A Multi-Layer Randomization Firmware Shows Promise in Protecting Against BLE Tracking Attacks
Having discovered a tracking vulnerability in Bluetooth Low Energy devices two years ago, the same research team has now worked out how to fix it.
Researchers from the University of California San Diego (UC San Diego) have come up with a way to prevent Bluetooth Low Energy (BLE) devices from being tracked — and it could be implemented with a simple firmware update.
"We assumed the strongest possible attack, a nation-state type of attacker that would know which algorithm we are using. They still failed," claims co-author Aaron Schulman of the team's mitigation for a vulnerability they themselves discovered two years ago: the fact that it's possible to uniquely identify a device based on manufacturing tolerances and other imperfections, even when the device is set to automatically generate random MAC addresses.
The team's paper on the original vulnerability warned that "many popular devices are essentially operating as tracking beacons for their users" and that "BLE does present a location tracking threat for mobile devices," even if an attacker's ability to select one individual target from many "is essentially a matter of luck."
The researchers' latest paper addresses that problem by adding further layers of randomization that go beyond simply changing the device's MAC address. Tested on a Texas Instruments CC2640 chip, the system proved highly effective: an attacker would need more than 10 days of continuous observation to reach the tracking accuracy that the stock firmware gives away in about one minute.
"This means that the fingerprints are no longer useful for the attacker to infer the identity of the device," says co-author Dinesh Bharadia, a professor in the UC San Diego Department of Electrical and Computer Engineering, "and the optimal attacker can barely do better than a random guess. You can't track the phone’s fingerprint even if you’re sitting right next to it, because both MAC and PHY identities keep changing."
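As an added illustration (not code from the UC San Diego paper or the CC2640 firmware), the toy model below shows the two points the researchers make: a stable physical-layer fingerprint lets a sniffer link advertisements to a device even though every one carries a fresh random MAC, and a defense that keeps the transmitted PHY identity changing drives the attacker's classifier back to chance. Everything in it is an assumption of the model: the fingerprint features (carrier frequency offset in ppm and an I/Q offset, which the page does not name), the eight-device table, the noise levels, and the idealized defense that redraws the PHY identity independently of the hardware on every advertisement.

```python
import math
import random

# Constructed sample data: eight hypothetical BLE transmitters, each with a
# fixed hardware fingerprint (carrier frequency offset in ppm, I/Q offset).
# The feature choice is an assumption for this model, not the paper's method.
DEVICES = {
    "dev0": (-12.3, -0.031),
    "dev1": (-7.8, 0.012),
    "dev2": (-3.1, -0.054),
    "dev3": (0.4, 0.027),
    "dev4": (2.9, -0.009),
    "dev5": (6.5, 0.046),
    "dev6": (9.7, -0.022),
    "dev7": (14.2, 0.008),
}
CFO_NOISE = 0.3     # assumed per-measurement CFO estimation noise, ppm
IQ_NOISE = 0.004    # assumed per-measurement I/Q offset estimation noise
CFO_SCALE = 5.0     # assumed population spread, used to normalise features
IQ_SCALE = 0.05


def random_mac(rng):
    """Fresh random MAC per advertisement, as stock BLE privacy already does."""
    return ":".join("%02x" % rng.randrange(256) for _ in range(6))


def observe(rng, device, obfuscate):
    """One advertisement as the sniffer sees it: random MAC + noisy fingerprint.

    With obfuscate=True the model assumes an idealised defence: the PHY
    identity the radio presents is redrawn independently of the hardware,
    so the observation carries no information about which device sent it.
    """
    cfo, iq = DEVICES[device]
    if obfuscate:
        cfo = rng.gauss(0.0, 8.0)
        iq = rng.gauss(0.0, 0.05)
    fingerprint = (cfo + rng.gauss(0.0, CFO_NOISE), iq + rng.gauss(0.0, IQ_NOISE))
    return random_mac(rng), fingerprint


def distance(a, b):
    """Euclidean distance in normalised feature space."""
    return math.hypot((a[0] - b[0]) / CFO_SCALE, (a[1] - b[1]) / IQ_SCALE)


def enroll(rng, obfuscate, samples=20):
    """Attacker's profiling phase: average the fingerprint seen from each
    device while its identity was known (e.g. observed in isolation)."""
    profiles = {}
    for dev in DEVICES:
        fps = [observe(rng, dev, obfuscate)[1] for _ in range(samples)]
        profiles[dev] = (sum(f[0] for f in fps) / samples,
                         sum(f[1] for f in fps) / samples)
    return profiles


def classify(profiles, fingerprint):
    """Nearest-profile matcher: the MAC is useless, only the PHY features count."""
    return min(profiles, key=lambda dev: distance(profiles[dev], fingerprint))


def tracking_accuracy(obfuscate, seed=1, trials=50):
    """Fraction of later advertisements the attacker links to the right device."""
    rng = random.Random(seed)
    profiles = enroll(rng, obfuscate)
    hits = total = 0
    for dev in DEVICES:
        for _ in range(trials):
            _mac, fp = observe(rng, dev, obfuscate)
            hits += classify(profiles, fp) == dev
            total += 1
    return hits / total


if __name__ == "__main__":
    print("stock firmware (MAC randomisation only):", tracking_accuracy(False))
    print("PHY identity randomised as well:        ", tracking_accuracy(True))
    print("chance level for", len(DEVICES), "devices:", 1 / len(DEVICES))
```

With MAC randomization alone the matcher links essentially every advertisement to its source, because the hardware fingerprint is constant and far larger than the measurement noise. Once the PHY identity is redrawn per advertisement, the observation is statistically independent of the sender and accuracy falls to roughly 1/N, which is what "barely do better than a random guess" means in practice. The model ignores the real defense's constraints (the obfuscated values still have to stay within what the BLE specification and a receiver tolerate, and the attacker may average over many packets), which is why the paper reports days rather than never.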
"This defense can be rolled out incrementally, requiring only software modification on at least one widely-used Bluetooth Low Energy chipset," explains first author Hadi Givehchian. "But in order to deploy this defense widely, we need to partner with Bluetooth chip manufacturers."
The team's work has been presented at the 2024 IEEE Symposium on Security and Privacy (SP); a preprint is available from UC San Diego.