Technique for identifying smartphones by Bluetooth broadcast activity

A team of researchers at the University of California San Diego has developed a method for identifying mobile devices from the beacons they broadcast over Bluetooth Low Energy (BLE), the same advertising packets that passive Bluetooth receivers rely on to detect when a new device comes into range.

Depending on the implementation, these beacons are sent roughly 500 times per minute and, as the designers of the standard intended, carry no stable identifier that could be tied to a user. In practice the situation turned out differently: the transmitted signal is distorted by manufacturing variations specific to each individual chip. These distortions are unique to each device and constant over time, and they can be measured with an ordinary software-defined radio (SDR).


The problem shows up in combo chips that integrate Wi-Fi and Bluetooth, share a common master oscillator and run several analog components in parallel; their imperfections leave a small offset in the carrier frequency and an asymmetry in the amplitude and phase of the in-phase and quadrature (I/Q) components of the transmitted signal. The total cost of the attack equipment is estimated at roughly $200. Code for extracting the unique fingerprint from an intercepted signal has been published on GitHub.
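The following is an added example, not the UCSD team's published code: a pure-Python simulation of the fingerprinting idea described above. It models the two impairments a shared-oscillator combo chip leaves on every packet, a carrier frequency offset (CFO) and a transmit I/Q imbalance, generates BLE-like advertising packets from three constructed devices with illustrative impairment values, and shows a receiver recovering those impairments from raw I/Q samples and matching a fresh packet to an enrolled device even though the channel gain and phase differ on every capture. Simplifying assumptions not taken from the article: plain 2-FSK at 1 Msym/s without Gaussian pulse shaping, 4 samples per symbol, perfect timing, and a receiver that already knows the packet bits (decision-directed estimation). The device names, impairment values, noise level and matching weights are all made up for the demonstration.

```python
"""Simulated BLE physical-layer fingerprinting (added example, not the UCSD code).
Assumptions: plain 2-FSK without Gaussian shaping, 4 samples/symbol, perfect
timing, and a receiver that already knows the packet bits."""
import cmath
import math
import random

FS = 4_000_000      # receiver sample rate: 4 samples per 1 us BLE symbol
SPS = 4
F_DEV = 250_000     # nominal BLE 1M PHY frequency deviation
NOISE_STD = 0.02    # per-component AWGN std for unit signal power (~31 dB SNR)

# Constructed devices: (cfo_hz, Q-branch gain error, Q-branch phase error in rad).
DEVICES = {
    "phone-A": (12_300.0, 1.03, math.radians(2.0)),
    "phone-B": (-20_700.0, 0.97, math.radians(-3.0)),
    "phone-C": (35_100.0, 1.05, math.radians(4.0)),
}

def packet_bits(payload_bits, seed):
    """0xAA preamble + advertising access address 0x8E89BED6 (LSB first), then constructed random payload bits."""
    header = 0xAA | (0x8E89BED6 << 8)
    rng = random.Random(seed)
    return [(header >> i) & 1 for i in range(40)] + [rng.randint(0, 1) for _ in range(payload_bits)]

def fsk_baseband(bits):
    """Ideal constant-envelope 2-FSK samples for a bit sequence."""
    phase, out = 0.0, []
    for b in bits:
        step = 2 * math.pi * (F_DEV if b else -F_DEV) / FS
        for _ in range(SPS):
            phase += step
            out.append(cmath.exp(1j * phase))
    return out

def transmit(samples, cfo_hz, gain_imb, phase_imb, channel, rng):
    """TX I/Q imbalance, then TX/RX carrier offset, flat complex channel gain and AWGN."""
    out = []
    for n, x in enumerate(samples):
        i, q = x.real, x.imag
        y = complex(i, gain_imb * (q * math.cos(phase_imb) + i * math.sin(phase_imb)))
        y *= channel * cmath.exp(2j * math.pi * cfo_hz * n / FS)
        out.append(y + complex(rng.gauss(0, NOISE_STD), rng.gauss(0, NOISE_STD)))
    return out

def estimate_cfo(rx, ref):
    """z = rx*conj(ref) is a tone at the CFO: coarse 1-symbol lag (unambiguous to +-500 kHz), then a half-packet lag for precision."""
    z = [r * ref[n].conjugate() for n, r in enumerate(rx)]
    cfo = 0.0
    for lag in (SPS, len(z) // 2):
        zc = [v * cmath.exp(-2j * math.pi * cfo * n / FS) for n, v in enumerate(z)]
        acc = sum(zc[n + lag] * zc[n].conjugate() for n in range(len(zc) - lag))
        cfo += cmath.phase(acc) * FS / (2 * math.pi * lag)
    return cfo

def estimate_image_ratio(rx, ref, cfo_hz):
    """Least-squares fit rx ~ a*ref + b*conj(ref) after CFO removal; b/a cancels the unknown channel gain."""
    y = [r * cmath.exp(-2j * math.pi * cfo_hz * n / FS) for n, r in enumerate(rx)]
    A = sum(abs(x) ** 2 for x in ref)
    B = sum(x.conjugate() ** 2 for x in ref)
    r1 = sum(x.conjugate() * v for x, v in zip(ref, y))
    r2 = sum(x * v for x, v in zip(ref, y))
    det = A * A - B * B.conjugate()
    a = (A * r1 - B * r2) / det
    b = (A * r2 - B.conjugate() * r1) / det
    return b / a

def fingerprint(rx, ref):
    """Feature vector (CFO in Hz, Re and Im of the image ratio)."""
    cfo = estimate_cfo(rx, ref)
    k = estimate_image_ratio(rx, ref, cfo)
    return (cfo, k.real, k.imag)

def capture(name, rng, payload_bits=200):
    """One received packet from `name` over a random channel; `ref` stands in for the demodulated bits."""
    ref = fsk_baseband(packet_bits(payload_bits, rng.randrange(1 << 30)))
    cfo, g, phi = DEVICES[name]
    h = cmath.rect(rng.uniform(0.7, 1.5), rng.uniform(-math.pi, math.pi))
    return transmit(ref, cfo, g, phi, h, rng), ref

def identify(db, fp):
    """Nearest enrolled fingerprint; 1 kHz of CFO and 1 % of image ratio weigh equally (assumed weights)."""
    scale = (1e3, 1e-2, 1e-2)
    return min(db, key=lambda n: sum(((a - b) / s) ** 2 for a, b, s in zip(db[n], fp, scale)))

def run_demo(seed=7, enroll_packets=5, probes=20):
    """Enroll each device from a few packets, then identify fresh ones; returns accuracy."""
    rng = random.Random(seed)
    db = {}
    for name in DEVICES:
        fps = [fingerprint(*capture(name, rng)) for _ in range(enroll_packets)]
        db[name] = tuple(sum(f[i] for f in fps) / enroll_packets for i in range(3))
    hits = 0
    for i in range(probes):
        truth = list(DEVICES)[i % len(DEVICES)]
        hits += identify(db, fingerprint(*capture(truth, rng))) == truth
    return hits / probes

def single_probe(name, seed=3):
    """(CFO error in Hz, image-ratio error) for one packet, against the closed-form b/a of the model in transmit()."""
    rng = random.Random(seed)
    cfo, kr, ki = fingerprint(*capture(name, rng))
    true_cfo, g, phi = DEVICES[name]
    true_k = (1 - g * cmath.exp(-1j * phi)) / (1 + g * cmath.exp(1j * phi))
    return abs(cfo - true_cfo), abs(complex(kr, ki) - true_k)
```

The point to notice is the image ratio b/a: both least-squares coefficients carry the unknown channel term, so their ratio is a property of the transmitter alone, which is why the fingerprint survives MAC address randomization and a change of position. The temperature sensitivity the article mentions would appear in this model as a slow drift of the CFO feature between enrollment and probe.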


In practice, this makes it possible to identify a device regardless of anti-tracking measures such as MAC address randomization, because the fingerprint lives in the analog signal rather than in the packet contents. For an iPhone with the COVID-19 contact-tracing application active, fingerprints sufficient for identification could be captured at a distance of 7 meters. Android devices required closer proximity.

Several experiments were carried out to confirm the method in public places such as cafes. In the first, 162 devices were analyzed, and a unique identifier could be derived for 40% of them. In the second, 647 mobile devices were studied, and unique identifiers were obtained for 47%. Finally, the researchers demonstrated that the derived identifiers could be used to track the movements of volunteers who had agreed to take part in the experiment.

The researchers also noted several factors that complicate identification. The beacon's parameters shift with temperature, and the distance at which the fingerprint can be captured is affected by the Bluetooth transmit-power adjustments some devices apply. To block the method, they propose filtering the signal in the Bluetooth chip's firmware or using dedicated hardware countermeasures. Disabling Bluetooth is not always enough: some devices (Apple smartphones, for example) keep sending beacons even with Bluetooth switched off, and the device must be powered down completely to stop the transmissions.

Source: opennet.ru
