Abstract / Description of output
Bluetooth Classic (BT) remains the de facto connectivity technology in car stereo systems, wireless headsets, laptops, and a plethora of wearables, especially for applications that require high data rates, such as audio streaming, voice calling, tethering, etc. Unlike in Bluetooth Low Energy (BLE), where address randomization is a feature available to manufactures, BT addresses are not randomized because they are largely believed to be immune to tracking attacks. We analyze the design of BT and devise a robust de-anonymization technique that hinges on the apparently benign information leaking from frame encoding, to infer a piconet’s clock, hopping sequence, and ultimately the Upper Address Part (UAP) of the master device’s physical address, which are never exchanged in clear. Used together with the Lower Address Part (LAP), which is present in all frames transmitted, this enables tracking of the piconet master, thereby debunking the privacy guarantees of BT. We validate this attack by developing the first Software-defined Radio (SDR) based sniffer that allows full BT spectrum analysis (79 MHz) and implements the proposed de-anonymization technique. We study the feasibility of privacy attacks with multiple testbeds, considering different numbers of devices, traffic regimes, and communication ranges. We demonstrate that it is possible to track BT devices up to 85 meters from the sniffer, and achieve more than 80% device identification accuracy within less than 1 second of sniffing and 100% detection within less than 4 seconds. Lastly, we study the identified privacy attack in the wild, capturing BT traffic at a road junction over 5 days, demonstrating that our system can re-identify hundreds of users and infer their commuting patterns.
Original language | English |
---|---|
Title of host publication | 2020 IEEE Symposium on Security and Privacy (SP) |
Place of Publication | San Francisco, CA, USA |
Publisher | Institute of Electrical and Electronics Engineers |
Pages | 534-548 |
Number of pages | 15 |
ISBN (Electronic) | 978-1-7281-3497-0 |
ISBN (Print) | 978-1-7281-3498-7 |
DOIs | |
Publication status | Published - 30 Jul 2020 |
Event | 41st IEEE Symposium on Security and Privacy - The Hyatt Regency, San Francisco, United States Duration: 18 May 2020 → 20 May 2020 Conference number: 41 http://www.ieee-security.org/TC/SP2020/ |
Publication series
Name | |
---|---|
Publisher | IEEE |
ISSN (Print) | 1081-6011 |
ISSN (Electronic) | 2375-1207 |
Conference
Conference | 41st IEEE Symposium on Security and Privacy |
---|---|
Abbreviated title | SP 2020 |
Country/Territory | United States |
City | San Francisco |
Period | 18/05/20 → 20/05/20 |
Internet address |