Category: Security

We often get asked if it’s possible to track smartphones using Bluetooth. For example, a retailer might want to know how long someone stays in their store and whether they visit again.

While iOS devices advertise Bluetooth continuity messages it’s not possible to track iOS devices using their Bluetooth MAC address because the address changes over time in order to defeat such tracking. However, as previously mentioned, Bluetooth MAC randomisation can be defeated. Android devices don’t usually advertise but some do if Covid tracking is on.

There’s a new paper by researchers at UC San Diego on Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices (PDF). It looks into Bluetooth physical-layer patterns to track a variety of device types.

A tool has been created to automate discovery of imperfections in signal modulation.

These imperfections are caused by manufacturing variations in the transmitter hardware.

Some, but not all, devices have unique fingerprints and can be tracked.

LimitedResults have published details of how they have been able to access what were previously presumed to be protected Nordic Semiconductor nRF52 devices. nRF52 devices are regularly used in beacons and other Bluetooth devices such as fitness trackers. This post summarises the vulnerability, looks LimitedResults claims, Nordic Semiconductor’s response and how that affects those using such devices.

Nordic nRF52 System on a Chip (SoC) devices are small Arm® Cortex™-M4 CPU computers running software. The software is flashed into the devices and authors usually apply what’s called APPROTECT to prevent the software from being read back and the debug port from being used for examining data. The software read back lock is to prevent the software being copied onto non-sanctioned devices or for decompilation to obtain algorithms that might be considered intellectual property (IP). Examining data via the debug port allows access to passwords or data that might be considered to be confidential.

LimitedResults have cleverly managed to disrupt the running of the SoC by removing some circuit capacitors and producing a very short pulse on the power line. This allows bypassing of the APPROTECT, subsequent use of the debug port to control code execution, extraction of the code and ultimately disabling the APPROTECT mechanism. LimitedResults say:

Due to its low-complexity, this attack on the nRF52840 can be reproduced on the field easily

Nordic Semiconductor responded today with an Informational Notice that describes the problem and concludes:

The nRF52-series of SoCs, like many standard microcontroller circuits, are not hardened against fault injection techniques

This puts the onus on companies using the nRF52 to only use it for non-critical uses where a security breach has negligible consequences OR to only use it where it’s known that physical access, required to perform such security breaches, is unlikely or impossible to occur.

What does this mean for users? This affects nRF52-based product owners in that binary code can’t now be considered safe from copying or examination. While this sounds concerning, anyone wishing to take advantage of the vulnerability needs a very high level of skill. Despite LimitedResults saying it can be “reproduced on the field easily”, the ‘easily’ part is contentious. Producing a power spike isn’t easy. Analysing extracted binary code and data also requires a high level of skill. We can’t think of any uses of the nRF52 where it would be worth the effort.

When it comes to the end users, there could be uses, particularly in healthcare, where a vulnerability might be a concern. For example, Nordic devices have been used in heart rate monitors. However, the vulnerability requires removal of components from the circuit board and physically attaching wires to the inside of such devices. With today’s surface mount based PCB designs, it’s difficult to do this in the lab let alone on a user’s device.

As with all security issues, you have to put possible attacks into perspective. The vulnerabilities are difficult to exploit and not worth the effort in most cases. The security of the nRF52 is suitable for the kind of data collection tasks for which it tends to be used.

It’s in security-critical areas such as healthcare and finance that such vulnerabilities need to be taken more seriously. As with some microcontrollers used in finance, extra physical (impossible to get to the circuit) and/or software (self-destruct) protections need to be put in place.

There’s an article at The Parallax on how the Tesla Model 3 constantly sends out iBeacon advertising. This allows the Android/iOS app to see the car and consequently unlock and start the car without a key. Martin Herfurt, a security expert for Austria, claims this is a security and privacy vulnerability.

Tesla’s response has been:

“BLE tracking is something we’ve discussed internally, and we revisited this discussion after receiving your report. However, our current assessment is that randomizing BLE identifiers would not result in significant privacy gains due to the ubiquity of automated license plate readers”

What Tesla is saying is that there are other ways to track cars so they believe it’s not a issue.

The security researcher can detect cars up to 50m away and said…

“… the range can be easily extended with a directional antenna, possibly to reach up to a mile away”

We would like to know how to ‘easily’ get such a directional antenna as, to our knowledge, no such thing exists. 50m range advertising is just that and can’t be extended significantly by changing the receiver antenna.

However, the Tesla Model 3 being an iBeacon raises the question whether this is a significant privacy concern. Indeed, anything or anyone advertising Bluetooth can turn into a privacy concern. In the article, connected-car security researcher Tim Brom says it can be a concern if you’re a high-value target of any kind or worried about a stalker.

Even when id’s or randomized or cycled, as in the case of Eddystone EID, the mere presence of Bluetooth advertising can reveal the presence of something that needs to be concealed. For example, Wired recently wrote Burglars Really Do Use Bluetooth Scanners to Find Laptops and Phones.

The learning is that you shouldn’t blindly implement Bluetooth without considering the security implications and providing mitigations. In the case of Tesla, they could have had an option for security conscious users to turn off Bluetooth and instead use a key.

There’s a Bluetooth security vulnerability story doing the rounds that, according to the security researchers:

…affects basically all devices that “speak Bluetooth”

This isn’t true. The vulnerability relates to Bluetooth BR/EDR, so called ‘Classic Bluetooth’, and not Bluetooth LE. It isn’t found in beacons or other devices communicating via Bluetooth LE. It also isn’t found in Bluetooth mesh.

Read about Beacons and the Bluetooth Mesh

We occasionally get asked about the specifics of Bluetooth LE security. This is usually when a project has security requirements or needs to formally document things such as cryptography schemes and vulnerabilities.

The U.S. Department of Commerce National Institute of Standards and Technology (NIST) has an informative Guide to Bluetooth Security (pdf) that provides information on the security features of Bluetooth, vulnerabilities, threats and extensive recommendations.

The following table provides an overview of Bluetooth LE compared ‘Classic’ Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) protocol:

Bluetooth LE 4.2 and later uses ECDH P-256 Elliptic Curve public key cryptography for protection against passive eavesdropping and man in the middle (MITM) during pairing.

While it’s good for projects to be aware of the underlying mechanisms and their limitations, we find that, in practice, security threats and weaknesses tend to be related more to how Bluetooth LE is used (by software) on a particular project rather than Bluetooth implementation itself.