Researchers at Context Information Security have demonstrated that it is very easy to monitor IoT devices that implement the Bluetooth Low Energy protocol.

Internet of Things are enlarging our surface of attack, it’s not a mystery, track us is becoming even more easy as demonstrated by a group of researchers at Context Information Security. The team has demonstrated how easy it is to monitor and record Bluetooth Low Energy signals transmitted by IoT devices, including mobile phones, wearable devices, and iBeacons. The protocol Bluetooth Low Energy (BLE) was released in 2010 and it is designed to implement a new generation of services for mobile applications. The protocol specifically addresses power consumption of new applications, trying to reduce the battery draining in a condition of constantly transmitting signals.

The Bluetooth Low Energy BLE is implemented by principal mobile OS, including iOS 5 and later, Windows Phone 8.1, Windows 8, Android 4.3 and later, and BlackBerry 10. iBeacons transmit BLE packets in order to identify the mobile location, many companies and organisations are already using or experimenting with iBeacons, for example Major League Baseball, Apple themselves, House of Fraser, Regent Street (the BBC have a video) and Waitrose. Among the devices analyzed, there are the popular iPhone and a number of the leading fitness trackers.

Among the devices analyzed there are the popular iPhone and a number of the leading fitness trackers.

The experts have also developed a proof of concept Android app, dubbed RaMBLE, for scanning, logging and mapping Bluetooth Low Energy devices such as iBeacons and fitness trackers.

t2

The concerns for security and privacy issues related to IoT devices have been widely discussed, recently People’s Liberation Army banned the use of wearable devices due to the possible presence of security bugs that could expose military secrets. The Chinese PLA issued a warning after a new recruit received a smartwatch as a gift from his girlfriend and tried to use the device to take a photo of his fellow soldiers.

“The moment a soldier puts on a device that can record high-definition audio and video, take photos, and process and transmit data, it’s very possible for him or her to be tracked or to reveal military secrets,” warned the report. “The use of wearables with Internet access, location information, and voice-calling functions should be considered a violation of national security regulations when used by military personnel,” reported the nbcnews.com.

Researchers at Context explained that fitness trackers and wearable devices broadcast data constantly and this information could be used to track people.

“These devices, in their normal operation, broadcast constantly. The range is supposed to be around 100m in an open area, but as mentioned in the above previous research (albeit for regular Bluetooth), and from what we’ve seen in surveying for devices, devices can be detected at a greater range due to anomalies affecting RF propagation such as ducting. As mentioned about, the random MAC addresses are still largely fixed.” states the blog post published by the company.

“Scanning for these broadcasts is easy either with cheap hardware or with a smartphone. This allows us to identify and locate particular devices, which for devices such as fitness trackers that are designed to be worn all the time, means that we can identify and locate a person, to within a limited range. There are clear implications to privacy, just as there are ways that this technology could be exploited for social engineering and crime.”

The experts explained that that despite the current version 4.2 of the Bluetooth Core Specification supports different authentication schemes, many devices they analyzed don’t implement them in order to increase battery life.

“Many BLE devices simply can’t support authentication and many of the products we have looked at don’t implement encryption, as this would significantly reduce battery life and increase the complexity of the application,” explained Lester.

“It is clear that Bluetooth Low Energy is a powerful technology, which is increasingly being put to a wide range of uses,” concludes Context’s Lester. “While the ability to detect and track devices may not present a serious risk in itself, it certainly has the potential to compromise privacy and could be part of a wider social engineering threat. It is also yet another demonstration of the lack of thought that goes into security when companies are in a rush to get new technology products to market.”

The Bluetooth Special Interest Group (SIG) predicted a rapid growth in the number of mobile devices that implement the Bluetooth Low Energy, by 2018, more than 90 percent of Bluetooth enabled mobile devices are expected to support BLE.

“It doesn’t take much imagination to think of a phone manufacturer providing handsets with an iBeacon application already installed, so your phone alerts you with sales notifications when you walk past certain shops,” concludes Lester.

Pierluigi Paganini