth system powered on you have effectively opted into every such system.
"Our advanced queue warning systems use Bluetooth and WiFi to collect information from and about vehicles. If it’s taking longer than normal for vehicles to travel a certain distance, you can alert drivers to change their plans."
But this isn’t that. That kind of “collect BT MACs” is old news, yes. This tracks BT _antennas_ independent of the data that is sent out. This basically makes any kind of anonymisation impossible (given sufficiently sensitive equipment sufficiently widely distributed etc).
I wouldn’t think that it is a massive problem as most of the “I want to know how fast people move” level of information is simply independent of being able to actually identify the specific person. But maybe I’m underestimating the willingness to grab data or overestimating how sensitive the equipment needs to be to be reliable
I mean, no shit? That's why you turn off Bluetooth when not using it. And wifi too. You don't want your phone broadcasting its presence to every device listening in the vicinity.
Doesn't that mean that all the MAC address rotation that's been added to WiFi and Bluetooth devices achieved a lot less? It raises the difficulty a bit (you probably need an SDR vs any Bluetooth device) and may have already been known, but it should still be mitigated.
If the Apple AirTag things are as affected that could be a huge problem.
Frequency and IQ mismatch aren't likely to be stable across time and temperature enough to put in a database and use the next day, and certainly aren't going to be anywhere near unique enough to track everyone, everywhere.
It's not quite clickbait... it's interesting research.
You should definitely use randomized MAC addresses though.. that helps a lot.
This is more of a side-channel sort of thing. I'm honestly not too concerned.
> However, an attacker's ability to track a particular target is essentially a matter of luck.
That being said, their proposed solution seems elegant enough:
> a random time-varying extra frequency offset could be added to devices, which would alter the signal frequency periodically and make it difficult for an attacker to distinguish the device's unique signature
Doesn't this disrupt normal Bluetooth communication? For BT to work, the central and peripheral have to agree on a frequency hopping sequence and a time interval.
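An added example (my own, not from the article or the paper) that simulates the carrier-frequency-offset (CFO) fingerprint with the Python standard library and then applies the proposed per-packet random offset to see what it does to identification. On the hopping question: hopping picks among 2 MHz-spaced channels, and every BLE receiver already estimates and corrects a per-packet CFO (the Core spec tolerates ±150 kHz initial offset), so a random jitter of tens of kHz leaves the link intact and only blurs the sniffer's match against enrolled devices. The device offsets, sample rate and SNR below are constructed; IQ imbalance, the paper's other feature, is not simulated.

```python
import cmath
import math
import random
import statistics

# Simulation constants (constructed; not real BLE numbers).
FS = 8_000_000       # complex sample rate, Hz
N_SAMPLES = 1024     # samples per packet used for estimation
SNR_DB = 30.0        # sniffer SNR

# Constructed per-unit carrier offsets (Hz). A +/-20 ppm crystal at 2.4 GHz
# lands anywhere within roughly +/-48 kHz, and the value is fixed per unit.
DEVICES = {
    "phone-A": -31_000.0,
    "phone-B": -9_000.0,
    "phone-C": 4_000.0,
    "phone-D": 22_000.0,
    "phone-E": 37_000.0,
}


def transmit(cfo_hz, rng, n=N_SAMPLES, fs=FS, snr_db=SNR_DB):
    """Complex-baseband tone at cfo_hz plus white Gaussian noise.

    Stands in for the preamble/access-address part of a packet as seen by
    a sniffer already tuned to the nominal channel centre.
    """
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)
    return [
        cmath.exp(2j * math.pi * cfo_hz * k / fs)
        + complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma))
        for k in range(n)
    ]


def estimate_cfo(samples, fs=FS):
    """Offset from the mean phase step between consecutive samples.

    This is the same per-packet estimate a normal receiver makes to correct
    the offset before demodulating; a sniffer simply keeps the number.
    """
    acc = sum(samples[k] * samples[k - 1].conjugate()
              for k in range(1, len(samples)))
    return cmath.phase(acc) * fs / (2 * math.pi)


def estimate_one(cfo_hz, seed=1, snr_db=SNR_DB):
    """Single-packet estimate for a given true offset (deterministic seed)."""
    return estimate_cfo(transmit(cfo_hz, random.Random(seed), snr_db=snr_db))


def run_experiment(jitter_hz, packets=120, seed=7):
    """Enrol each device from 5 packets, then identify fresh packets.

    jitter_hz models the mitigation: every transmission adds a fresh random
    offset in [-jitter_hz, +jitter_hz] on top of the hardware offset.
    Returns the fraction of packets attributed to the right device.
    """
    rng = random.Random(seed)

    def one_packet(cfo):
        return estimate_cfo(transmit(cfo + rng.uniform(-jitter_hz, jitter_hz), rng))

    enrolled = {name: statistics.mean(one_packet(cfo) for _ in range(5))
                for name, cfo in DEVICES.items()}
    names = list(DEVICES)
    correct = 0
    for _ in range(packets):
        name = rng.choice(names)
        est = one_packet(DEVICES[name])
        guess = min(enrolled, key=lambda d: abs(enrolled[d] - est))
        correct += guess == name
    return correct / packets


if __name__ == "__main__":
    print(f"no mitigation:    {run_experiment(0.0):.2f} identified correctly")
    print(f"+/-50 kHz jitter: {run_experiment(50_000.0):.2f} identified correctly")
```

With five devices, chance level is 0.2; the jittered run lands well below the unmitigated one because the jitter range exceeds the spacing between units' fixed offsets.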
I was sitting in the office in the early days of the pandemic when my phone suddenly buzzed. "Allison's iPhone is trying to connect to your device." I rejected the request because I had no idea who Allison was. A minute later, I hear someone at the door. I was alone in the office, so I introduced myself, and asked if she had tried to connect to a Bluetooth device. She had not touched her phone at all.
This gave me an idea: I scanned for nearby Bluetooth devices while walking in the office. Turns out, there were lots of people in the building each thinking they were alone.
Just for fun, I set up a Raspberry Pi that constantly tracks Bluetooth devices nearby and records their MAC addresses. Every time a new device shows up, it pings me. And when they disappear it also tells me.
Everyone has Bluetooth turned on now because of wireless earbuds. You can easily track people like that.
Huh, privacy side channel exploiting differences in Bluetooth signals, letting some phones be tracked. Not earth shattering but interesting I guess.
The language in the article is a bit loose. Says 40% of phones are compromised, when they mean 40% of phones may be trackable. This doesn't compromise the phone. It might compromise the owners location.
What about MAC addresses that are usually permanent? Are they not available without pairing?
A lot of cities in my country already have WiFi access points on almost every street crossroads, making it trivial to implement WiFi MAC tracking surveillance. Apart from that, we also recently received APs on trains and one might argue they are used for statistics of train passengers.
Does anyone know of any proven IRL example of this?
Ethernet and wifi MAC addresses are not permanent.
On Linux machines you've been able to change Ethernet MAC addresses for something like two decades. MacOS X has easily accessed MAC address configuration, also possible for many many years. Ditto for wifi cards.
iOS 14 and above uses a randomized wifi mac address on a network unless you specifically turn it off. iOS 8 or 9 introduced MAC address randomization for broadcast stuff like network probes.
Android 10 does the same (it was available in 9 under dev options.)
For Bluetooth, it sounds like BTLE allows for some forms of mac address randomization that was intended to improve privacy, but it's been defeated: https://9to5mac.com/2019/07/18/bluetooth-flaw/
Bluetooth smart watches, headphones, car audio, sports sensors (heartrate, running gait sensors) have made it completely trivial to track someone's whereabouts. Assume that almost any major retailer has long since associated MAC addresses with a customer profile on you. There's a reason Amazon makes it impossible to use Prime at Whole Foods without your cell phone running the app or having the website up with a live connection; the QR codes are valid for barely a few minutes.
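Added example (mine, not the commenter's or any project's code) for checking the BLE address randomization mentioned above on your own device: it classifies an advertising address by the TxAdd flag and the top two bits of the first octet, and flags addresses that are fixed identifiers or private addresses kept longer than the 15-minute rotation interval the Core spec recommends. The observation log is constructed; `max_lifetime_s` is an assumed threshold, not a hard rule.

```python
# BLE device address sub-types (Core spec, Vol 6 Part B, section 1.3).
# The TxAdd bit of an advertising PDU says whether the address is public or
# random; for a random address the two MSBs of the first octet give the kind.


def classify_address(addr: str, random_flag: bool) -> str:
    """Return the address kind for a colon-separated 48-bit BLE address."""
    octets = [int(x, 16) for x in addr.split(":")]
    if len(octets) != 6 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address: {addr}")
    if not random_flag:
        return "public"                  # IEEE-assigned, never changes
    top = octets[0] >> 6
    if top == 0b11:
        return "random-static"           # fixed until the device resets it
    if top == 0b01:
        return "resolvable-private"      # rotates; resolvable only with the IRK
    if top == 0b00:
        return "non-resolvable-private"  # rotates; cannot be resolved at all
    return "reserved"


def audit_observations(observations, max_lifetime_s=15 * 60):
    """Flag trackable addresses in a capture of ONE device's advertisements.

    observations: iterable of (t_seconds, addr, random_flag).
    Returns a list of (addr, kind, reason) for anything worth fixing.
    """
    first_seen, last_seen, kinds = {}, {}, {}
    for t, addr, random_flag in observations:
        kinds[addr] = classify_address(addr, random_flag)
        first_seen.setdefault(addr, t)
        last_seen[addr] = max(t, last_seen.get(addr, t))
    findings = []
    for addr, kind in kinds.items():
        lifetime = last_seen[addr] - first_seen[addr]
        if kind in ("public", "random-static"):
            findings.append((addr, kind, "fixed identifier, trackable across sessions"))
        elif lifetime > max_lifetime_s:
            findings.append((addr, kind, f"private address kept for {lifetime}s"))
    return findings


# Constructed capture: (seconds since start, address, TxAdd random flag).
SAMPLE_OBSERVATIONS = [
    (0, "5E:11:22:33:44:55", True),     # RPA, replaced after ~10 min: fine
    (600, "5E:11:22:33:44:55", True),
    (660, "4F:66:77:88:99:AA", True),   # next RPA
    (1300, "4F:66:77:88:99:AA", True),
    (0, "C8:0A:0B:0C:0D:0E", True),     # static random: fixed identifier
    (2000, "C8:0A:0B:0C:0D:0E", True),
    (0, "7C:1F:3A:00:11:22", False),    # public address: fixed identifier
    (0, "6A:00:00:00:00:02", True),     # RPA never rotated in 40 min
    (2400, "6A:00:00:00:00:02", True),
]

if __name__ == "__main__":
    for addr, kind, reason in audit_observations(SAMPLE_OBSERVATIONS):
        print(f"{addr}  {kind:24s} {reason}")
```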
The real MAC address only reveals itself when connected to WiFi, so yes only to paired APs. The WiFi access points will get the data but on the street they’re randomized. Looks like iOS 14 and up changes the WiFi MAC per AP
> iOS 14, iPadOS 14, and watchOS 7 introduce a new Wi-Fi privacy feature: When an iPhone, iPad, iPod touch, or Apple Watch connects to a Wi-Fi network, it identifies itself with a unique (random) MAC address per network.
Huh? Bluetooth seems the most inefficient possible way to track a phone. The cellular radio has much more interesting info, and there are so many apps that leak location data that it hardly seems worth the trouble.
How long until this gets exploited for surveillance capitalism? Unfortunately I doubt much effort to defeat this form of fingerprinting will happen until it is already being abused.
Edit: Upon reading the cited paper, the final sentence in the conclusion states that being able to track a target is "essentially a matter of luck", so that's somewhat relieving.
Well not really, all that means is that the surveillance company would need to augment the dataset with other features to get an accurate result. Also, I doubt they actually care about tracking you on a minute to minute basis. Knowing that you went to the pet store with 30% certainty, 4 times this year, is enough to pin you as a pet owner and send you pet-related ads. The same applies for an oppressive government. Knowing that you went to a protest 5 times this month, with 30% certainty, is enough for you to get sent to a reeducation camp, or at least send some officers to surveil you and catch you in the act.
Your credit card company knows all your purchases and your legal name, combined with what the ISP knows about your web browsing and google maps/cell provider with all your consistent location data, they have a very strong profile already not even including social media. This is small and irrelevant against way more advanced profiles they make with troves of your user data.
I hate that Apple forces bluetooth and wifi on each day. I wish I could just turn it off and leave it off. Though the article did mention some phones still emit a distinct signal even with the bluetooth off. This is why I am still considering jailbreaking. I have not done it in a while but every once in a while am reminded that Apple really wants to lock down this device I bought. I would like to just have my phone do what I want. If I was jailbroken I could use RealCC and turn wifi and bluetooth off permanently not just for 24 hours.
It isn’t silly at all, if you consider most people don’t care about the internal state of some radio, but are opening the quick toggle menu for the purpose of connecting/disconnecting to specific networks. It is more mentally consistent if you realize they swapped the on/off button in the quick access menu for a more useful button: the network selector (long press to access it). Both functions are still present in the full settings as always.
Dear Apple, can we please have headphone jacks back on at least one model? High-quality wired headphones can create a business incentive for headphone jacks.
Bonus points for a physical switch to disable all radios (Bluetooth, UWB, Wi-Fi, cellular).
They're never coming back, and they don't care about it or your opinion; you aren't the customer they are interested in and sales are even better than before.
>High-quality wired headphones can create a business incentive for headphone jacks.
Why do you think they removed it? They made it to sell more expensive BT headphones; they made a lot more money after removing the headphone jack. You can't even disable wireless in the control center so why would they want to make a physical switch?
> They made it to sell more expensive BT headphones
There's some crazy-expensive wired headphones out there, which don't stop anyone from buying pricy BT headphones. If they want to maximize rent-seeking, create a new proprietary wired port.
> why would they want to make a physical switch?
Charge a premium for a new tier of phone? Reclaim some credibility lost from the push for on-device content scanning?
Apple Touch Bars were once inevitable, but are now gone. Touch ID, functional keyboards and Mag Safe have returned. Framework is shipping a well-received laptop with modular ports. GPD Pocket 3 has an HDMI input port which would be welcome on an iPad Pro. Former leaders of the Apple Silicon team are now at Qualcomm-ex-Nuvia and will influence future PC OEM Arm laptop designs. Never say never.
>There's some crazy-expensive wired headphones out there, which don't stop anyone from buying pricy BT headphones. If they want to maximize rent-seeking, create a new proprietary wired port.
Because they needed BT to work on the new phones. By that logic, the Lightning-connector wired headphones you want already exist.
>Charge a premium for a new tier of phone? Reclaim some credibility lost from the push for on-device content scanning?
Who decides it's premium? If people cared, they'd make a bigger deal about the control center not disabling the radios; nobody they are selling to cares. Where is the evidence it will be a selling point or give any credibility against on-device scanning? I have never heard anyone who wants a new iPhone care about that, and they have never retracted their iPhone changes. The average person buying an iPhone will care more about the camera megapixels than any of these features.
As phones move from entertainment devices to digital identity and currency wallets, on-device signals can (e.g. physical proximity/presence data is purchased from adtech companies by U.S. IRS/Treasury) have real-life consequences. Add unpredictable governments to interoperable phone finance/health/travel credentials and there's a lot of potential for sudden education on previously-invisible phone behaviors.