Widespread Vulnerability Identified in Phones and Bluetooth Devices

Approximately 40 percent of mobile phones may be uniquely identified via Bluetooth signals

3 min read

A blond woman in a red and black coat and jeans looks at her phone. The crowd and street around her are blurred.
Christoph Hetzmannseder/Getty Images

Apps that track the locations of phones have proven to be useful in so many ways. Apple's Find My app for finding a misplaced phone, for example, or for contact tracing COVID-19 transmissions during the pandemic. But a group of researchers at the University of California San Diego has discovered a troublesome feature of Bluetooth hardware that apps such as these rely on, which renders an estimated 40 percent of mobile devices uniquely identifiable. The findings, first reported in a story by the Register, will be presented at the IEEE Symposium on Security and Privacy in 2022.

"These applications require frequent and constant transmission of Bluetooth beacons to be detected by nearby devices," explains Nishant Bhaskar, a PhD student at the University of California San Diego who was involved in the research. "Unfortunately, this also means that an adversary can also find out where we are at all times by simply listening to the Bluetooth transmissions from our personal devices."

The vulnerability originates from defects or imperfections that occur during the manufacturing process. As a result, the Bluetooth signals from an individual device can be slightly distorted, creating a unique signature.

Bhaskar and his colleagues sought to explore whether these unique signatures could be used to identify individual devices in crowded areas, as well track the movement of individuals.

In their first experiment, they went to several public places, including a coffee shop, food court, and library, with an off-the-shelf receiver (costing less than US $200) that can "sniff" out Bluetooth signals. A single phone emits hundreds of short-range Bluetooth signals per second, making it relatively easy for a nearby sniffer to produce a "fingerprint" of a device quickly.

In total, they collected and analyzed Bluetooth signals from 162 mobile devices, and found that about 40 percent of devices were identifiable among a crowd based on their unique signal signatures. In a second experiment, the researchers placed a receiver at the exit of a large room and observed Bluetooth signals from more than 600 different mobile devices over the course of a single day, 47 percent of which were uniquely identifiable.

Animated gif shows blue dots appearing over time along with a smaller selection of red dots within a green circle labelled "Fingerprint Boundary"A sniffer is used to detect the Bluetooth packets of a specific device among a crowd, effectively tracking it.University of California San Diego

Notably, an ill-intentioned person who wants to track a specific individual would need to somehow determine which signature is linked to that person's device. In these initial experiments, the researchers simply looked to see how many unique signatures could be observed, without directly linking a device to a user. However, an attacker could theoretically go to multiple locations their target frequents, and blindly sniff out signatures at these sites until they identify one that registers multiple times.

Indeed, once a signature has been linked to a device, it's possible to track the movement of an individual. The researchers demonstrate this in a third experiment, where a volunteer's location was tracked as they entered and exited their home with tens of other Bluetooth devices around.

"Our results showed that the threat is real—the attack is practical and feasible," says Bhaskar. "Many mobile devices that we have seen have unique Bluetooth identities that make them particularly vulnerable to this tracking attack."

However, the "uniqueness" of each device depends on the manufacturing flaws, which will vary for every device.

"Some devices are distinguishable even among thousands of devices, others may be misidentified amongst tens of other devices," says Hadi Givehchian, a PhD student at the University of California San Diego who co-led this work. "That said, a device that has a distinct enough identity can be tracked effectively across wireless conditions."

Unfortunately, some devices still emit signals even when Bluetooth has been disabled. One effective—if impractical—solution is to power off the device completely. But there may be another option.

Givehchian and his colleagues are proposing that a random time-varying extra frequency offset could be added to devices, which would alter the signal frequency periodically and make it difficult for an attacker to distinguish the device's unique signature. In this scenario, the signal is altered just enough to thwart attackers, but not enough so to interfere with communications. "We are currently exploring defense mechanisms [like this] that Bluetooth device manufacturers can build into their devices to prevent similar attacks," says Givehchian.

Correction: On 9 Nov 2021, this story was updated to address its reported claims of the affected range of the present vulnerability (it is short-range only, which the original version of this article did not convey) and the nature of the vulnerability as well (it is not so much about “compromised" equipment posing a “security risk" as the original story reported but rather a matter of the performance of devices working entirely according to spec).

The Conversation (3)
Rodolfo J Martinez III
Rodolfo J Martinez III12 Nov, 2021

To me it is appalling that at this mature stage in communications technology we have consumer products starting radio transmissions without the expressed authorization of the user-owner.

Jason Wong
Jason Wong08 Nov, 2021

Does the frequency hopping feature of Bluetooth make this kind of attack more difficult in practice? Assumes that the frequency hoping feature is applied of course.

Joshua Stern
Joshua Stern04 Nov, 2021

Very interesting. Not sure if this even constitutes an "attack" as such, but it still may point to something that needs to be "fixed".