Bluetooth reveals security loopholes in smart tech

Signals transmitted by many mobile phones and leading fitness monitors via Bluetooth Low Energy can be easily recorded and monitored, new research has shown.

Researchers from cyber-security consultancy Context have developed an app that scans, detects and logs wearable devices in an attempt to show how easy it is to track signals transmitted by gadgets.

“Many people wearing fitness devices don’t realise that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” said Scott Lester, a senior researcher at Context.  

“Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device – that may belong to a celebrity, politician or senior business executive – within 100 metres in the open air.

“This information could be used for social engineering as part of a planned cyber-attack or for physical crime by knowing peoples’ movements.”

Bluetooth Low Energy (BLE) was introduced in 2010 for new apps that relied on transmitting signals, but without draining the battery. Like other network protocols it relies on identifying devices by their MAC address, but researchers found that in most cases these don’t change.  

“My own fitness tracker has had the same MAC address since we started the investigation, even though it’s completely run out of battery once,” said Lester.

Sometimes the transmitted packets also contain the device name, which may be unique, such as the ‘Garmin Vivosmart #12345678’, or even give the name of the user, such as ‘Scott’s Watch’.
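The two identifiers the article describes, a fixed MAC address and a human-readable device name, both sit in the advertising packets a BLE device sends. The following Python is an added example (not from the article, and not Context's app) that audits a captured advertisement from one of your own devices: it parses the public advertising-data format from the Bluetooth Core Specification (a chain of length/type/value "AD structures"), pulls out any Complete or Shortened Local Name, and classifies the advertiser address. The two most significant bits of a random address tell you whether it is a static random address (fixed, so correlatable across sightings) or a resolvable/non-resolvable private address (the privacy feature that rotates the address). The sample addresses and payloads are constructed for the example; the `is_random` argument stands in for the TxAdd bit of the advertising PDU header, which a real scanner reports alongside the address.

```python
"""Privacy audit of a BLE advertisement (added example, constructed data)."""

# AD type codes from the Bluetooth Assigned Numbers (public spec values)
AD_FLAGS = 0x01
AD_SHORT_NAME = 0x08
AD_COMPLETE_NAME = 0x09
AD_MANUFACTURER = 0xFF


def parse_ad_structures(payload: bytes) -> dict:
    """Split an advertising payload into {ad_type: value_bytes}.

    Each AD structure is: 1 byte length (covering type + value), 1 byte type,
    then the value. A zero length means padding; a length running past the
    end of the payload is a malformed/truncated structure and stops parsing.
    """
    result = {}
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            break  # truncated structure: ignore the remainder rather than crash
        ad_type = payload[i + 1]
        result[ad_type] = bytes(payload[i + 2 : i + 1 + length])
        i += 1 + length
    return result


def classify_address(addr: str, is_random: bool) -> str:
    """Classify a BLE device address as fixed (trackable) or rotating.

    `is_random` mirrors the TxAdd bit of the advertising PDU header. For random
    addresses the top two bits of the most significant byte select the subtype.
    """
    if not is_random:
        return "public (fixed, trackable)"
    msb = int(addr.split(":")[0], 16)
    top = msb >> 6
    if top == 0b11:
        return "static random (fixed, trackable)"
    if top == 0b01:
        return "resolvable private (rotates; only the paired peer can resolve it)"
    if top == 0b00:
        return "non-resolvable private (rotates)"
    return "reserved"


def audit_advertisement(addr: str, is_random: bool, payload: bytes) -> dict:
    """Report the identifying information one advertisement gives away."""
    ads = parse_ad_structures(payload)
    raw_name = ads.get(AD_COMPLETE_NAME) or ads.get(AD_SHORT_NAME)
    name = raw_name.decode("utf-8", "replace") if raw_name else None
    addr_class = classify_address(addr, is_random)
    findings = []
    if "trackable" in addr_class:
        findings.append("fixed address: sightings can be correlated to one device")
    if name:
        findings.append(f"broadcasts device name {name!r}")
    if AD_MANUFACTURER in ads:
        findings.append("manufacturer-specific data present (may carry a device id)")
    return {"address_class": addr_class, "name": name, "findings": findings}


# Constructed samples (not captured from real devices).
# A fitness tracker with a public address and a complete local name.
SAMPLE_TRACKER = {
    "addr": "00:11:22:33:44:55",
    "is_random": False,
    "payload": bytes([0x02, AD_FLAGS, 0x06])
    + bytes([1 + len(b"Scott's Watch"), AD_COMPLETE_NAME])
    + b"Scott's Watch",
}
# A phone using a resolvable private address (0x5E -> top bits 01) and no name.
SAMPLE_PHONE = {
    "addr": "5E:12:34:56:78:9A",
    "is_random": True,
    "payload": bytes([0x02, AD_FLAGS, 0x06]),
}

if __name__ == "__main__":
    for label, sample in (("tracker", SAMPLE_TRACKER), ("phone", SAMPLE_PHONE)):
        report = audit_advertisement(**sample)
        print(label, report["address_class"], report["name"], report["findings"])
```

Run against your own device's advertisements, an empty `findings` list means the device neither exposes a name nor a fixed address; a fixed address is the condition the article's researchers relied on, and rotating to a resolvable private address is the protocol's own mitigation for it.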

BLE is also gaining ground in mobile phones and is supported by iOS5 and later, Windows Phone 8.1, Windows 8, Android 4.3 and later, as well as the BlackBerry 10.

“By 2018, more than 90 percent of Bluetooth-enabled smartphones are expected to be Smart Ready devices,” said Bluetooth SIG, meaning they will support BLE.

iBeacons, which also transmit BLE packets in order to identify a location, are already used in Apple Stores to tailor notifications to visiting customers, while BA and Virgin use iBeacons with their boarding pass apps to welcome passengers walking into the lounge with the Wi-Fi password.

House of Fraser is also trialling iBeacons on mannequins to allow customers to look at the clothes and their prices on their phones.

The current model for iBeacons is that they should be non-invasive; you have to already be running the application for it to detect and respond to a beacon.

The Context researchers have concerns: “It doesn’t take much imagination to think of a phone manufacturer providing handsets with an iBeacon application already installed, so your phone alerts you with sales notifications when you walk past certain shops,” said Lester.

The latest version of Bluetooth makes it possible for BLE to implement public key encryption and keep packet sizes down, while also supporting different authentication schemes, but it’s often overlooked by manufacturers.

“Many BLE devices simply can’t support authentication and many of the products we have looked at don’t implement encryption, as this would significantly reduce battery life and increase the complexity of the application,” said Lester.

“It is clear that BLE is a powerful technology, which is increasingly being put to a wide range of uses.

“While the ability to detect and track devices may not present a serious risk in itself, it certainly has the potential to compromise privacy and could be part of a wider social engineering threat.

“It is also yet another demonstration of the lack of thought that goes into security when companies are in a rush to get new technology products to market.”

Last week, soldiers in China’s army were banned from wearing smartwatches and other wearable technology for fear the devices could transmit sensitive data. The findings showed that such concerns over cyber-security loopholes may be justified.

Martin Woolley, Technical Program Manager at Bluetooth SIG, said that what is often overlooked is that there is always a trade-off between absolute security and a reasonable level of security considering the data that is being transferred.

“Companies are aware that they need to consider the full spectrum of available measures against their product’s security requirements,” he said.

“For example the security needs of a smart bulb manufacturer would differ to those of a smart lock manufacturer. What is certain is that Bluetooth offers a wide range of security options, including government-grade encryption providing the means for very high levels of security. Manufacturers will continue to make decisions based on their customers’ needs and demands for a particular implementation.”
