Smartphone identification technique based on Bluetooth beacon broadcasts

A group of researchers from the University of California at San Diego has developed a technique for identifying mobile devices by the beacon signals they transmit over Bluetooth Low Energy (BLE), using passive Bluetooth receivers to detect when new devices appear within range.

Depending on the implementation, beacons are sent roughly 500 times per minute and, as intended by the standard's authors, are fully anonymised and cannot be tied to a user. In practice the situation turned out differently: the transmitted signal is distorted by imperfections that arise during the manufacture of each individual device. These distortions, which for many devices are unique and constant, can be measured with ordinary software-defined radio (SDR) receivers. The total hardware cost of an attack is estimated at about $200.


In practice, the identified characteristic makes it possible to recognise a device regardless of protections against identification such as MAC address randomization. Example code for extracting unique fingerprints from an intercepted signal has been published on GitHub. For the iPhone, the range sufficient for identification was 7 meters, with a COVID-19 contact-tracing application active. Android devices have to be approached more closely to be identified.

To confirm that the method works in practice in public places such as cafes, several experiments were conducted. In the first, 162 devices were analysed and unique identifiers were obtained for 40% of them. In the second, 647 mobile devices were studied and unique identifiers were obtained for 47%. Finally, the generated identifiers were shown to be usable for tracking the movements of volunteers who agreed to take part in the experiment.

The researchers also noted several issues that complicate identification. For example, the parameters of the beacon signal are affected by temperature changes, and the range at which the fingerprint can be captured depends on the Bluetooth transmit power, which some devices vary. To block the identification method, it is proposed to filter the signal at the firmware level of the Bluetooth chip or to use dedicated hardware protection. Turning Bluetooth off is not always enough, since some devices (for example, Apple smartphones) continue to send beacon signals even with Bluetooth switched off, and the device has to be powered down completely to stop them.
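The two points the article makes, that MAC randomization does not hide a constant per-chip distortion and that dithering the signal at the firmware level does, can be illustrated with a small simulation. The following is an added example written for this page; it is not the researchers' code and not the GitHub code the article mentions. It reduces the physical-layer distortion to a single constructed scalar per device, builds a constructed crowd of devices, and models the receiver as simple binning of that scalar; all names, thresholds and parameters are assumptions.

```python
import random
from collections import defaultdict


def observe_beacons(devices, bursts, noise_source, mac_seed=0):
    """Simulate a passive receiver collecting BLE beacons (constructed model).

    devices:      {true_id: impairment}; impairment is a constructed scalar that
                  stands in for the fixed per-chip distortion of the signal
    bursts:       beacon bursts per device; the MAC is re-randomized every burst
    noise_source: callable returning an additive error per received beacon
                  (receiver noise, temperature drift, or deliberate dithering)
    Returns a list of (random_mac, measured_value, true_id). true_id is ground
    truth kept only for scoring; the receiver never sees it.
    """
    mac_rng = random.Random(mac_seed)
    observations = []
    for true_id, impairment in devices.items():
        for _ in range(bursts):
            mac = "%012x" % mac_rng.getrandbits(48)  # fresh randomized address
            observations.append((mac, impairment + noise_source(), true_id))
    return observations


def link_by_fingerprint(observations, bin_width):
    """Group beacons by quantized physical-layer measurement, ignoring the MAC."""
    groups = defaultdict(list)
    for mac, value, true_id in observations:
        groups[round(value / bin_width)].append((mac, true_id))
    return groups


def uniquely_identified(observations, bin_width):
    """Devices whose beacons all land in one bin that no other device shares."""
    bins_of = defaultdict(set)     # true_id -> bins it was seen in
    devices_in = defaultdict(set)  # bin -> true_ids seen there
    for b, members in link_by_fingerprint(observations, bin_width).items():
        for _mac, true_id in members:
            bins_of[true_id].add(b)
            devices_in[b].add(true_id)
    return {tid for tid, bins in bins_of.items()
            if len(bins) == 1 and len(devices_in[next(iter(bins))]) == 1}


def uniqueness_rate(devices, bursts, noise_source, bin_width):
    """Fraction of devices the bin-based receiver can single out."""
    obs = observe_beacons(devices, bursts, noise_source)
    return len(uniquely_identified(obs, bin_width)) / len(devices)


if __name__ == "__main__":
    rng = random.Random(42)
    # Constructed crowd: 200 devices with fixed impairments in arbitrary units.
    crowd = {i: rng.uniform(-50.0, 50.0) for i in range(200)}
    receiver_noise = lambda: rng.gauss(0.0, 0.05)
    print("no countermeasure:", uniqueness_rate(crowd, 5, receiver_noise, 0.25))
    # Firmware-side dithering: the chip adds a per-packet random offset much
    # larger than the bin width, so the fixed impairment no longer links bursts.
    dithered = lambda: rng.gauss(0.0, 0.05) + rng.uniform(-5.0, 5.0)
    print("with dithering:   ", uniqueness_rate(crowd, 5, dithered, 0.25))
```

Running the script prints the share of the constructed crowd that the receiver can single out with and without the dithering countermeasure; the `noise_source` hook is also where the temperature drift the article mentions would enter, which is why a real fingerprint needs a tolerance wider than the receiver's own noise.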

/Media reports.