To prevent tracking, most devices broadcast a randomized address that periodically changes rather than a Media Access Control (MAC) address, but researchers have found that it is possible to extract identifying tokens that allow a device to be tracked even when this randomized address changes, using what they call the address-carryover algorithm.
We present an online algorithm called the address-carryover algorithm, which exploits the fact that identifying tokens and the random address do not change in sync, to continuously track a device despite implementing anonymization measures. To our knowledge, this approach affects all Windows 10, iOS, and macOS devices. (Source: Research PDF)
The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic.
A media access control address (MAC address) of a device is a unique identifier assigned to a network interface controller (NIC). For communications within a network segment, it is used as a network address for most IEEE 802 network technologies, including Ethernet, Wi-Fi, and Bluetooth. Within the Open Systems Interconnection (OSI) model, MAC addresses are used in the medium access control protocol sublayer of the data link layer. As typically represented, MAC addresses are recognizable as six groups of two hexadecimal digits, separated by hyphens, colons, or no separator.
A MAC address may be referred to as the burned-in address, and is also known as an Ethernet hardware address, hardware address, and physical address (not to be confused with a memory physical address).
The tracking method described in the research paper has the potential to enable an identity-exposing attack that permits "permanent, non-continuous tracking," plus an iOS side-channel that "allows insights into user activity."
iOS or macOS devices have two identifying tokens (nearby, handoff) which change at different intervals. In many cases, the values of the identifying tokens change in sync with the address. However, in some cases the token change does not happen at the same moment as the address change, which allows the carry-over algorithm to identify the next random address.
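The effect of tokens and addresses rotating out of sync can be checked on a capture of a device's own advertisements. The Python sketch below is an added example, not code from the research paper; the `Adv` record, the function names and both sample captures are constructed for illustration, and it assumes the token has already been extracted from each advertising payload.

```python
from typing import NamedTuple

class Adv(NamedTuple):
    t: int       # seconds since the start of the capture
    addr: str    # randomized advertising address seen on air
    token: str   # identifying token already extracted from the payload

def chain_identities(advs):
    """Give each advertisement an identity id. A new address inherits the id
    of an old one when it carries a token last seen under that old address."""
    by_addr, by_token, ids, next_id = {}, {}, [], 0
    for adv in sorted(advs, key=lambda a: a.t):
        ident = by_addr.get(adv.addr)
        if ident is None:
            ident = by_token.get(adv.token)   # carry-over across the change
        if ident is None:
            ident, next_id = next_id, next_id + 1
        by_addr[adv.addr] = by_token[adv.token] = ident
        ids.append(ident)
    return ids

def rotation_is_linkable(advs):
    """True when at least two addresses in the capture share one identity."""
    return len(set(chain_identities(advs))) < len({a.addr for a in advs})

# Constructed capture: the token rotates while the address stays, and vice versa.
OUT_OF_SYNC = [
    Adv(0, "addr-1", "tok-a"), Adv(300, "addr-1", "tok-b"),
    Adv(900, "addr-2", "tok-b"), Adv(1200, "addr-2", "tok-c"),
    Adv(1800, "addr-3", "tok-c"),
]
# Constructed capture: address and token always rotate in the same advertisement.
IN_SYNC = [
    Adv(0, "addr-1", "tok-a"), Adv(300, "addr-1", "tok-a"),
    Adv(900, "addr-2", "tok-b"), Adv(1200, "addr-2", "tok-b"),
    Adv(1800, "addr-3", "tok-c"),
]

if __name__ == "__main__":
    for name, cap in (("out of sync", OUT_OF_SYNC), ("in sync", IN_SYNC)):
        print(name, chain_identities(cap), rotation_is_linkable(cap))
```

In the out-of-sync capture all three addresses collapse into one identity, while the in-sync capture leaves each address as its own identity because no token survives an address change.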
Android devices do not use the same advertising approach as Microsoft and Apple, and are immune to the data tracking methods used by the researchers.
It's not clear if the method described has been used by any bad actors for the purpose of tracking Apple devices using Bluetooth, but it would be undetectable as it does not require breaking Bluetooth security. The research paper contains several recommendations on how to mitigate the tracking vulnerability, and Apple is often quick to patch any security issues that come up, so we could see a fix for this problem in the near future.
To turn on automatic updates on an iPhone or iPad:
- Open the “Settings” app on the iPhone or iPad.
- Go to “iTunes & App Store”.
- Under the “Automatic Downloads” section, look for “Updates” and toggle that switch to the ON position.
- Exit out of Settings as usual.
Luckily, most of the affected chip manufacturers, like Intel, Microsoft and Apple, have already implemented a fix and pushed out a new 2019 security update. Here are the potentially affected companies and how you can update your hardware:
Regardless of whether there’s been a newly discovered exploit, it’s always a good idea to keep your software and firmware up-to-date. Having the latest security updates can protect you from any potential hacks and keep your data — and devices — safe.
RepairMedia always suggests you update your devices.
Keeping the operating system up to date is the best way to stay protected with security patches.