Newly discovered Bluetooth exploit tracks iOS, macOS devices

Researchers have identified a flaw in the Bluetooth communication protocol that may expose iOS, macOS, and Microsoft users to device tracking.

The vulnerability could be used to spy on users, regardless of OS protections that are in place. Currently, it is thought that this flaw affects devices with Windows 10, macOS, and iOS. Devices affected could be iPhones, iPads, MacBooks and iMacs, Apple Watches, and any Microsoft laptop or tablet. This news has come months after the news of the "Torpedo" location detection exploit.

According to ZDNet, David Starobinski and Johannes Becker, two researchers from Boston University, presented the results of their research at the 19th Privacy Enhancing Technologies Symposium in Stockholm, Sweden.

Their research shows that many Bluetooth devices use randomized MAC addresses when advertising their presence to prevent long-term tracking, but that it's possible to circumvent the randomization of these addresses, allowing a specific device to be permanently monitored.

Identifying tokens are issued alongside MAC addresses and an algorithm developed by Boston University — called an address-carryover algorithm — is able to exploit the address. According to the research paper, "The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic."

During their experiments, researchers tested Apple and Microsoft devices, analyzing BLE advertising channels and events within standard Bluetooth proximities. Over a period of time, advertising log files were passively collected, and from the data researchers were able to find device ID tokens.

"We identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range," the paper reads.

The identities can then be incorporated into an algorithm to track devices.
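The reason randomization can be bypassed, per the research paper, is that the identifying token and the advertising address do not change at the same moment, so one of the two always carries over to link the old identity to the new one. The following is an added example, not code from the paper or from this article: a linkability check over two constructed advertising logs, one rotating the values out of sync and one rotating them together. The tuple layout, the sample values and the function names are assumptions made for illustration.

```python
# Constructed advertising logs: (seconds, advertising address, identifying token).
# All values are made up for illustration; no real payload format is parsed.
UNSYNCHRONIZED = [
    (0,    "5c:11:00:00:00:01", "t-9f2a"),
    (300,  "5c:11:00:00:00:01", "t-41c7"),  # token rotates, address stays
    (600,  "7e:22:00:00:00:02", "t-41c7"),  # address rotates, token carries over
    (900,  "7e:22:00:00:00:02", "t-b803"),
    (1200, "63:33:00:00:00:03", "t-b803"),
]
SYNCHRONIZED = [
    (0,    "4d:aa:00:00:00:01", "u-1111"),
    (300,  "4d:aa:00:00:00:01", "u-1111"),
    (600,  "6b:bb:00:00:00:02", "u-2222"),  # address and token rotate together
    (900,  "6b:bb:00:00:00:02", "u-2222"),
    (1200, "59:cc:00:00:00:03", "u-3333"),
]


def linkable_chains(events):
    """Return, per linked identity, the ordered list of addresses it used.

    An event joins an existing chain when it repeats that chain's most recent
    address or most recent token; otherwise it starts a new chain.
    """
    chains = []
    for _, addr, token in sorted(events):
        for chain in chains:
            if addr == chain["addr"] or token == chain["token"]:
                if addr != chain["addr"]:
                    chain["addrs"].append(addr)
                chain["addr"], chain["token"] = addr, token
                break
        else:
            chains.append({"addr": addr, "token": token, "addrs": [addr]})
    return [c["addrs"] for c in chains]


def bridged_rotations(events):
    """Chains spanning more than one address: randomization failed to unlink them."""
    return [addrs for addrs in linkable_chains(events) if len(addrs) > 1]


if __name__ == "__main__":
    print("unsynchronized:", bridged_rotations(UNSYNCHRONIZED))
    print("synchronized:  ", bridged_rotations(SYNCHRONIZED))
```

A platform that changes both values in the same advertising event leaves nothing to carry over, which is the property a fix has to guarantee.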

While iOS, macOS, and Windows 10 systems are affected, Android operating systems appear immune due to differences in handling identifying tokens.

Exploits have caused trouble for Apple in the past, including the now-fixed FaceTime exploit that allowed callers to hear someone's audio before they answered the call. Continued pressure from lawmakers will likely have Apple and Microsoft searching for a fix.



26 Comments

gatorguy 13 Years · 24628 comments

"While iOS, macOS, and Windows 10 systems are affected, Android operating systems appear immune due to differences in handling BLE advertising."

Well that's a thread killer. I doubt very many here will acknowledge even reading this article by commenting on it if Android is safe from the exploit but some Apple OSes aren't.

macplusplus 9 Years · 2116 comments

What a big discovery!

"We identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range," the paper reads.

Those custom data structures will be modified or removed in the next system update then the “research” will become irrelevant.

What is the range of Bluetooth LE? 9 meters or so? The victim’s location must be bugged to collect those continuous traffic logs. And the collecting van must park as close to the victim’s location as possible during that loooong collection task...

space2001 10 Years · 44 comments

What a big discovery!

"We identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range," the paper reads.

Those custom data structures will be modified or removed in the next system update then the “research” will become irrelevant.

What is the range of Bluetooth LE? 9 meters or so? The victim’s location must be bugged to collect those continuous traffic logs. And the collecting van must park as close to the victim’s location as possible during that loooong collection task...

Hmmm, perhaps one of those new-fangled smart bulbs could have its firmware hacked/modified to collect a log of nearby Bluetooth traffic... it would be hiding in plain sight. Substitute any other smart device of your choice - lock, switch, thermostat, fan,...

gatorguy 13 Years · 24628 comments

What a big discovery!

"We identified that devices running Windows 10, iOS or macOS regularly transmit advertising events containing custom data structures which are used to enable certain platform-specific interaction with other devices within BLE range," the paper reads.

Those custom data structures will be modified or removed in the next system update then the “research” will become irrelevant.

What is the range of Bluetooth LE? 9 meters or so? The victim’s location must be bugged to collect those continuous traffic logs. And the collecting van must park as close to the victim’s location as possible during that loooong collection task...

Another thing to be aware of when sitting at the coffee shop working with your iPhone, iPad, or laptop?

Last I knew Apple's default setting is to leave Bluetooth on, I suppose to allow interaction with beacons. At least at one point Apple devices, under certain conditions, would turn it back on even after the user had disabled it. Might be worth checking before using your device in a public setting.

@macplusplus, congrats on willingness to comment. Respect...

normang 17 Years · 118 comments

Bluetooth is on by default probably because millions of users connect headphones and Apple Watches to their devices, as well as other electronics too long to be listed. Somehow this does not seem like a big issue and will now be fixed in some fashion in iOS 13 and perhaps even in 12.4.