[Cryptography] Threat Model: Bluetooth tracking beacons

[Henry Baker]

FYI --

https://motherboard.vice.com/read/apple-deleting-the-iphones-audio-jack-is-good-news-for-marketing-companies

Apple Deleting the iPhone's Audio Jack Is Good News for Marketing Companies

Written by Joshua Kopstein  September 23, 2016 // 08:00 AM EST

Apple's much-anticipated decision to nix the headphone jack on its newest iPhone has understandably made a lot of people very angry.  But there's at least one industry that's jumping for joy over the death of the ubiquitous audio plug: Marketing companies that track your phone's location and target you with ads.

The reason for the celebration is Bluetooth beacons, a "proximity marketing" technology that's been pushed by the ad-tech industry for years.  The beacons come from tiny Bluetooth Low-Energy (BTLE) transmitters that have already been planted inside many retail stores, airports, and museums, which send signals to nearby mobile devices.  If your device has Bluetooth enabled and comes in range of a beacon (say, in a clothing store) any apps you've installed that are listening for Bluetooth beacons can determine exactly where you are, target you with ads, or record your real-world shopping habits, among other things.

And now that Apple has gotten rid of the iPhone's headphone jack, marketers are anticipating that a whole lot of people will soon be leaving their Bluetooth enabled, effectively "opting in" to the beacons' tracking.

The renewed relevance of beacons was a topic of excitement at Place Conference, a location marketing summit held earlier this week at the University of Chicago.  There, a session on Bluetooth beacon adoption specifically mentioned Apple's removal of the iPhone headphone jack as an opportunity for tracking beacons, which require Bluetooth to be left on to work.

Marketers and tracking companies have long tried to fight criticism of Bluetooth beacons by claiming that the tracking is done with users' consent.  One company, Estimote, describes them as "an opt-in tech to enhance user experience."  The session's presenters also dismissed the privacy concerns surrounding beacons, saying the tracking is "really no different from GPS."

Big tech firms are already on the beacon bandwagon too.  Apple announced its iBeacons platform back in 2013, paving the way for Bluetooth-enabled iOS devices to receive beacons for a variety of purposes--from pushing ads or coupons to shoppers who linger in certain sections of a department store to sending tourists notifications with information about nearby landmarks.  The free LinkNYC WiFi kiosks now scattered about New York City, paid for in part by a Google spin-off company called Sidewalk Labs, are also capable of sending advertising beacons to logged-in users.

https://motherboard.vice.com/read/linknycs-new-free-network-is-blazing-fast-but-at-what-cost-to-privacy

"Marketers are trying to trick people by saying the standalone beacons don't actively track people because they only send pings" to your device, said Adam Harvey, an artist and privacy technologist who has studied Bluetooth beacon tracking.  "Of course beacons are used to track you.  That's the whole point.  Marketers want to know who you are, where you came from, and exactly where you're standing right now with centimeter precision."

Currently, you can "opt out" of the tracking by avoiding apps that use beacons and remembering to keep Bluetooth off on your device.  But the boundaries of consent get really blurry when everyone starts walking around with devices like the headphone jack-less iPhone 7, which basically require Bluetooth to be left on constantly to do basic things like listen to music.

Granted, iOS' privacy controls let you choose which apps can receive beacons by enabling or disabling them in Location Services.  But there's currently no way to disable an app's ability to receive Bluetooth beacons without removing its location access entirely.  You can also avoid Bluetooth on the new iPhone by attaching a $10 headphone adapter, but whether users embrace that clunky solution in the long-term remains to be seen.

The potential uses for beacon-based surveillance goes far beyond advertising.  In a 2008 study, researchers used high-accuracy Bluetooth tracking to monitor prisoners in order to gather intelligence on their activities and map out on their social connections.

To be fair, not all applications of beacon technology are marketing or surveillance-oriented.  Google's Eddystone beacon platform aims to establish a degree of privacy by offering what the company calls an "Ephemeral Identifiers," a unique code given to every beacon device that can be constantly changed, preventing third parties from establishing any useful information about the beacon or the devices it connects with.

But ultimately, said Harvey, the goal of advertisers in spreading the adoption of beacons is clear--especially in a post-headphone jack world where users are much more reliant on Bluetooth.

"To consumers, beacon tracking systems are marketed as privacy friendly," said Harvey.  "To marketers working in retail-surveillance, beacons are more aptly called 'cookies for the physical world.'"

"This is beyond privacy.  It's about programming human behavior," he added.
----

OK, here's a real-world threat.

Anyone here have any good ideas of the *minimal* changes in Bluetooth protocols to render these "beacons" (actually trackers) useless?

The problem, of course, is that the Bluetooth earbuds, Bluetooth keyboards, Bluetooth car connections, etc., also have to be able to work.  Ideally, a solution would enable some sort of "mac hopping" (analogous to frequency hopping) that would work in real time even when one is listening to music or on a telephone call.

I don't know as much about the Bluetooth protocols, but Apple does have mac randomization for wifi[1].  I'm not sure that mac randomization does very much for privacy, or whether it would work for Bluetooth; my guess is that the communicating Bluetooth devices would also have to be modified/upgraded, as well.

Also, of course, you're going to have to throw away your Fitbit, your BLE heart rate monitor, your $5,000 gold iWatch, etc. [2]

[1] http://appleinsider.com/articles/14/06/09/mac-address-randomization-joins-apples-heap-of-ios-8-privacy-improvements

[2] https://www.cnet.com/news/why-10000-price-tag-on-gold-apple-watch-edition-wouldnt-be-crazy/