[Cryptography] Threat Model: Bluetooth tracking beacons
Kent Borg
kentborg at borg.org
Sat Sep 24 19:00:29 EDT 2016
On 09/24/2016 12:50 PM, Henry Baker wrote:
> Anyone here have any good ideas of the *minimal* changes in Bluetooth protocols to render these "beacons" (actually trackers) useless?
My Android phone gives the impression it has (about) three Bluetooth modes:
1) Off.
2) Discoverable.
3) On, but not discoverable.
What does #3 mean? Not pairable, but still exposed?
I long ago read that Bluetooth is encrypted (as if that necessarily
means something real). I was vaguely assuming that if my phone is
talking to my smartwatch it was doing so encrypted, and though someone
might do some analog fingerprinting of the radio, or correlate with more
public cell radio IDs, the Bluetooth didn't say who it is except when it
is in "discoverable" mode.
Um, so there is a durable MAC address-like value that IDs my watch and
phone, and can be observed as I come into and go out of range? That's no
fun.
However, on 09/24/2016 05:52 PM, Natanael wrote:
>
> Bluetooth 4.2 LE Privacy 1.2
>
> https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_id=286439
>
> > 5.4.5 Privacy Feature Bluetooth LE supports a feature that reduces
> the ability to track a LE device over a period of time by changing
> the Bluetooth device address on a frequent basis. The privacy feature
> is not used in the GAP discovery mode and procedures but it is used,
> when supported, during connection mode and connection procedures.
>
> > In order for a device using the privacy feature to reconnect to
> known devices, the device address, referred to as the private address,
> must be resolvable by the other device. The private address is
> generated using the device’s resolving identity key (IRK) exchanged
> during the bonding procedure.
>
> > 6.5 DEVICE PRIVACY A private device shall not use its Identity
> Address in any packet type used on the advertising channels.
>
> > 10.7 PRIVACY FEATURE The privacy feature provides a level of
> privacy which makes it more difficult for an attacker to track a
> device over a period of time. The requirements for a device to
> support the privacy feature are defined in Table 10.3.
>
> And so on...
>
...for an additional 2500-something-pages. (Okay, not all about privacy,
because Bluetooth is big, but a privacy gotcha could be hidden
anywhere--nearly three-thousand total pages in the public spec sounds
like a complex system.)
So does that mean the common Bluetooth devices (iPhones, Androids,
Fitbits, battery-hungry smartwatches, Pebble smartwatches, audio
devices...) do that privacy stuff or not? (And does it work?)
-kb, the Kent who continues to fret that our systems are both so
complex that we don't know what they do, and that the details at all of
the system boundaries are so poorly defined that no one could know what
they do.
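The resolvable-private-address mechanism the quoted spec text describes (a random prand, plus a hash of it keyed by the IRK exchanged at bonding), as an added Go example that is not part of this thread or of any Bluetooth stack; the IRK bytes are constructed for illustration and the hash follows the spec's ah() definition (AES-128 over a zero-padded block, low 24 bits kept).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// ah is the BLE random-address hash function: AES-128-encrypt a block whose
// low 24 bits hold prand (104 zero bits of padding in front) and keep the
// low 24 bits of the ciphertext.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	block, _ := aes.NewCipher(irk[:]) // a 16-byte key is always accepted
	var in, out [16]byte
	copy(in[13:], prand[:]) // most-significant octet first, as the spec lays out r'
	block.Encrypt(out[:], in[:])
	return [3]byte{out[13], out[14], out[15]}
}

// GenerateRPA builds a resolvable private address (shown most-significant
// octet first): a fresh 24-bit prand whose top two bits are 0b01, followed
// by ah(IRK, prand). Each new prand yields an address an observer cannot link.
func GenerateRPA(irk [16]byte) ([6]byte, error) {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		return [6]byte{}, err
	}
	prand[0] = (prand[0] & 0x3f) | 0x40 // type bits 0b01 mark an RPA
	h := ah(irk, prand)
	return [6]byte{prand[0], prand[1], prand[2], h[0], h[1], h[2]}, nil
}

// ResolveRPA is what a bonded peer does with the IRK it received during
// bonding: recompute the hash from the advertised prand and compare. Without
// the IRK there is nothing to recompute, so two RPAs cannot be tied together.
func ResolveRPA(irk [16]byte, addr [6]byte) bool {
	if addr[0]>>6 != 0x01 {
		return false // not a resolvable private address
	}
	h := ah(irk, [3]byte{addr[0], addr[1], addr[2]})
	return bytes.Equal(h[:], addr[3:])
}

func main() {
	irk := [16]byte{0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18, 0x29, 0x3a, 0x4b, 0x5c, 0x6d, 0x7e, 0x8f, 0x90} // constructed, not a real key
	addr, _ := GenerateRPA(irk) // fails only if the OS RNG is unavailable
	fmt.Printf("RPA %x resolves with our IRK: %v\n", addr, ResolveRPA(irk, addr))
}
```

Run it twice and the printed address changes each time while still resolving to true; that rotation is what the spec's "changing the Bluetooth device address on a frequent basis" buys, and only for devices that actually advertise with an RPA rather than their identity address.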