Smartphones Tracked Through Bluetooth Signals

Secure your business with CyberHoot Today!!!

Sign Up Now

A group of engineers at the University of California San Diego has shown for the first time that the Bluetooth signals emitted by our smartphones have a unique fingerprint that can be used to track an individual’s movements. The research suggests that minor manufacturing imperfections in hardware are unique to each device, and cause measurable distortions which can be used as a “fingerprint to track a specific device”.

If you’ve ever watched Mr. Robot, you would have seen this in Season 4, where someone’s exact location in Grand Central Station was tracked through a Bluetooth-enabled security access card. It appears that this is actually possible (not just in a fictional TV show). Researchers had a discussion in 2019, and theorized it might be possible to track a user’s location with the right tools. Now, that theory has been confirmed by University of California San Diego engineers. 

How Does It Work?

To perform a fingerprinting attack, the hacker must be equipped with a ‘Software Defined Radio sniffer‘, a radio receiver capable of recording raw IQ radio signals. Devices such as smartwatches, fitness trackers, and smartphones transmit a signal called Bluetooth beacons with an average rate of 500 beacons per minute. These constantly transmitting signals enable functionality such as ‘lost device tracking’ and location-based applications such as geofencing. 

Researchers found that in these beacons emitted by Bluetooth-enabled devices, they show details including a device’s MAC Address, which every network-connected device has as its identifying feature. Hackers with the ‘Sniffers’ to track these beacons can gather someone’s MAC Address and track them indefinitely, as long as they’re within range of a targeting radio-based software sniffer.

Additional work may be necessary by a hacker to weed out a target’s MAC address captured in a populated area where dozens to hundreds of MAC address signals may be competing, to an individual person of interest.

What Does This Mean For Me or My Company?

This means that everyone should be turning off their Bluetooth and Wi-Fi whenever they are not using them. Having your device put out hundreds of Bluetooth beacons every minute, or having your device automatically connect to unprotected Wi-Fi can put you and your company at risk.

It’s best to turn off these settings when they’re not in use. On an iPhone, you can do this in the ‘pull down’ menu from the top-right corner of your screen. Here you can turn on airplane mode, adjust brightness, or just ‘turn off’ Bluetooth and/or Wi-Fi. Clicking off Bluetooth or Wi-Fi from this area of your phone only disables these features for a period of time, not indefinitely. Within 8 hours to a day, they may enable themselves once again.

For iPhone Users

• Go to Settings > Bluetooth, and toggle Bluetooth off.
• Go to Settings > Wi-Fi, and toggle Wi-Fi off.

For Android Users

• Go to Settings > Connected Devices > Connection Preferences > Bluetooth > Toggle Bluetooth off.
• Go to Settings > Click Network & internet > Tap the toggle switch beside Wi-Fi to turn it off.

In addition to these recommendations, CyberHoot recommends the following minimum essential actions to protect yourself and your company from breaches or exploitation. 

CyberHoot’s Minimum Essential Cybersecurity Recommendations

The following recommendations will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.

1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
3. Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, and deploy DNS protection, antivirus, and anti-malware on all your endpoints.
5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections) or prohibiting their use entirely.
6. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

Each of these recommendations, except cyber-insurance, is built into CyberHoot’s product and virtual Chief Information Security Officer services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.

Sources:

Threatpost

UCSD Research

Additional Readings:

A Roundtable of Hackers Dissects ‘Mr. Robot’

Apple Airtag Attack

Bettercap WiFi and Bluetooth Sniffer Tool Overview: