July 14th, 2024

Firmware Update Hides a Device's Bluetooth Fingerprint

Researchers at UC San Diego created a firmware update to conceal Bluetooth fingerprints, hindering device tracking. The update, presented at a security conference, reduces tracking accuracy, requiring prolonged observation for identification. Industry collaboration is sought.

A team of researchers at the University of California San Diego has developed a firmware update to hide a device's Bluetooth fingerprint, addressing a vulnerability discovered in 2022. The update aims to prevent tracking of devices through their unique Bluetooth signals, which are constantly emitted by mobile devices. By implementing multiple layers of randomization, the update makes it challenging for attackers to infer a device's identity based on its Bluetooth fingerprint. The method was presented at the 2024 IEEE Security & Privacy conference and has been tested on smart devices like fitness trackers. The update significantly reduces the accuracy of tracking a device, requiring continuous observation for over 10 days to achieve the same level of accuracy as before. The researchers are now seeking industry partners to incorporate this technology into Bluetooth chipsets, with potential applications to obfuscate WiFi fingerprints as well.

Related

Vulnerability in Popular PC and Server Firmware

Eclypsium found a critical vulnerability (CVE-2024-0762) in Intel Core processors' Phoenix SecureCore UEFI firmware, potentially enabling privilege escalation and persistent attacks. Lenovo issued BIOS updates, emphasizing the significance of supply chain security.

Google's "Find My Device" automatically opts-in; opt-out link does not work

To opt out of the "Find My Device" feature on Android, users can disable it in settings under Security. This enhances privacy and prevents remote tracking, empowering users with control over their device settings.

Apple admits its AirPods had a security problem

Apple addressed security vulnerabilities in AirPods and Beats Fit Pro headphones, preventing hackers from pairing devices with the wrong source. The company released updates to enhance customer protection, emphasizing privacy. Apple prioritizes privacy in its products, like Apple Intelligence, and declined AI collaborations with Meta over privacy concerns.

AirPods fast connect security vulnerability

A security flaw (CVE-2024-27867) in Apple AirPods firmware allows unauthorized access via Bluetooth MAC address. Firmware updates released for affected models. Users with non-Apple devices may encounter difficulties updating.

Reverse Engineering a Smartwatch

Benjamen Lim reverse engineered a smartwatch with geolocating capabilities, repurposing it by reprogramming the firmware through exposed programming pins. The project showcased the value of salvaging electronic devices efficiently.

7 comments
By @schobi - 3 months
The article is indeed hard to understand on its own.

From the linked 2022 paper: BLE sends beacons hundreds of times per minute, even from phones. For privacy reasons the MAC addresses are randomized. The attacker can further analyze the beacons for imperfections in the RF signal and get a fingerprint for devices from frequency offsets/drift/IQ imbalance.

Haven't seen the new paper, but the article suggests that a firmware change can even reduce this attack vector. I guess that introducing further randomization in chipset parameters for each beacon can make this kind of tracking harder still. I doubt that this hides all aspects of fingerprinting, and setting step sizes would still be observable, just harder to track. "Randomization pattern F is this manufacturer's gen 2025 devices"

My take on this: most of the day, I would not need any beacons at all - maybe there is an intelligent limit on avoiding them? Configurable? Only when unlocked? Only when in motion? Sometimes sending half the beacons would double the time needed for tracking already. Again, this would boil down to "a firmware update could improve privacy".

By @barbegal - 3 months
I think they have linked to the wrong paper. This paper https://cseweb.ucsd.edu/~schulman/docs/oakland24-phyobfuscat... more closely matches the article, and it explains that the obfuscation is possible due to the TI CC2640 having a variable frequency synthesiser which has 16 bits of resolution. It's a clever technique, but I'm not sure it is easily implemented on other chipsets. And this is only valid against one fingerprinting methodology, carrier frequency offset (CFO); there are other fingerprinting techniques which are more difficult to defend against.

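
A toy simulation, added here as an illustration and not taken from any commenter or from the UCSD paper, of the CFO fingerprinting that @schobi describes and the per-beacon CFO randomization that @barbegal describes. All parameters (device spacing, estimator noise, the 50 kHz randomization range) are constructed; the point it shows is that averaging many beacons shrinks the randomization back down, which is why the defense buys observation time rather than making a device unidentifiable.

```python
"""Toy model of carrier frequency offset (CFO) fingerprinting and of per-beacon
CFO randomization as a defense. Constructed parameters; not the UCSD scheme."""
import random

DEVICE_SPACING_HZ = 4_000     # constructed gap between device fingerprints
ESTIMATOR_NOISE_HZ = 500      # constructed std dev of the receiver's CFO estimate


def make_fingerprints(n_devices, seed=1):
    """Each device gets a fixed CFO from crystal tolerance (constructed values,
    spaced so that the attacker's job is easy without the defense)."""
    rng = random.Random(seed)
    return [(i - n_devices / 2) * DEVICE_SPACING_HZ + rng.uniform(-500, 500)
            for i in range(n_devices)]


def measured_cfo(true_cfo, n_beacons, randomize_hz, rng):
    """Attacker averages its CFO estimate over n_beacons. With the defense on,
    the device shifts its synthesiser by a fresh uniform offset for each beacon."""
    total = 0.0
    for _ in range(n_beacons):
        offset = rng.uniform(-randomize_hz, randomize_hz) if randomize_hz else 0.0
        total += true_cfo + offset + rng.gauss(0.0, ESTIMATOR_NOISE_HZ)
    return total / n_beacons


def identify(measurement, fingerprints):
    """Nearest-fingerprint classifier over the attacker's database."""
    return min(range(len(fingerprints)),
               key=lambda i: abs(fingerprints[i] - measurement))


def tracking_accuracy(n_devices=20, n_beacons=10, randomize_hz=0.0,
                      trials=100, seed=2):
    """Fraction of trials in which the attacker re-identifies the right device.
    Averaging N randomized beacons leaves a residual spread of about
    randomize_hz / sqrt(3 N), so accuracy recovers as N grows."""
    rng = random.Random(seed)
    fps = make_fingerprints(n_devices)
    hits = 0
    for t in range(trials):
        target = t % n_devices
        est = measured_cfo(fps[target], n_beacons, randomize_hz, rng)
        hits += identify(est, fps) == target
    return hits / trials


if __name__ == "__main__":
    for beacons in (10, 10_000):
        plain = tracking_accuracy(n_beacons=beacons)
        defended = tracking_accuracy(n_beacons=beacons, randomize_hz=50_000)
        print(f"{beacons:>6} beacons: no defense {plain:.2f}, randomized {defended:.2f}")
```

With 10 beacons the randomized device is nearly indistinguishable from its neighbours, while with 10,000 beacons the offsets average out and re-identification works again; the real paper's "10 days" figure is the same effect with real-world parameters.
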
By @transpute - 3 months
Wi-Fi radios can be similarly identified, "Wi-Fi device identification based on multi-domain physical layer fingerprint" (2023), https://www.sciencedirect.com/science/article/abs/pii/S01403...

> A possible solution for authenticating IoT devices with limited computing resources when accessing wireless networks is to extract a unique and unclonable identifier of the device.. The effectiveness of the physical layer fingerprint lies in the subtle random differences that occur during the manufacturing process of the device.. The accuracy of Wi-Fi device identification based on physical layer fingerprint features.. can reach 98% for 15 different types of IoT Wi-Fi devices, and 90.76% for 10 network cards, having smaller differences in manufacturing, with the same type of chips.

Of course, if Auto-Join is enabled, the client device broadcasts the Wi-Fi access points it has previously joined, which can be informative without an SDR.

By @jtrueb - 3 months
> “This defense can be rolled out incrementally, requiring only software modification on at least one widely-used Bluetooth Low Energy chipset,” said Hadi Givehchian, the paper’s first author and a Ph.D. student in the UC San Diego Department of Computer Science and Engineering. “But in order to deploy this defense widely, we need to partner with Bluetooth chip manufacturers.”

Essentially, this is useless. It doesn’t apply to most chipsets and would require changing the firmware on existing beacon hardware. The chip manufacturers would have put this in the hardware if they wanted it.

By @IshKebab - 3 months
This is a very confusing article. Surely it's the beacons that transmit beacons, not phones? And what is the signature based on? What is the fix? Terrible reporting.

In any case I doubt this has much practical impact given you presumably need an SDR to do this tracking.

By @motohagiography - 3 months
It appears from the article that this method of detection is viable until chipset manufacturers adopt the randomization technique.

By @ChrisMarshallNY - 3 months
Apple has been obfuscating the Bluetooth MAC for a while.