A new study conducted by a group of academics from the University of California at San Diego has revealed for the first time that Bluetooth signals can be faked to track smartphones (and therefore individuals).
The identification essentially depends on imperfections in the Bluetooth chipset hardware introduced during the manufacturing process, resulting in a “unique physical layer fingerprint”.
“To perform a physical low-fingerprint attack, the attacker must be equipped with a Software Defined Radio sniffer: a radio receiver that can pick up raw IQ radio signals,” the researchers said. said in a new paper titled “Evaluating Physical Layer BLE Location Tracking Attacks on Mobile Devices.”
The attack is made possible by the ubiquitous nature of Bluetooth Low Energy (BLE) beacons that are continuously transmitted by modern devices to enable critical functions such as tracing contact during public health emergencies.
The hardware failures, on the other hand, stem from the fact that both Wi-Fi and BLE components are often integrated together in a specialized “combo chip”, effectively subjecting Bluetooth to the same set of metrics that can be used to uniquely identify Wi-Fi. Fi fingerprints. -Fi devices: carrier frequency offset and IQ Imbalance†
Fingerprinting and device tracking then involves extracting CFO and I/Q imperfections for each packet by the Mahalanobis distance to determine “how close the characteristics of the new package” are to the previously registered fingerprint of hardware imperfection.
Also because BLE devices have temporary stable identifiers in their packets [i.e., MAC address]we can identify a device based on the multi-packet average, increasing identification accuracy,” the researchers said.
That said, there are several challenges to launching such an attack in a hostile environment, the main one being that the ability to uniquely identify a device depends on the BLE chipset and chipsets used. from other devices that are physically close to the target.
Other critical factors that can affect the readings include the temperature of the device, differences in BLE transmit power between iPhone and Android devices, and the quality of the sniffer radio used by the malicious actor to run the fingerprints.
“By evaluating the usability of this attack in the field, particularly in crowded environments such as coffee shops, we found that certain devices have unique fingerprints and are therefore particularly vulnerable to tracking attacks, others have common fingerprints, they will often be misidentified.” ,’ the researchers conclude.
“BLE poses a threat to location tracking for mobile devices. However, an attacker’s ability to track a particular target is essentially a matter of luck.”