Researchers at Boston University have found a weakness in the way Bluetooth Low Energy (BLE) devices advertise themselves which could allow an attacker to track and identify devices from Apple and Microsoft.
Among the affected Apple devices are Macs, iPhones, iPads, and the Apple Watch; Microsoft tablets and laptops running Windows 10 are affected as well. Android devices were not found to be affected.
As the research paper [PDF] explains, Bluetooth devices announce their presence to other devices over public, unencrypted advertising channels.
To prevent tracking, most devices broadcast a randomized address that changes periodically rather than their fixed hardware (MAC) address. However, the researchers found that the advertising payload also carries identifying tokens, and that these tokens can be used to follow a device across a change of its randomized address. They call the technique the address-carryover algorithm.
“We present an online algorithm called the address-carryover algorithm, which exploits the fact that identifying tokens and the random address do not change in sync, to continuously track a device despite implementing anonymization measures. To our knowledge, this approach affects all Windows 10, iOS, and macOS devices.
The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic.”
The tracking method outlined in the paper could enable an identity-exposing attack that allows “permanent, non-continuous tracking,” as well as an iOS side-channel that “allows insights into user activity.”
“iOS or macOS devices have two identifying tokens (nearby, handoff) which change in different intervals. In many cases, the values of the identifying tokens change in sync with the address. However, in some cases the token change does not happen in the same moment, which allows the carry-over algorithm to identify the next random address.”
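The mechanism described in the two quoted passages, as an added illustrative example (it is not the researchers' code, and the device names, token names, timings and token formats are assumptions chosen for the simulation; rotation intervals are compressed to seconds). A constructed advertising stream rotates its random address on one schedule and two identifying tokens on their own schedules, and a tracker links each new address to the previous one whenever at least one token is unchanged across the change. The synchronized schedule at the end shows why the approach fails when tokens and address rotate in the same instant:

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Advertisement:
    t: float       # capture time in seconds
    addr: str      # randomized device address from the packet header
    tokens: dict   # identifying tokens from the payload, e.g. {"nearby": ..., "handoff": ...}


def _pseudo_id(secret: str, label: str, index: int) -> str:
    """Deterministic stand-in for a freshly generated address or token value (assumption)."""
    return hashlib.sha256(f"{secret}:{label}:{index}".encode()).hexdigest()[:16]


def simulate_device(secret, duration, adv_period=1.0, addr_interval=15.0,
                    token_schedule=None, t0=0.0):
    """Constructed advertising stream for one hypothetical device.

    The random address rotates every `addr_interval` seconds. Each token in
    `token_schedule` (name -> (interval, offset)) rotates on its own clock, so
    token and address changes are usually not simultaneous. With offset 0 and
    interval == addr_interval every change happens in sync (the hardened case)."""
    if token_schedule is None:
        token_schedule = {"nearby": (20.0, 7.0), "handoff": (30.0, 3.0)}
    advs, t = [], 0.0
    while t < duration:
        addr = _pseudo_id(secret, "addr", int(t // addr_interval))
        tokens = {name: _pseudo_id(secret, name, int((t + off) // interval))
                  for name, (interval, off) in token_schedule.items()}
        advs.append(Advertisement(t0 + t, addr, tokens))
        t += adv_period
    return advs


class CarryoverTracker:
    """Follows one device across address rotations by carrying identifying
    tokens over from the old address to the new one (illustrative reimplementation)."""

    def __init__(self, first: Advertisement, max_gap: float = 5.0):
        self.chain = [first.addr]        # every address attributed to the device, in order
        self.tokens = dict(first.tokens)  # most recent value seen for each token
        self.last_seen = first.t
        self.max_gap = max_gap            # how long a token value stays usable for linking

    def observe(self, adv: Advertisement) -> bool:
        """Return True if `adv` is attributed to the tracked device."""
        if adv.addr == self.chain[-1]:
            # Same address: a token may rotate underneath it, so keep tokens current.
            self.tokens.update(adv.tokens)
            self.last_seen = adv.t
            return True
        if adv.t - self.last_seen > self.max_gap:
            return False  # nothing recent enough to carry over from
        # New address: carry over if any identifying token is unchanged.
        if any(self.tokens.get(k) == v for k, v in adv.tokens.items()):
            self.chain.append(adv.addr)
            self.tokens.update(adv.tokens)
            self.last_seen = adv.t
            return True
        return False


def track_stream(stream, max_gap: float = 5.0):
    """Track the device behind stream[0]; return (address chain, unattributed advertisements)."""
    tracker = CarryoverTracker(stream[0], max_gap)
    unlinked = [adv for adv in stream[1:] if not tracker.observe(adv)]
    return tracker.chain, unlinked


if __name__ == "__main__":
    # Device with out-of-sync token rotation: every address change is bridged.
    chain, unlinked = track_stream(simulate_device("device-A", 120.0))
    print(f"out-of-sync device: {len(chain)} addresses linked, {len(unlinked)} packets lost")
    # Same device model with tokens rotated in sync with the address: tracking breaks at the first change.
    synced = {"nearby": (15.0, 0.0), "handoff": (15.0, 0.0)}
    chain, unlinked = track_stream(simulate_device("device-S", 120.0, token_schedule=synced))
    print(f"synchronized device: {len(chain)} addresses linked, {len(unlinked)} packets lost")
```

The tracker never decrypts anything and never connects to the device; it only compares fields that every nearby receiver can read. A second device interleaved into the same capture is not absorbed into the chain, because neither its addresses nor its token values ever coincide with those already recorded.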
At this point, it is not clear whether the described method has been used in the wild to track Apple devices via Bluetooth. It would be hard to detect in any case: the attacker only listens passively to advertising traffic that the devices broadcast in the clear, and never has to connect to them or break Bluetooth security.
Recommendations for mitigating the tracking weakness can be found in the research paper mentioned above; the quoted passages point at the heart of the problem, namely that the identifying tokens and the randomized address are not rotated at the same moment.