July 14th, 2024

Firmware Update Hides a Device's Bluetooth Fingerprint

Researchers at UC San Diego created a firmware update to conceal Bluetooth fingerprints, hindering device tracking. The update, presented at a security conference, reduces tracking accuracy, requiring prolonged observation for identification. Industry collaboration is sought.

Read original articleLink Icon
Firmware Update Hides a Device's Bluetooth Fingerprint

A team of researchers at the University of California San Diego has developed a firmware update to hide a device's Bluetooth fingerprint, addressing a vulnerability discovered in 2022. The update aims to prevent tracking of devices through their unique Bluetooth signals, which are constantly emitted by mobile devices. By implementing multiple layers of randomization, the update makes it challenging for attackers to infer a device's identity based on its Bluetooth fingerprint. The method was presented at the 2024 IEEE Security & Privacy conference and has been tested on smart devices like fitness trackers. The update significantly reduces the accuracy of tracking a device, requiring continuous observation for over 10 days to achieve the same level of accuracy as before. The researchers are now seeking industry partners to incorporate this technology into Bluetooth chipsets, with potential applications to obfuscate WiFi fingerprints as well.

Related

Vulnerability in Popular PC and Server Firmware

Vulnerability in Popular PC and Server Firmware

Eclypsium found a critical vulnerability (CVE-2024-0762) in Intel Core processors' Phoenix SecureCore UEFI firmware, potentially enabling privilege escalation and persistent attacks. Lenovo issued BIOS updates, emphasizing the significance of supply chain security.

Google's "Find My Device" automatically opts-in; opt-out link does not work

Google's "Find My Device" automatically opts-in; opt-out link does not work

To opt out of the "Find My Device" feature on Android, users can disable it in settings under Security. This enhances privacy and prevents remote tracking, empowering users with control over their device settings.

Apple admits its AirPods had a security problem

Apple admits its AirPods had a security problem

Apple addressed security vulnerabilities in AirPods and Beats Fit Pro headphones, preventing hackers from pairing devices with the wrong source. The company released updates to enhance customer protection, emphasizing privacy. Apple prioritizes privacy in its products, like Apple Intelligence, and declined AI collaborations with Meta over privacy concerns.

AirPods fast connect security vulnerability

AirPods fast connect security vulnerability

A security flaw (CVE-2024-27867) in Apple AirPods firmware allows unauthorized access via Bluetooth MAC address. Firmware updates released for affected models. Users with non-Apple devices may encounter difficulties updating.

Reverse Engineering a Smartwatch

Reverse Engineering a Smartwatch

Benjamen Lim reverse engineered a smartwatch with geolocating capabilities, repurposing it by reprogramming the firmware through exposed programming pins. The project showcased the value of salvaging electronic devices efficiently.

Link Icon 7 comments
By @schobi - 5 months
The article is indeed hard to understand on its own.

From the linked 2022 paper: BLE sends beacons hundred times per minute, even from phones. For privacy reasons the Mac addresses are randomized. The attacker can further analyze the beacons for imperfections in the rf signal and get a fingerprint for devices from frequency offsets/drift/iq imbalance.

Haven't seen the new paper, but the article suggests the a firmware change can even reduce this attack vector. I guess that introducing further randomization in chipset parameters for each beacon can make this kind of tracking harder still. I doubt that this hides all aspects of fingerprinting and settings stepsizes would still be observable, just harder to track. "Randomization pattern F is this manufacturer gen 2025 devices"

My take on this: most of the day, I would not need any beacons at all - maybe there is an intelligent limit on avoiding them? Configurable? Only when unlocked? Only when in motion? Sometimes sending half the beacons would double the time needed for tracking already. Again, this would boil down to "a firmware update could improve privacy"

By @barbegal - 5 months
I think they have linked to the wrong paper. This paper https://cseweb.ucsd.edu/~schulman/docs/oakland24-phyobfuscat... more closely matches the article and it explains that the obfuscation is possible due to the TI CC2640 having a variable frequency synthesiser which has 16 bits of resolution. It's a clever technique but I'm not sure it is easily implemented on other chipsets. And this is only valid against one fingerprinting methodology: carrier frequency offset (CFO), there are other fingerprinting techniques which are more difficult to defend against.
By @transpute - 5 months
Wi-Fi radios can be similarly identified, "Wi-Fi device identification based on multi-domain physical layer fingerprint" (2023), https://www.sciencedirect.com/science/article/abs/pii/S01403...

> A possible solution for authenticating IoT devices with limited computing resources when accessing wireless networks is to extract a unique and unclonable identifier of the device.. The effectiveness of the physical layer fingerprint lies in the subtle random differences that occur during the manufacturing process of the device.. The accuracy of Wi-Fi device identification based on physical layer fingerprint features.. can reach 98% for 15 different types of IoT Wi-Fi devices, and 90.76% for 10 network cards, having smaller differences in manufacturing, with the same type of chips.

Of course, if Auto-Join is enabled, the client device broadcasts the Wi-Fi access points it has previously joined, which can be informative without an SDR.

By @jtrueb - 5 months
> “This defense can be rolled out incrementally, requiring only software modification on at least one widely-used Bluetooth Low Energy chipset,” said Hadi Givehchian, the paper’s first author and a Ph.D. student in the UC San Diego Department of Computer Science and Engineering. “But in order to deploy this defense widely, we need to partner with Bluetooth chip manufacturers.”

Essentially, this is useless. It doesn’t apply to most chipsets and would require changing the firmware on existing beacon hardware. The chip manufacturers would have put this in the hardware if they wanted it.

By @IshKebab - 5 months
This is a very confusing article. Surely it's the beacons that transmit beacons, not phones? And what is the signature based on? What is the fix? Terrible reporting.

In any case I doubt this has much practical impact given you presumably need an SDR to do this tracking.

By @motohagiography - 5 months
it appears from the article this method of detection is viable until chipset mfgs adopt the randomization technique.
By @ChrisMarshallNY - 5 months
Apple has been obfuscating the bluetooth MAC for a while.