Bluetooth Signals Can Be Fingerprinted to Track Mobile Devices, According to Researchers

Academics at the University of California San Diego have shown for the first time that Bluetooth signals can be fingerprinted to track smartphones (and therefore individuals).

At its core, the identification is based on manufacturing flaws in Bluetooth chipset hardware, which result in a “physical-layer fingerprint.”

As the researchers explain in their paper, “Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices,” an attacker attempting a physical-layer fingerprinting attack needs a Software Defined Radio sniffer, which is a radio receiver capable of recording raw IQ radio signals.

The attack is possible because modern devices constantly transmit BLE beacons, which are in widespread use in public health emergencies, for example for contact tracing.

Because Wi-Fi and BLE components are often integrated together into a specialised “combo chip” and share its hardware defects, Bluetooth is subject to the same set of metrics that can be used to uniquely fingerprint Wi-Fi devices.

When fingerprinting and tracking a device, the Mahalanobis distance is used to calculate “how close the features of the new packet” are to the previously recorded hardware imperfection fingerprint.

BLE devices have temporary identifiers in their packets (i.e., MAC addresses), which means that “we can identify a device based on the average over multiple packets, increasing identification accuracy,” the researchers stated.
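The following is an added example, not code from the paper or from this article, that works through the two paragraphs above: it scores a single packet against a recorded fingerprint with the Mahalanobis distance, then scores the average of several packets that share one MAC address. The two generic per-packet features, the sample values, the MAC address and the threshold are all constructed, and scaling the covariance by 1/n for an n-packet average is a modelling assumption of this example (independent packets).

```python
import math
from collections import defaultdict
from statistics import mean

def fit_fingerprint(samples):
    """Mean and 2x2 sample covariance of per-packet (f1, f2) feature pairs."""
    n = len(samples)
    m1, m2 = mean(s[0] for s in samples), mean(s[1] for s in samples)
    s11 = sum((a - m1) ** 2 for a, _ in samples) / (n - 1)
    s22 = sum((b - m2) ** 2 for _, b in samples) / (n - 1)
    s12 = sum((a - m1) * (b - m2) for a, b in samples) / (n - 1)
    return (m1, m2), (s11, s12, s22)

def mahalanobis(x, fingerprint, n_averaged=1):
    """Distance of x from the fingerprint; x may be a mean of n_averaged packets.

    Assumption of this example: packets are independent, so the mean of n
    packets has covariance S/n.
    """
    (m1, m2), (s11, s12, s22) = fingerprint
    s11, s12, s22 = s11 / n_averaged, s12 / n_averaged, s22 / n_averaged
    det = s11 * s22 - s12 * s12
    if det <= 0:
        raise ValueError("degenerate covariance: enrol more packets")
    d1, d2 = x[0] - m1, x[1] - m2
    # (x - mu)^T S^-1 (x - mu), with the 2x2 inverse written out
    return math.sqrt((s22 * d1 * d1 - 2 * s12 * d1 * d2 + s11 * d2 * d2) / det)

def distance_per_mac(packets, fingerprint):
    """Group (mac, f1, f2) packets by MAC and score each group's average."""
    groups = defaultdict(list)
    for mac, f1, f2 in packets:
        groups[mac].append((f1, f2))
    return {mac: mahalanobis((mean(a for a, _ in g), mean(b for _, b in g)),
                             fingerprint, len(g))
            for mac, g in groups.items()}

# Constructed data: enrolment packets from device A, then nine packets seen
# later under one (constructed) MAC that actually belong to a different device.
ENROLMENT_A = [(8.0, 4.0), (12.0, 6.0), (9.0, 6.0), (11.0, 4.0), (10.0, 5.0)]
LATER = [("aa:bb:cc:00:00:01", f1, f2)
         for f1, f2 in [(11.0, 4.0), (13.0, 6.0), (12.0, 5.0)] * 3]
THRESHOLD = 3.0  # constructed acceptance threshold

if __name__ == "__main__":
    fp = fit_fingerprint(ENROLMENT_A)
    print("single packet:", mahalanobis(LATER[0][1:], fp))      # below threshold
    print("nine-packet average:", distance_per_mac(LATER, fp))  # above threshold
```

With this data a single packet from the other device falls inside the threshold for device A, while the nine-packet average falls outside it; two devices whose feature means coincide would stay indistinguishable however many packets are averaged.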

The ability to uniquely identify a device depends on the BLE chipset used as well as the chipsets of other devices that are physically close to the target, so executing such an attack in an adversarial setting is difficult.

Temperature, differences in BLE transmit power between iPhone and Android devices, and the quality of the sniffer radio used by the malicious actor to perform fingerprinting attacks all have a significant impact on the results of the attacks.

For example, in a coffee shop, “we found that certain devices have unique fingerprints and therefore are particularly vulnerable to tracking attacks,” the researchers said. “Others have common fingerprints, they will often be mistaken for the same device,” the researchers added.

“It is true that BLE can be used to track mobile devices’ locations. However, the ability of an attacker to locate a specific target is largely dependent on chance.”

