Even Black Cats Cannot Stay Hidden in the Dark: Full-band De-anonymization of Bluetooth Classic Devices

Marco Cominelli, Francesco Gringoli, Margus Lind, Paul Patras, Guevara Noubir

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract / Description of output

Bluetooth Classic (BT) remains the de facto connectivity technology in car stereo systems, wireless headsets, laptops, and a plethora of wearables, especially for applications that require high data rates, such as audio streaming, voice calling, tethering, etc. Unlike in Bluetooth Low Energy (BLE), where address randomization is a feature available to manufactures, BT addresses are not randomized because they are largely believed to be immune to tracking attacks. We analyze the design of BT and devise a robust de-anonymization technique that hinges on the apparently benign information leaking from frame encoding, to infer a piconet’s clock, hopping sequence, and ultimately the Upper Address Part (UAP) of the master device’s physical address, which are never exchanged in clear. Used together with the Lower Address Part (LAP), which is present in all frames transmitted, this enables tracking of the piconet master, thereby debunking the privacy guarantees of BT. We validate this attack by developing the first Software-defined Radio (SDR) based sniffer that allows full BT spectrum analysis (79 MHz) and implements the proposed de-anonymization technique. We study the feasibility of privacy attacks with multiple testbeds, considering different numbers of devices, traffic regimes, and communication ranges. We demonstrate that it is possible to track BT devices up to 85 meters from the sniffer, and achieve more than 80% device identification accuracy within less than 1 second of sniffing and 100% detection within less than 4 seconds. Lastly, we study the identified privacy attack in the wild, capturing BT traffic at a road junction over 5 days, demonstrating that our system can re-identify hundreds of users and infer their commuting patterns.
Original languageEnglish
Title of host publication2020 IEEE Symposium on Security and Privacy (SP)
Place of PublicationSan Francisco, CA, USA
PublisherInstitute of Electrical and Electronics Engineers
Pages534-548
Number of pages15
ISBN (Electronic)978-1-7281-3497-0
ISBN (Print)978-1-7281-3498-7
DOIs
Publication statusPublished - 30 Jul 2020
Event41st IEEE Symposium on Security and Privacy - The Hyatt Regency, San Francisco, United States
Duration: 18 May 202020 May 2020
Conference number: 41
http://www.ieee-security.org/TC/SP2020/

Publication series

Name
PublisherIEEE
ISSN (Print)1081-6011
ISSN (Electronic)2375-1207

Conference

Conference41st IEEE Symposium on Security and Privacy
Abbreviated titleSP 2020
Country/TerritoryUnited States
CitySan Francisco
Period18/05/2020/05/20
Internet address

Fingerprint

Dive into the research topics of 'Even Black Cats Cannot Stay Hidden in the Dark: Full-band De-anonymization of Bluetooth Classic Devices'. Together they form a unique fingerprint.

Cite this