Research published this month by a team from Boston University has revealed a number of flaws in the way that Bluetooth Low Energy functionality is implemented on a wide range of consumer devices.

These devices – including both Apple and Microsoft Bluetooth devices – advertise their availability on open channels, and this opens the way for global device tracking. With spyware in the IoT becoming a major source of concern for cybersecurity researchers, this new research indicates that the problem may be even larger than we imagined.

The flaw

The paper describes a methodology for identifying Bluetooth devices, even when their MAC addresses are hidden or randomized.

In early implementations of the Bluetooth protocol, devices ‘advertised’ their presence by broadcasting data on so-called ‘advertising channels’. This system was designed to allow Bluetooth devices to be paired easily but had some significant security vulnerabilities.

Specifically, devices broadcast their Bluetooth MAC address on these channels. This is a permanent address, and so anyone within a few meters of the device was able to collect a unique identifier. This could then be used to track a Bluetooth device wherever it went.

In order to combat this problem, the Bluetooth Low Energy standard moved away from using open MAC addresses. Instead, devices using the protocol are given randomized, temporary addresses. These were believed to make newer Bluetooth devices untrackable.