[Cryptography] Threat Model: Bluetooth tracking beacons

Kent Borg kentborg at borg.org
Sat Sep 24 19:00:29 EDT 2016


On 09/24/2016 12:50 PM, Henry Baker wrote:
> Anyone here have any good ideas of the *minimal* changes in Bluetooth protocols to render these "beacons" (actually trackers) useless?

My Android phone gives the impression it has (about) three Bluetooth modes:

1) Off.

2) Discoverable.

3) On, but not discoverable.

What does #3 mean? Not pairable, but still exposed?

I long ago read that Bluetooth is encrypted (as if that necessarily 
means something real). I was vaguely assuming that if my phone is 
talking to my smartwatch it was doing so encrypted, and though someone 
might do some analog fingerprinting of the radio, or correlate with more 
public cell radio IDs, the Bluetooth didn't say who it is except when it 
is in "discoverable" mode.

Um, so there is a durable MAC address-like value that IDs my watch and 
phone, and can be observed as I come into and go out of range? That's no 
fun.

However, on 09/24/2016 05:52 PM, Natanael wrote:
>
> Bluetooth 4.2 LE Privacy 1.2
>
> https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_id=286439
>
> > 5.4.5 Privacy Feature
> > Bluetooth LE supports a feature that reduces the ability to track a LE
> > device over a period of time by changing the Bluetooth device address on
> > a frequent basis. The privacy feature is not used in the GAP discovery
> > mode and procedures but it is used, when supported, during connection
> > mode and connection procedures.
> >
> > In order for a device using the privacy feature to reconnect to known
> > devices, the device address, referred to as the private address, must be
> > resolvable by the other device. The private address is generated using
> > the device’s resolving identity key (IRK) exchanged during the bonding
> > procedure.
> >
> > 6.5 DEVICE PRIVACY
> > A private device shall not use its Identity Address in any packet type
> > used on the advertising channels.
> >
> > 10.7 PRIVACY FEATURE
> > The privacy feature provides a level of privacy which makes it more
> > difficult for an attacker to track a device over a period of time. The
> > requirements for a device to support the privacy feature are defined in
> > Table 10.3.
>
> And so on...
>

...for an additional 2500-something-pages. (Okay, not all about privacy, 
because Bluetooth is big, but a privacy gotcha could be hidden 
anywhere--nearly three-thousand total pages in the public spec sounds 
like a complex system.)

So does that mean the common Bluetooth devices (iPhones, Androids, 
Fitbits, battery-hungry smartwatches, Pebble smartwatches, audio 
devices...) do that privacy stuff or not? (And does it work?)

-kb, the Kent who continues to fret that our systems are both so 
complex that we don't know what they do, and that the details at all of 
the system boundaries are so poorly defined that no one could know what 
they do.
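To make the quoted privacy feature concrete (a private address that changes frequently but that a bonded peer can still resolve with the IRK), here is an added worked example in Go; it is not code from this thread or from any Bluetooth stack. The `ah` hash, the prand||hash address layout and the big-endian byte convention follow the Core Spec definition of resolvable private addresses as I know it (Vol 3, Part H, 2.2.2); the function names are my own and the key values in the comments are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
)

// ah is the Bluetooth random-address hash: AES-128 under the IRK of the
// 24-bit prand zero-padded to 128 bits, keeping the 24 least significant
// bits. Values are laid out big-endian, as the spec presents them.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	block, _ := aes.NewCipher(irk[:]) // a 16-byte key is always accepted
	var in, out [16]byte
	copy(in[13:], prand[:]) // 104 zero bits of padding, then the 24-bit prand
	block.Encrypt(out[:], in[:])
	var hash [3]byte
	copy(hash[:], out[13:]) // keep the 24 least significant bits
	return hash
}

// MakeRPA forms a 48-bit resolvable private address from a chosen prand.
func MakeRPA(irk [16]byte, prand [3]byte) [6]byte {
	prand[0] = prand[0]&0x3f | 0x40 // top two bits 01 mark a resolvable private address
	hash := ah(irk, prand)
	var a [6]byte
	copy(a[:3], prand[:])
	copy(a[3:], hash[:])
	return a
}

// NewRPA draws a fresh prand, as a privacy-enabled device does whenever its address timer fires.
func NewRPA(irk [16]byte) [6]byte {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		panic(err)
	}
	return MakeRPA(irk, prand)
}

// Resolve is the bonded peer's check: it recomputes the hash under a stored IRK.
// Without the IRK there is nothing to recompute, so an observer cannot link addresses.
func Resolve(a [6]byte, irk [16]byte) bool {
	var prand [3]byte
	copy(prand[:], a[:3])
	h := ah(irk, prand)
	return a[0]>>6 == 1 && subtle.ConstantTimeCompare(h[:], a[3:]) == 1
}
```

The prand travels in the clear and only the 24-bit hash binds it to the IRK, so the protection is exactly as strong as the device's discipline in never advertising its Identity Address (the 6.5 rule quoted above) and in actually rotating the address.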
