In 2022, for the first time, researchers at the University of California at San Diego (UCSD) described how to identify the unique “fingerprint” of any Bluetooth-equipped device by tracking hardware imperfections using an inexpensive software-defined radio.
Since then, the UCSD researchers have been working toward a solution to what has been described as the fingerprint identification vulnerability. In the meantime, stalkers, suspicious spouses, spies, government agencies, and run-of-the-mill curious hackers have been able to track smartphones—and any other device using Bluetooth—without the users’ knowledge, potentially amassing a database of identified users.
Now, in 2024, the UCSD research team has finally devised a complex obfuscation technique to foil the Bluetooth “user tracking” vulnerability. Despite its complexity (which is why it took two years to develop, debug, and test), the new method is nevertheless easy for Bluetooth chip set manufacturers to implement via a simple firmware update.
“Tracking Bluetooth devices has been a problem for privacy for quite some time, especially since the Covid contact system began using it to track the spread of the virus,” explained Northeastern University associate professor and wireless network security and privacy expert Aanjhan Ranganathan about Apple’s and Google’s cooperative effort to track the locations of citizens who have been in close proximity to known Covid victims (along with a slew of independent apps, some of which, unlike Apple’s and Google’s efforts, collect personal information, too). “Once the unique identity of Bluetooth-equipped devices has been accumulated, it could potentially become a big problem. And since this tracking method was shown by UCSD to be capable of using an indelible fingerprint at the physical layer, research into solving it became increasingly difficult.
“What these researchers have done is solve this problem with an obfuscation technique that can be easily installed in the firmware of Bluetooth chip sets without any hardware changes, making it a meritorious step forward.”
Bluetooth includes many capabilities in its official specification that support anonymous user tracking, starting with a constant (800 times a minute for an iPhone) broadcasting beacon which advertisers use to identify the availability of product information to Bluetooth devices in close proximity to their brick-and-mortar locations. Bluetooth even supports angle of arrival (AoA) and angle of departure (AoD) protocols to aid in beaming high-quality signals to users. Once a user (called the central Bluetooth device) is directed to connect with the advertising device (called the peripheral), a randomly chosen 48-bit address is generated by the central device and shared with the Bluetooth peripheral in a handshake operation that establishes a wireless connection.
Bluetooth standards organizations quickly realized hackers could “sniff” the device address after the handshake, thus identifying the user. To remedy this, Bluetooth chip sets support changing the device address every 15 to 20 minutes. According to UCSD researchers, however, hackers quickly learned to program their computers to watch for the moment an address disappears and then for the immediate appearance of a new address, which they (rightly, most of the time) assume is the same device’s new address, enabling continuous tracking of the user.
The UCSD researchers then identified an unintentionally unique bare-metal fingerprint at the physical layer of all current Bluetooth devices that, unlike the device address, cannot be changed after manufacture. Called the carrier frequency offset (CFO), it is an analog property fixed during the idiosyncratic process of manufacturing a particular Bluetooth chip set. Even if the frequency is tested after manufacture, as long as it is within the ±150 kHz range specified by the Bluetooth standard, it passes testing and is shipped to original equipment manufacturers (OEMs). Because the imperfections are fixed and, being analog, never exactly the same from one chip to the next, they constitute a unique fingerprint for each smartphone, earbud, or other OEM device in which the chip set is used. According to the UCSD researchers, hackers can assemble a software-defined radio that tracks these unchanging CFO fingerprints for under $200.
“A hacker’s software-defined radio can fingerprint today’s Bluetooth Low Power devices with 95% accuracy in just one minute,” said UCSD doctoral candidate Hadi Givehchian. “But our obfuscation of the fingerprint—which requires nothing more than updated firmware—makes identification economically unfeasible, since it would take 10 days of uninterrupted stationary monitoring to identify with 95% accuracy.”
It turns out that a Bluetooth Low Energy chip set could compensate for its carrier frequency offset to make it appear near 0, but no manufacturer bothers, because such a procedure would make the device too expensive to be competitive in price: over five billion Bluetooth chip sets are manufactured every year, according to ABI Research Inc. The task would involve testing every manufactured chip set—instead of a sample from each production run—and then individually fine-tuning its perceived carrier frequency offset to zero. The UCSD researchers’ technique for obfuscating the fingerprint of each device, by contrast, requires neither testing of devices nor fine-tuning of each chip set’s native carrier frequency offset.
“You might think that just periodically randomly changing the carrier frequency offset would foil a hacker trying to identify a device’s fingerprint, but it turns out that all the adversary would have to do is average the randomly changing offset to slowly home in on the underlying fingerprint,” said Givehchian.
Secret Sauce
Since the device address can change every 15 to 20 minutes, the obfuscation algorithm changes the perceived fingerprint only when the device address changes, so the device address and the perceived physical-layer fingerprint change simultaneously, making the device appear to a hacker to be a new one. The obfuscation range is chosen within the ±150 kHz range specified by the Bluetooth Low Energy standard, so as not to impact the demodulation accuracy of the Bluetooth signal. Drawing the randomized fingerprints from a fixed uniform or Gaussian distribution, changed whenever a device address is randomized, would allow a determined adversary to identify the fingerprint with better than 50% accuracy by averaging over a very few hours. To extend that period to 24 hours, the mean of the Gaussian distribution is itself re-randomized every 8 hours according to a uniform distribution, so an adversary needs at least 24 hours of observation to reach better than 50% accuracy—longer than the typical Bluetooth device stays in one spot. To reach the 95% accuracy that today’s hackers achieve with non-obfuscated Bluetooth chip sets in just one minute, the researchers claim 10 days of continuous, uninterrupted observation with a hacker’s software-defined radio would be required once obfuscation is incorporated into the Bluetooth chip set’s firmware.
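As an added illustration, not code from the UCSD paper or from this article, the following Python simulation models the two-level schedule described above and the naive fixed-distribution variant that Givehchian’s quote warns about. The ±150 kHz spec limit, the 15-to-20-minute address rotation (15 minutes assumed here) and the 8-hour re-randomization of the Gaussian mean come from the article; the ±90 kHz range for the uniform mean draw, the 20 kHz spread of the per-rotation Gaussian draw, the modelling of the perceived CFO as native CFO plus a firmware-applied shift, and the once-per-minute packet sampling are assumptions of this example.

```python
import random
import statistics

# From the article: BLE tolerates a carrier frequency offset of ±150 kHz, the
# device address rotates every 15 to 20 minutes (15 assumed here), and the
# Gaussian mean is re-randomized every 8 hours.
CFO_LIMIT_HZ = 150_000
ADDR_ROTATION_S = 15 * 60
MEAN_RESEED_S = 8 * 3600

# Assumed tuning (not from the article): the per-epoch mean is drawn uniformly
# from ±MEAN_RANGE_HZ and each per-rotation draw has SIGMA_HZ spread, chosen so
# that native CFO plus shift almost always stays inside the spec limit.
MEAN_RANGE_HZ = 90_000
SIGMA_HZ = 20_000


class CfoObfuscator:
    """Firmware-side schedule: a random frequency shift applied on top of the
    chip's fixed native CFO.  The shift is redrawn only when the address rotates,
    from a Gaussian whose mean is itself re-randomized every 8 hours.  With
    two_level=False the mean stays at zero, i.e. the naive fixed-distribution
    scheme that an averaging observer defeats."""

    def __init__(self, native_cfo_hz, rng, two_level=True):
        self.native = native_cfo_hz      # analog manufacturing imperfection
        self.rng = rng
        self.two_level = two_level
        self.mean = 0.0
        self.shift = 0.0
        self.epoch_start = None
        self.rotation_start = None
        self.epoch_means = []            # kept for inspection only

    def perceived_cfo(self, t):
        """CFO an observer would measure on a packet sent at time t (seconds)."""
        if self.two_level and (self.epoch_start is None
                               or t - self.epoch_start >= MEAN_RESEED_S):
            self.mean = self.rng.uniform(-MEAN_RANGE_HZ, MEAN_RANGE_HZ)
            self.epoch_means.append(self.mean)
            self.epoch_start = t
            self.rotation_start = None   # new mean takes effect with a new address
        if self.rotation_start is None or t - self.rotation_start >= ADDR_ROTATION_S:
            # Address and perceived fingerprint change together.
            self.shift = self.rng.gauss(self.mean, SIGMA_HZ)
            self.rotation_start = t
        # Keep the transmitted CFO inside the spec so demodulation still works.
        return max(-CFO_LIMIT_HZ, min(CFO_LIMIT_HZ, self.native + self.shift))


def observe(obfuscator, duration_s, packet_interval_s=60):
    """Constructed observation: sample the perceived CFO once per packet interval."""
    return [obfuscator.perceived_cfo(t) for t in range(0, duration_s, packet_interval_s)]


def averaging_estimate(samples):
    """What an observer who simply averages all observed CFOs would conclude."""
    return statistics.fmean(samples)


if __name__ == "__main__":
    native = 20_000  # constructed native CFO, well inside the ±150 kHz tolerance

    # Naive scheme: the average homes in on the native CFO, as the article warns.
    naive = CfoObfuscator(native, random.Random(1), two_level=False)
    est = averaging_estimate(observe(naive, 2000 * ADDR_ROTATION_S, ADDR_ROTATION_S))
    print(f"naive scheme, 2000 rotations: average {est:.0f} Hz vs native {native} Hz")

    # Two-level scheme over 24 h: three different epoch means pull the average
    # away from the native value, and every transmitted CFO stays in spec.
    obf = CfoObfuscator(native, random.Random(2))
    day = observe(obf, 24 * 3600)
    print(f"two-level scheme, 24 h: epoch means {[round(m) for m in obf.epoch_means]} Hz")
    print(f"  average {averaging_estimate(day):.0f} Hz, "
          f"in spec: {all(abs(s) <= CFO_LIMIT_HZ for s in day)}")
```

The point the simulation makes is the one the article states: under the naive scheme the average of the observed values converges on the native CFO as more rotations are collected, whereas under the two-level scheme the average within any 8-hour epoch converges on the native CFO plus that epoch’s random mean, so the observer learns a different wrong value every epoch.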
To boot, many other communication protocols—including Wi-Fi, Zigbee, and others—also can use the same basic algorithm to obfuscate their inherent physical-layer fingerprints. The researchers’ next project, on which they are already working, is the development of firmware updates that obfuscate other wireless communications protocols.
In testing, the researchers verified their ability to identify the unique physical-layer fingerprint of 1,000 non-obfuscated Bluetooth devices in the field and of 4,673 Wi-Fi devices. Testing with the obfuscation algorithm burned into the firmware, however, was limited to devices using the Texas Instruments CC2640 Bluetooth processor, because it incorporates an Application Programming Interface (API) that allows changing the perceived CFO. Other Bluetooth chip sets do not provide such an API, so OEM devices built on them must use a proprietary technique to obfuscate the CFO. In many Wi-Fi chipsets, a digital signal processor (DSP) controls the CFO, so OEMs wishing to add obfuscation to Bluetooth and Wi-Fi devices not based on the Texas Instruments CC2640 will need to implement their own algorithm from the details provided in the UCSD paper, or contact the Center for Wireless Communications for help.
R. Colin Johnson is a Kyoto Prize Fellow who has worked as a technology journalist for two decades.