Hardware flaws give Bluetooth chipsets unique fingerprints that can be tracked

Researchers at the University of California San Diego have shown for the first time that Bluetooth signals each carry an individual, trackable fingerprint.

In a paper presented at the IEEE Security and Privacy Conference last month, the researchers wrote that Bluetooth signals can also be tracked, given the right tools.

However, there are technological and expertise hurdles that a miscreant would have to clear today to track a person through the Bluetooth signals in their devices, they wrote.

“By their nature, BLE [Bluetooth Low Energy] wireless tracking beacons have the potential to introduce significant privacy risks,” the researchers wrote. “For example, an adversary might stalk a user by placing BLE receivers near locations they might visit and then record the presence of the user’s beacons.”

The researchers – who hail from the school’s departments of Computer Science and Engineering and Electrical and Computer Engineering – pointed to the contact-tracing applications that governments added to Apple iOS and Android devices during the COVID-19 pandemic, which send out constant Bluetooth signals – or beacons.

Other examples include the BLE beaconing that Microsoft and Apple added to their operating systems for features such as tracking lost devices, connecting smartphones to wireless accessories such as earphones or speakers, and enabling users to switch more seamlessly between devices.

“Therefore, BLE beacons are now common on many mobile platforms, including: phones, laptops, and smartwatches,” they wrote.

According to the paper, these devices constantly transmit signals at a rate of around 500 beacon signals per minute. To address issues of security and privacy, many BLE proximity applications use such measures as cryptographically anonymizing and periodically rotating the identity of a mobile device in their beacons. They will routinely re-encrypt the MAC address of the device, while the COVID-19 applications rotate identifiers so receivers can’t link beacons from the same device.

That said, a person could get past these barriers by fingerprinting the device at a lower layer, according to the researchers. Previous studies have shown that wireless transmitters, in Wi-Fi for instance, have small imperfections accidentally introduced during manufacturing that are unique to each device.

The UC San Diego scientists found that similar imperfections in Bluetooth transmitters produce distortions that can be used to build a similarly unique fingerprint. The fingerprints can be used to track devices and, thus, their users.

That said, it’s not an easy process.

An attacker would first need to isolate the target to capture the fingerprint in the wireless transmissions and find the unique physical-layer features of the device’s Bluetooth transmitter. After that, they would need to have a receiver in a place the device might be and have it passively sniff for the target’s Bluetooth transmissions.

“They will know when the target device is near the receiver when it captures one or more packets that match the target’s physical layer fingerprint,” the researchers wrote.

“The more frequently the BLE device transmits, the more likely the attacker is to receive a transmission if a user passes by. Also, the more accurate the fingerprinting technique is, the better the attacker can differentiate the target from other nearby devices.”

To do all this, the attacker needs to have a radio receiver that can record raw radio signals. The researchers warned that a hobbyist device in the $150 price range could do the job.

In addition, the researchers had to create an algorithm for the work. Wi-Fi signals have a long and known sequence called the “preamble” – but those for Bluetooth are very short.

The algorithm skips the Bluetooth preamble and instead estimates two different values in the entire signal. This is where the defects can be found and the unique fingerprint identified.

The researchers developed a fingerprinting toolkit and associated methodology they used to assess how many mobile devices could be identified in public areas like coffee shops and public hallways. One test found that 40 percent of 162 devices detected were identifiable via their unique fingerprints; in another experiment 47 percent of 647 mobile devices could be identified.

In another test, they tracked a volunteer who had an iPhone as they walked in and out of their home over an hour-long period. Simulating an attack, they were able to track the person during most of that time.

However, anyone trying to track a person via their mobile device’s Bluetooth signals will run into challenges. Among them are that Bluetooth devices have varying chipsets that all have different hardware implementations, and some devices have less powerful Bluetooth transmissions than others. In addition, temperature can affect the Bluetooth fingerprint. The researchers also noted that an attacker would need a certain level of technological expertise to pull this off.

Devices “may be similar to other devices of the same make and model. Or, they may not even have certain identifying features if they are developed with low power radio architectures,” they wrote.

“By evaluating the practicality of this attack in the field, particularly in busy settings such as coffee shops, we found that certain devices have unique fingerprints, and therefore are particularly vulnerable to tracking attacks. Others have common fingerprints – they will often be misidentified.”
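A toy simulation (added here; it is not code from the paper or from The Register) of the argument the article lays out: rotating the MAC address stops a receiver linking beacons by address, while a constant hardware offset still links them; devices whose offsets are close together produce false matches, and a temperature-style drift breaks matching altogether. The single "offset" feature, the noise level and all sample values are constructed assumptions, not the paper's features or data.

```python
import random
import secrets
from statistics import mean

# Constructed model (assumption, not the paper's features): each device has one
# constant hardware offset (arbitrary units) measured with Gaussian receiver noise.
NOISE_STD = 0.05


def random_mac() -> str:
    """Rotated random address: two beacons from one device share nothing here."""
    return ":".join(f"{b:02x}" for b in secrets.token_bytes(6))


def beacons(offset: float, n: int, rng=None, drift: float = 0.0) -> list:
    """n beacons from one device. The MAC rotates every packet (worst case for a
    tracker); the measured offset stays constant apart from noise and `drift`,
    which stands in for a temperature-induced shift."""
    rng = rng or random.Random()
    return [{"mac": random_mac(), "offset": offset + drift + rng.gauss(0, NOISE_STD)}
            for _ in range(n)]


def distinct_macs(capture: list) -> int:
    """What a MAC-only observer can link: every rotated address looks new."""
    return len({p["mac"] for p in capture})


def enroll(capture: list) -> float:
    """Fingerprint the isolated target: mean measured offset of its beacons."""
    return mean(p["offset"] for p in capture)


def match(pkt: dict, fingerprint: float, tolerance: float = 3 * NOISE_STD) -> bool:
    """Does one sniffed packet fall inside the target's fingerprint window?"""
    return abs(pkt["offset"] - fingerprint) <= tolerance


def evaluate(target: float, others: list, drift: float = 0.0, n: int = 200, seed: int = 1):
    """Return (hit rate on the target, false-match rate on the other devices)."""
    rng = random.Random(seed)
    fp = enroll(beacons(target, 50, rng))
    hits = sum(match(p, fp) for p in beacons(target, n, rng, drift)) / n
    pool = [p for off in others for p in beacons(off, n, rng)]
    false_rate = sum(match(p, fp) for p in pool) / len(pool)
    return hits, false_rate


if __name__ == "__main__":
    print("MACs seen in 100 beacons:", distinct_macs(beacons(2.0, 100)))
    print("unique fingerprint :", evaluate(2.0, [-1.0, 0.5, 3.0]))
    print("common fingerprint :", evaluate(2.0, [2.0, 2.02]))
    print("with drift 0.4     :", evaluate(2.0, [-1.0, 0.5, 3.0], drift=0.4))
```

The unique case is reliably tracked with no false matches, the common case is matched to every look-alike device, and the drifted case is missed entirely, which is the "matter of luck" the researchers describe.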

The upshot is that mobile devices can be tracked via their Bluetooth signals, and the equipment necessary isn’t overly expensive. “However, an attacker’s ability to track a particular target is essentially a matter of luck,” the researchers wrote. ®