Widespread Vulnerability Identified in Phones and Bluetooth Devices

Approximately 40 percent of mobile phones may be uniquely identified via Bluetooth signals

3 min read
A blond woman in a red and black coat and jeans looks at her phone. The crowd and street around her are blurred.
Christoph Hetzmannseder/Getty Images


Apps that track the locations of phones have proven to be useful in so many ways. Apple's Find My app for finding a misplaced phone, for example, or for contact tracing COVID-19 transmissions during the pandemic. But a group of researchers at the University of California San Diego has discovered a troublesome feature of Bluetooth hardware that apps such as these rely on, which renders an estimated 40 percent of mobile devices uniquely identifiable. The findings, first reported in a story by the Register, will be presented at the IEEE Symposium on Security and Privacy in 2022.

"These applications require frequent and constant transmission of Bluetooth beacons to be detected by nearby devices," explains Nishant Bhaskar, a PhD student at the University of California San Diego who was involved in the research. "Unfortunately, this also means that an adversary can also find out where we are at all times by simply listening to the Bluetooth transmissions from our personal devices."

The vulnerability originates from defects or imperfections that occur during the manufacturing process. As a result, the Bluetooth signals from an individual device can be slightly distorted, creating a unique signature.

Bhaskar and his colleagues sought to explore whether these unique signatures could be used to identify individual devices in crowded areas, as well track the movement of individuals.

In their first experiment, they went to several public places, including a coffee shop, food court, and library, with an off-the-shelf receiver (costing less than US $200) that can "sniff" out Bluetooth signals. A single phone emits hundreds of short-range Bluetooth signals per second, making it relatively easy for a nearby sniffer to produce a "fingerprint" of a device quickly.

In total, they collected and analyzed Bluetooth signals from 162 mobile devices, and found that about 40 percent of devices were identifiable among a crowd based on their unique signal signatures. In a second experiment, the researchers placed a receiver at the exit of a large room and observed Bluetooth signals from more than 600 different mobile devices over the course of a single day, 47 percent of which were uniquely identifiable.

Animated gif shows blue dots appearing over time along with a smaller selection of red dots within a green circle labelled "Fingerprint Boundary"A sniffer is used to detect the Bluetooth packets of a specific device among a crowd, effectively tracking it.University of California San Diego

Notably, an ill-intentioned person who wants to track a specific individual would need to somehow determine which signature is linked to that person's device. In these initial experiments, the researchers simply looked to see how many unique signatures could be observed, without directly linking a device to a user. However, an attacker could theoretically go to multiple locations their target frequents, and blindly sniff out signatures at these sites until they identify one that registers multiple times.

Indeed, once a signature has been linked to a device, it's possible to track the movement of an individual. The researchers demonstrate this in a third experiment, where a volunteer's location was tracked as they entered and exited their home with tens of other Bluetooth devices around.

"Our results showed that the threat is real—the attack is practical and feasible," says Bhaskar. "Many mobile devices that we have seen have unique Bluetooth identities that make them particularly vulnerable to this tracking attack."

However, the "uniqueness" of each device depends on the manufacturing flaws, which will vary for every device.

"Some devices are distinguishable even among thousands of devices, others may be misidentified amongst tens of other devices," says Hadi Givehchian, a PhD student at the University of California San Diego who co-led this work. "That said, a device that has a distinct enough identity can be tracked effectively across wireless conditions."

Unfortunately, some devices still emit signals even when Bluetooth has been disabled. One effective—if impractical—solution is to power off the device completely. But there may be another option.

Givehchian and his colleagues are proposing that a random time-varying extra frequency offset could be added to devices, which would alter the signal frequency periodically and make it difficult for an attacker to distinguish the device's unique signature. In this scenario, the signal is altered just enough to thwart attackers, but not enough so to interfere with communications. "We are currently exploring defense mechanisms [like this] that Bluetooth device manufacturers can build into their devices to prevent similar attacks," says Givehchian.

Correction: On 9 Nov 2021, this story was updated to address its reported claims of the affected range of the present vulnerability (it is short-range only, which the original version of this article did not convey) and the nature of the vulnerability as well (it is not so much about “compromised" equipment posing a “security risk" as the original story reported but rather a matter of the performance of devices working entirely according to spec).

The Conversation (3)
Joshua Stern04 Nov, 2021
LM

Very interesting. Not sure if this even constitutes an "attack" as such, but it still may point to something that needs to be "fixed".

Rodolfo J Martinez III12 Nov, 2021
M

To me it is appalling that at this mature stage in communications technology we have consumer products starting radio transmissions without the expressed authorization of the user-owner.

Jason Wong08 Nov, 2021

Does the frequency hopping feature of Bluetooth make this kind of attack more difficult in practice? Assumes that the frequency hoping feature is applied of course.

The Inner Beauty of Basic Electronics

Open Circuits showcases the surprising complexity of passive components

5 min read
Vertical
A photo of a high-stability film resistor with the letters "MIS" in yellow.
All photos by Eric Schlaepfer & Windell H. Oskay
Blue

Eric Schlaepfer was trying to fix a broken piece of test equipment when he came across the cause of the problem—a troubled tantalum capacitor. The component had somehow shorted out, and he wanted to know why. So he polished it down for a look inside. He never found the source of the short, but he and his collaborator, Windell H. Oskay, discovered something even better: a breathtaking hidden world inside electronics. What followed were hours and hours of polishing, cleaning, and photography that resulted in Open Circuits: The Inner Beauty of Electronic Components (No Starch Press, 2022), an excerpt of which follows. As the authors write, everything about these components is deliberately designed to meet specific technical needs, but that design leads to “accidental beauty: the emergent aesthetics of things you were never expected to see.”

From a book that spans the wide world of electronics, what we at IEEE Spectrum found surprisingly compelling were the insides of things we don’t spend much time thinking about, passive components. Transistors, LEDs, and other semiconductors may be where the action is, but the simple physics of resistors, capacitors, and inductors have their own sort of splendor.

High-Stability Film Resistor

A photo of a high-stability film resistor with the letters "MIS" in yellow.

All photos by Eric Schlaepfer & Windell H. Oskay

This high-stability film resistor, about 4 millimeters in diameter, is made in much the same way as its inexpensive carbon-film cousin, but with exacting precision. A ceramic rod is coated with a fine layer of resistive film (thin metal, metal oxide, or carbon) and then a perfectly uniform helical groove is machined into the film.

Instead of coating the resistor with an epoxy, it’s hermetically sealed in a lustrous little glass envelope. This makes the resistor more robust, ideal for specialized cases such as precision reference instrumentation, where long-term stability of the resistor is critical. The glass envelope provides better isolation against moisture and other environmental changes than standard coatings like epoxy.

15-Turn Trimmer Potentiometer

A photo of a blue chip
A photo of a blue chip on a circuit board.

It takes 15 rotations of an adjustment screw to move a 15-turn trimmer potentiometer from one end of its resistive range to the other. Circuits that need to be adjusted with fine resolution control use this type of trimmer pot instead of the single-turn variety.

The resistive element in this trimmer is a strip of cermet—a composite of ceramic and metal—silk-screened on a white ceramic substrate. Screen-printed metal links each end of the strip to the connecting wires. It’s a flattened, linear version of the horseshoe-shaped resistive element in single-turn trimmers.

Turning the adjustment screw moves a plastic slider along a track. The wiper is a spring finger, a spring-loaded metal contact, attached to the slider. It makes contact between a metal strip and the selected point on the strip of resistive film.

Ceramic Disc Capacitor

A cutaway of a Ceramic Disc Capacitor
A photo of a Ceramic Disc Capacitor

Capacitors are fundamental electronic components that store energy in the form of static electricity. They’re used in countless ways, including for bulk energy storage, to smooth out electronic signals, and as computer memory cells. The simplest capacitor consists of two parallel metal plates with a gap between them, but capacitors can take many forms so long as there are two conductive surfaces, called electrodes, separated by an insulator.

A ceramic disc capacitor is a low-cost capacitor that is frequently found in appliances and toys. Its insulator is a ceramic disc, and its two parallel plates are extremely thin metal coatings that are evaporated or sputtered onto the disc’s outer surfaces. Connecting wires are attached using solder, and the whole assembly is dipped into a porous coating material that dries hard and protects the capacitor from damage.

Film Capacitor

An image of a cut away of a capacitor
A photo of a green capacitor.

Film capacitors are frequently found in high-quality audio equipment, such as headphone amplifiers, record players, graphic equalizers, and radio tuners. Their key feature is that the dielectric material is a plastic film, such as polyester or polypropylene.

The metal electrodes of this film capacitor are vacuum-deposited on the surfaces of long strips of plastic film. After the leads are attached, the films are rolled up and dipped into an epoxy that binds the assembly together. Then the completed assembly is dipped in a tough outer coating and marked with its value.

Other types of film capacitors are made by stacking flat layers of metallized plastic film, rather than rolling up layers of film.

Dipped Tantalum Capacitor

A photo of a cutaway of a Dipped Tantalum Capacitor

At the core of this capacitor is a porous pellet of tantalum metal. The pellet is made from tantalum powder and sintered, or compressed at a high temperature, into a dense, spongelike solid.

Just like a kitchen sponge, the resulting pellet has a high surface area per unit volume. The pellet is then anodized, creating an insulating oxide layer with an equally high surface area. This process packs a lot of capacitance into a compact device, using spongelike geometry rather than the stacked or rolled layers that most other capacitors use.

The device’s positive terminal, or anode, is connected directly to the tantalum metal. The negative terminal, or cathode, is formed by a thin layer of conductive manganese dioxide coating the pellet.

Axial Inductor

An image of a cutaway of a Axial Inductor
A photo of a collection of cut wires

Inductors are fundamental electronic components that store energy in the form of a magnetic field. They’re used, for example, in some types of power supplies to convert between voltages by alternately storing and releasing energy. This energy-efficient design helps maximize the battery life of cellphones and other portable electronics.

Inductors typically consist of a coil of insulated wire wrapped around a core of magnetic material like iron or ferrite, a ceramic filled with iron oxide. Current flowing around the core produces a magnetic field that acts as a sort of flywheel for current, smoothing out changes in the current as it flows through the inductor.

This axial inductor has a number of turns of varnished copper wire wrapped around a ferrite form and soldered to copper leads on its two ends. It has several layers of protection: a clear varnish over the windings, a light-green coating around the solder joints, and a striking green outer coating to protect the whole component and provide a surface for the colorful stripes that indicate its inductance value.

Power Supply Transformer

A photo of a collection of cut wires
A photo of a yellow element on a circuit board.

This transformer has multiple sets of windings and is used in a power supply to create multiple output AC voltages from a single AC input such as a wall outlet.

The small wires nearer the center are “high impedance” turns of magnet wire. These windings carry a higher voltage but a lower current. They’re protected by several layers of tape, a copper-foil electrostatic shield, and more tape.

The outer “low impedance” windings are made with thicker insulated wire and fewer turns. They handle a lower voltage but a higher current.

All of the windings are wrapped around a black plastic bobbin. Two pieces of ferrite ceramic are bonded together to form the magnetic core at the heart of the transformer.

This article appears in the February 2023 print issue.

{"imageShortcodeIds":[]}