Tracking People via Bluetooth on Their Phones

We’ve always known that phones—and the people carrying them—can be uniquely identified from their Bluetooth signatures, and that we need security techniques to prevent that. This new research shows that that’s not enough.

Computer scientists at the University of California San Diego proved in a study published May 24 that minute imperfections in phones caused during manufacturing create a unique Bluetooth beacon, one that establishes a digital signature or fingerprint distinct from any other device. Though phones’ Bluetooth uses cryptographic technology that limits trackability, using a radio receiver, these distortions in the Bluetooth signal can be discerned to track individual devices.

[…]

The study’s scientists conducted tests to show whether multiple phones being in one place could disrupt their ability to track individual signals. Results in an initial experiment showed they managed to discern individual signals for 40% of 162 devices in public. Another, scaled-up experiment showed they could discern 47% of 647 devices in a public hallway across two days.

The tracking range depends on device and the environment, and it could be several hundred feet, but in a crowded location it might only be 10 or so feet. Scientists were able to follow a volunteer’s signal as they went to and from their house. Certain environmental factors can disrupt a Bluetooth signal, including changes in environment temperature, and some devices send signals with more power and range than others.

One might say “well, I’ll just keep Bluetooth turned off when not in use,” but the researchers said they found that some devices, especially iPhones, don’t actually turn off Bluetooth unless a user goes directly into settings to turn off the signal. Most people might not even realize their Bluetooth is being constantly emitted by many smart devices.
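As an added illustration (constructed here, not code from the post or from the UCSD paper), the Go simulation below models the effect the article describes: eight transmitters with fixed, constructed impairments (carrier frequency offset and I/Q imbalance), an address that rotates between two observation epochs, a nearest-neighbour matcher that looks only at the impairments, and a 3 kHz CFO shift standing in for the temperature effect the article mentions. The feature set, the noise levels and the shift size are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Impairment is the signature a receiver can estimate from a BLE preamble:
// carrier frequency offset (kHz) and I/Q imbalance (gain dB, phase degrees).
// Feature set, units and every value below are constructed for this example.
type Impairment struct{ CFO, IQGain, IQPhase float64 }

// Packet is an advertisement as a passive receiver sees it: the address in the
// PDU plus the impairments estimated from the preamble. Dev is ground truth,
// used only to label the constructed fleet and to score the matcher.
type Packet struct {
	Dev, Addr string
	Feat      Impairment
}

// Constructed fleet (Addr is assigned per epoch). A, B, C and D sit ~3 kHz
// apart in CFO with near-identical I/Q values, so a CFO shift confuses them.
var fleet = []Packet{
	{Dev: "A", Feat: Impairment{-4.0, 0.30, 1.5}}, {Dev: "B", Feat: Impairment{-1.0, 0.30, 1.6}},
	{Dev: "C", Feat: Impairment{2.0, 0.32, 1.4}}, {Dev: "D", Feat: Impairment{5.0, 0.31, 1.5}},
	{Dev: "E", Feat: Impairment{8.5, 0.60, 3.0}}, {Dev: "F", Feat: Impairment{-7.0, 0.15, 0.8}},
	{Dev: "G", Feat: Impairment{12.0, 0.45, 2.2}}, {Dev: "H", Feat: Impairment{0.0, 0.80, 4.0}},
}

// dist normalises each feature by a typical spread (1 kHz, 0.1 dB, 1 degree)
// so that no single dimension dominates the comparison.
func dist(a, b Impairment) float64 {
	dc, dg, dp := a.CFO-b.CFO, (a.IQGain-b.IQGain)/0.1, a.IQPhase-b.IQPhase
	return math.Sqrt(dc*dc + dg*dg + dp*dp)
}

// observe emits n packets from d under one freshly rotated 48-bit address
// (standing in for BLE private-address rotation). Features carry per-packet
// estimation noise; cfoShift models a temperature change since enrolment.
func observe(r *rand.Rand, d Packet, n int, cfoShift float64) []Packet {
	addr := fmt.Sprintf("%012x", r.Uint64()&0xffffffffffff)
	out := make([]Packet, 0, n)
	for i := 0; i < n; i++ {
		out = append(out, Packet{Dev: d.Dev, Addr: addr, Feat: Impairment{
			CFO:     d.Feat.CFO + cfoShift + r.NormFloat64()*0.2,
			IQGain:  d.Feat.IQGain + r.NormFloat64()*0.03,
			IQPhase: d.Feat.IQPhase + r.NormFloat64()*0.3,
		}})
	}
	return out
}

// meanFeat averages the packets seen under one address into a reference.
func meanFeat(pkts []Packet) Impairment {
	var m Impairment
	for _, p := range pkts {
		m.CFO += p.Feat.CFO
		m.IQGain += p.Feat.IQGain
		m.IQPhase += p.Feat.IQPhase
	}
	n := float64(len(pkts))
	return Impairment{m.CFO / n, m.IQGain / n, m.IQPhase / n}
}

// Result is the fraction of epoch-2 packets linked to the correct epoch-1
// reference by exact address match and by nearest fingerprint.
type Result struct{ ByAddress, ByFingerprint float64 }

// Simulate enrols every device in epoch 1, lets all addresses rotate, then
// tries to re-identify each epoch-2 packet by address and by fingerprint.
func Simulate(seed int64, cfoShift float64) Result {
	r := rand.New(rand.NewSource(seed))
	const perEpoch = 10
	refs := make([]Packet, 0, len(fleet))
	for _, d := range fleet {
		e1 := observe(r, d, perEpoch, 0)
		refs = append(refs, Packet{Dev: d.Dev, Addr: e1[0].Addr, Feat: meanFeat(e1)})
	}
	var epoch2 []Packet
	for _, d := range fleet {
		epoch2 = append(epoch2, observe(r, d, perEpoch, cfoShift)...)
	}
	var addrHits, fpHits int
	for _, p := range epoch2 {
		best, bestD := 0, math.Inf(1)
		for i, ref := range refs {
			if ref.Addr == p.Addr && ref.Dev == p.Dev {
				addrHits++
			}
			if d := dist(p.Feat, ref.Feat); d < bestD {
				best, bestD = i, d
			}
		}
		if refs[best].Dev == p.Dev {
			fpHits++
		}
	}
	n := float64(len(epoch2))
	return Result{float64(addrHits) / n, float64(fpHits) / n}
}

func main() {
	fmt.Printf("stable temperature: %+v\n", Simulate(1, 0))
	fmt.Printf("+3 kHz CFO drift:   %+v\n", Simulate(1, 3.0))
}
```

With a stable temperature the rotated addresses never match but every packet is re-identified from the impairments; with the CFO shift most devices are confused with a neighbour, which is the kind of environmental effect behind the 40 to 47 per cent figures rather than a reason to rely on address rotation.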

Posted on June 17, 2022 at 6:06 AM • 25 Comments

Comments

Ted June 17, 2022 8:59 AM

Luckily, physical layer fingerprinting for Bluetooth isn’t exceptionally trackable. Many factors – including similarities in chipsets, differences in signal transmission power, and variations in temperature – add challenges to precision identification.

MAC randomization every 15 minutes is of course a help in anonymizing a Bluetooth device.

I didn’t realize how ‘talkative’ Bluetooth was though. The researchers measured how many Bluetooth adverts were sent out of different devices per minute. For the iPhone 10 it was 872 adverts per minute. For the Apple Watch 4 it was 598.

TimH June 17, 2022 9:33 AM

researchers said they found that some devices, especially iPhones, don’t actually turn off Bluetooth unless a user goes directly into settings to turn off the signal. Most people might not even realize their Bluetooth is being constantly emitted by many smart devices.

There’s nothing in the actual paper “Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices” on this. Just the gizmodo blurb.

Clive Robinson June 17, 2022 9:35 AM

@ Bruce, ALL,

This is not “news”…

The same or very similar issues occur “WITH ALL” systems that transmit data.

As I’ve pointed out in the past, whilst you may not be able to decrypt the signals from passports and bank cards, you can “tell which chips and step” are being used.

So you could make a “device” that activates whenever someone holding a US Passport and particular credit card walks through a doorway or similar. It’s not that difficult. The more RF devices the more unique it becomes to individuals.

As I said “not new” but “not yet used” in a way that has become public.

When it does it could be explosive, and have a real backlash effect, which would have almost the same effect on society as the costs from 9/11.

Wayne June 17, 2022 10:24 AM

As has been said, this was known ages ago. I had no problem keeping BT turned off on my devices. Except now I’m a hearing aid wearer, and it’s bloody important for me to keep my hearing aids paired to my iPhone to have a decent conversation! (ignoring how Apple and my hearing aid maker are seeming to conspire to screw that up)

So now my BT is on all the time and I’m resigned to that being a new reality for me. I even went to the extent of forwarding my work phone to my mobile as our office phones are horrible for not having enough volume.

William June 17, 2022 10:37 AM

@Wayne quite a difficult situation. I’ve never trusted Bluetooth and wonder how this sort of implementation fits into regulations and guidelines such as HITRUST and HIPAA.

Clive Robinson June 17, 2022 12:42 PM

@ Wayne,

Except now I’m a hearing aid wearer, and it’s bloody important for me to keep my hearing aids paired to my iPhone to have a decent conversation!

You have my sympathy…

I have here beside me a “Digital Hearing Amplifier” in a box that claims to offer “Better Sound Better Life” and for me at least it offers neither.

My hearing loss, via way of tinnitus, is I’m told probably due to my days wearing the green and being in the regimental shooting team…

Suffice it to say, with significant differences in both ears, conversations on an ordinary phone are, even when I know who I’m talking to, mostly not possible and all too frequently embarrassing when I think I hear a different word to the one said.

And I’m not just talking the likes of “trumpet, crumpet, strumpet, lump it, sump pit, some pet, Lovett” etc. Some words that never sounded the same, like “trist and crisp”…

To say “frustrating” is not the half of it, especially when I give talks and have to take questions…

John June 17, 2022 1:14 PM

hmm….

Hearing and eye problems are often just mineral deficiency.

Oysters, sea food, Redmond,UT clay are a good beginning.

See especially “We eat clay” about Redmond, UT clay.

I keep a glass on the table as described in that book and sip at it.

John

lurker June 17, 2022 1:50 PM

“Every form of communication today is wireless, and at risk” [eurekalert.org]

Welcome to our world.

Clive Robinson June 17, 2022 4:06 PM

@ lurker, ALL,

Re: Welcome to our world.

Yes, and it’s not going to get any better, only worse, because,

“We don’t learn.”

As a general notion every one thinks the world is “Digital” thus they assume incorrectly that because everything is apparently copyable perfectly it must be indistinguishable in all things “Digital”.

Well that is very far from the truth, though the authors of the paper appear to buy into it, which is actually quite sad…

They call these differences defects and the like, whereas the reality is that underneath the “Digital Myth” you find “The world is analogue” and those supposed “defects” are nothing more than “manufacturing spread”.

In the “mechanical engineering world” they have a word for the required imprecision to get things to work without “bind”; they call it “slop” and it is necessary to stop things like temperature causing things to grind to a halt. It’s the reason all mechanical locks will always be pickable, no matter what “marketing” nonsense says.

As many real analogue communications engineers know, things have got to the point where Einstein’s “Special Relativity” and “time cones” have to be “designed for” in ordinary consumer and commercial devices. Take a moment to think on that and where it might take you.

Sometimes it works the other way… You might have heard of a security device called a “Physically Unclonable Function”; well, these come about because of the requirement for “slop” in electronics device physics.

But as long as we can measure beyond what we need for our communications systems to work, then our communications devices will be “traceable” (just one Special Relativity side effect).

Surprisingly to most, the ability to do this goes back before “electronics” to “Electro-Mechanical” communications way more than a century ago… When what would later be called “Teletypes” came into fashion as “Telex machines” rather more than a century or more ago. For most people the dialable “Telex Network” that started in the 1930’s is unknown to them, though from black and white movies prior to WWII they are aware of the much much earlier “ticker-tape” machines that used to be used to send “Stock Price” information on point-to-point systems using “relays” developed in the latter half of the 1800’s.

The so called “Serial Communications” has always been subject to “oddities” from the “manufacturing spread”; mostly it was only of concern to engineers and technicians.

However the “pull-in” and “release” time differences on electromechanical relays were known over a century ago to be a way to “strip off” super-encryption by “One Time Tape” systems that should have in theory given perfect security (something the NSA went on to exploit with NIST and the AES competition, and why you should never use AES in “on-line” mode).

The Canadian “Pat” Bayly spent considerable time and effort in developing the “British Inter-Departmental”(BID) OTT Crypto machine “Rockex” from these early attacks before the terms TEMPEST or EmSec were thought up.

http://www.campx.ca/patbayly.html

I’ve known about this for over forty years and have mentioned it from time to time on this blog.

As I said “nothing new” even the fact that in the ICT Industry in general and in the ICTsec industry specifically,

“We do not learn from our history.”

Why this should be I do not know, but I can guarantee that within a decade there will be yet another “Shock Horror” “everything is traceable” story…

Here’s me mentioning it on this blog as “nothing new” back in September 2005,

https://www.schneier.com/blog/archives/2005/09/snooping_on_tex.html/#comment-13377

And that is not the first time, but people appeared genuinely surprised to know this even though they had worked with the equipment,

http://jproc.ca/crypto/rockex.html

Sometimes secrets can be kept, when they really should not be…

Speaking of which, I would recommend the first half of Peter Wright’s “Spycatcher” to people; it was written in the early 1980’s and tells you a very great deal about what are still “current Attack / Surveillance” methods. I did not get to know Peter Wright but his MI5 “assistant” Tony Sale I did get to know and we swapped some fun stories about things now past. I don’t know how many other people know them but I know it really surprises modern “Security Experts / Gurus” when I mention them… Both Ross J. Anderson and Matt Blaze got “surprised” and there are others less well known.

I just wish they would spread them on with more “vigor” because not knowing these things is really not just “hurting people”, it’s “getting them killed” as those in Iran and China found out with the fairly useless CIA system in more recent times.

lurker June 17, 2022 5:04 PM

@Clive

This BT “attack” recalls in a previous life we were warned that anyone we saw on a tractor wearing headphones was probably Russian, collecting radiation from our telegraph relays. Nowadays everybody on tractors wears headphones for muzak or OSH noise reduction, and radiation from relays has been forgotten. But always on BT, the desire for instant gratification, the laziness to not turn stuff off when it’s not being used, mean the guys with headphones now come from Madison Ave and Langley Park.

SpaceLifeForm June 18, 2022 2:37 AM

@ Clive, lurker

As I said “nothing new” even the fact that in the ICT Industry in general and in the ICTsec industry specifically,

“We do not learn from our history.”

See https://www.schneier.com/blog/archives/2022/06/long-story-on-the-accused-cia-vault-7-leaker.html/#comment-406330

Because, if you figure out the two “not air-gapped” channels, you may guess that they were using x.25 over the link. Before Kermit.

In my experience, x.25 just works. May be slow, but pretty reliable.

Then again, I may have no idea what I am talking about.

Marian June 20, 2022 3:36 AM

As far as learning or not learning from history goes:

In the days of messages transmitted by humans over radio people listening in could discern individual operators by their “hand”, the unique style in dah-ditting out morse code.

Even if the cryptography used was sound and yet unbroken useful intelligence was gathered from tracking people.

I believe it will only get easier to track us and we should work on social ways to make use of that data bitter to the people and organisations gathering it.

Regards, Marian

Clive Robinson June 20, 2022 4:38 AM

@ Marian,

we should work on social ways to make use of that data bitter to the people and organisations gathering it.

History shows, that some will turn swallowing the most bitter of pills into a virtue.

Some really do “wear their hair shirts on the inside” because it makes them feel somehow superior, thus more worthy than others…

With such people the more you do to stop their stupidity, the more it encourages them.

It’s why some talk not of “bitter pills” but “poison pill” solutions… But as has been seen with Musk -v- Twitter board, you have to be careful when you make one, lest the person you are trying to stop rams it down your own throat.

As some have pointed out… Unlike others Musk now gets firehose access without an NDA, can still potentially walk away, so what will be his next trick? Re-negotiate the price down 20% or more…

JonKnowsNothing June 20, 2022 8:01 AM

@ Clive, @ Marian

re: Musk v Twitter: Re-negotiate the price down 20% or more…

I have not read or seen the entire contract between M.Musk and Twitter but afaik there is no reason at all that Twitter has to accept a 20% decrease in selling price or any other decrease in price.

Per what’s been written about the contract, M.Musk is obligated to pay the rate as set in the contract. Breach of contract would find M.Musk obligated to pay the $1,000,000,000 ($1B) in forfeit.

There might be, and probably will be, a proxy fight over the control of the company at the Annual Board Meeting (whenever that’s scheduled).

The proxy fight will line up the following opponents into ProMusk and ContraMusk camps.

  • The ContraMusk group will be the current shareholders holding major stakes in the company and will see any negotiation of lower price as a serious impact on their financial holdings. Additionally, they will be pushing the SEC about disparaging remarks that continue to flow out of M.Musk’s mouth with negative impacts on the stock price. (They wouldn’t care if the price was going up).
  • The ProMusk group will show up as having recently acquired their stock after M.Musk made the disparaging remarks about the company he is attempting to buy. Once they have registered their full stock holdings and there is enough basis for questions of illegal stock price manipulation, the SEC may have something to say about that and possible civil/criminal impediments going forward. For those who have long-term holdings in the ProMusk group they will be expecting “something in return” for their support.

In the backrooms, there will be some serious wheeling-and-dealing with the major financial backers and opponents. Per what has been written, M.Musk has nowhere near the amount of funding needed to close the deal and he may not have the funding to walk away from the $1B forfeit either.

M.Musk may complain about many things but what is in the contract is what will prevail in court. Per what was written, M.Musk unwisely signed a No Due Diligence Clause in the contract. Like buying a house with “rising damp”, he’s stuck.

Among other examples of hostile corporate dealings, HP is a good historical starting point. There are summaries in WikiP but if people want to get a bit more into the nitty gritty of what was going on, historical archives of reporting would give them a flavor of what proxy wars entail. There have been +3 major ones at HP in the last ~30yrs and much of it swept under the rug later on. Once a bad deal happens it gets buried quickly. Deutsche Bank and HP is a good starter. (1)

====

1) Compaq and HP Merger Proxy War

Compaq was acquired for US$25 billion by HP in 2002.

The merger was approved by HP shareholders only after the narrowest of margins, and allegations of vote buying (primarily involving an alleged last-second back-room deal with Deutsche Bank) haunted the new company.

It was subsequently disclosed that HP had retained Deutsche Bank’s investment banking division in January 2002 to assist in the merger. HP had agreed to pay Deutsche Bank $1 million guaranteed, and another $1 million contingent upon approval of the merger. On August 19, 2003, the U.S. SEC charged Deutsche Bank with failing to disclose a material conflict of interest in its voting of client proxies for the merger and imposed a civil penalty of $750,000. Deutsche Bank consented without admitting or denying the findings.

note: iirc(badly) At the time, Deutsche Bank was aligned with the No Compaq group and held substantial shares in the company. Prior to the final vote, a backroom last minute deal was made by Carly Fiorina: Deutsche Bank was offered serious money and financial incentives to switch votes.

Clive Robinson June 20, 2022 10:00 AM

@ JonKnowsNothing, Marian,

Breach of contract would find M.Musk obligated to pay the $1,000,000,000 ($1B) in forfeit.

Not quite true; only if Elon Musk fails to proceed without good reason does he have to pay it.

So if the Twitter Board withdraw, or do not proceed “with good faith”, then Elon Musk keeps his billion and may have cause to seek damages.

Twitter’s SEC filings about the levels of real and fake content are quite a way out of alignment with other Social Media, so to put it politely are “highly suspect unless proven otherwise”.

The supposed “Smart Money” says the Twitter board have probably been “cooking the books” on this. Which means they are now caught between the Devil (SEC) and the Deep Blue Sea (Musk).

Put bluntly if the Twitter board has been misleading the SEC and Shareholders, then there may be both Criminal and Civil penalties to be paid that would effectively wipe a very very large amount off of their share price which could drop into the $20/share range or less before fines and compensation.

The question then arises as to what Elon Musk would do if he does discover the Twitter Board has been cooking the books… Outside of certain “crimes” he can choose to ignore it “officially” and just re-negotiate at a lower cost. He could report what he finds to the SEC and let them decide, or he could go public in some way and, having effectively “killed Twitter”, walk away and pick it up from the “liquidators” at way less than the usual 5 cents on the Dollar “fire sale prices”, say a couple of billion give or take rather than the 43 billion.

If the Twitter Board had not tried to grossly over value the share price and “poison pill” Musk out, then Elon’s choices would be less.

At the moment Elon has the Twitter board’s tongue in one hand and a poison pill in the other he could just shove down their throat. Any action by Twitter to get the 1 billion almost certainly would result in an open court case with all sorts of stuff coming out into public, most of it bad for Twitter, such is the nature of such court cases…

So it will be interesting to see where Elon decides to push things. He has choices which the Twitter Board really does not…

As for what happens to Twitter, well they appear to have had their time in the Sun, and they did not grow well, nor do they appear to be able to jump to the next level… Their day may well be drawing to a close.

JonKnowsNothing June 20, 2022 3:18 PM

@Clive

re: Elon Musk fails to proceed without good reason

IANAL

Failure to proceed with a signed contract in the USA does not require any “reason” to be given. You just fail to complete the terms of the contract as specified.

Most often there will be a “date or dates” by which certain items must be completed or the contract fails. afaik from MSM, M.Musk can raise questions about the company to the SEC or the SEC may already have interest in the company but this is not likely to be part of the contract limitations or exclusions.

There is likely an exit clause about fraud within the legal context of the “fraud” in the USA. There may be 2 legal paths: civil and criminal for lawsuits and the outcome depends on whether the challenging party can “prove it” by USA laws, that there was something odd.

  • Deutsche Bank forked over $750K to the SEC to skip those parts and HP got to keep Compaq.

If there is something deeper a la Enron then there will be fingers pointed everywhere and the Feds will be using a fine tooth comb on everyone involved. M.Musk might not enjoy the sunshine in that playground anymore than the Twitter Board will.

While corporate contracts are more detailed than those in personal finance, much remains the same (USA).

1, An agreed exchange
2, Consideration given (peppercorn or “Earnest money” aka deposit)
3, Escrow and exchange of funds
4, Title and ownership transfer

From MSM reports they have completed 1 and 2. The wrangle is in 3 Escrow and Exchange of Funds. If there is a time limit for both the buyer and seller to complete escrow and those deadlines are exceeded, the contract fails. Terms of who pays what on contract failures is pretty well determined by USA business law. Unless Musk can find issues that will trigger a Mutual Agreed Withdrawal, he is stuck.

In many consumer contracts, if you fail to complete escrow (1) you may lose some or all of your deposit (earnest money). Sometimes this amount is divided into 2 portions. An initial deposit or hold on the item, later followed up by larger deposit and in escrow the full down payment and funding takes place. A good part of the time the earnest money is forfeited ($1B) and both parties withdraw.

From MSM reports, M.Musk is attempting to run the media into reporting that Twitter is not performing on their end of the contract. Exactly what Twitter is required to provide varies by report but initial reports of the deal, indicated that M.Musk was buying it Lock Stock and Barrel, Sight Unseen, Pig In A Poke and that he claimed he could complete the deal as a hostile takeover (proxy war).

So far, the only ones who will make oodles on the deal are the lawyers for both sides because this will take a long time in court to sort out if either party balks at the reported terms. The failure to complete a contract won’t be an issue (in USA Law) only the penalties to be assessed might be challenged.

===

1) Often times, consumer contracts will be voluntarily extended by the seller. An example is raising a down payment for a home. The buyer may have full funding from a lending institution contingent on the buyer fully funding the down payment (5%-20%-30%…). Sometimes the buyer needs more time to raise the balance of the down payment and seller will extend the contract. However, after n-period the seller can refuse to extend the contract any further and the forfeit clause kicks in about the return of the deposit.

SpaceLifeForm June 20, 2022 5:12 PM

Cold Feet

The best option for all concerned may be to completely drop the deal and forgive the $1B penalty.

Twitter: Go away Elon. In exchange you can keep the $1B

Elon: Cool because I don’t have the scratch anyway

Twitter: We don’t want SEC looking too closely

Elon: Me neither

SEC: Damn it guys, this was getting interesting

This scenario makes the most sense for everyone except the lawyers eyeing the billable hours.

JonKnowsNothing June 20, 2022 8:19 PM

@ SpaceLifeForm

re: Cold Feet

I do not know why anyone who would walk away from $1B laying on the table.

Personally I’d happily take 1/10th of that amount but M.Musk hasn’t offered me any of his funds.

It could be because I have zero input into any decisions that M.Musk and Twitter might make, but 1/10th would still come in mighty handy since I’m now a Food Pantry Regular. (1)

Both sides could voluntarily withdraw from the contract but there would need to be some impediment against M.Musk pulling the same shenanigans again. MSM reporting on the lack of compliance by M.Musk on any number of restrictions, I’d not want to put too much credence into anything M.Musk agreed to.

Items to negotiate

  • Stock buys and sells
  • Price manipulation
  • Price depression
  • Reputation Harms (management)
  • Business Environment Harms
  • Cost of Litigation (potential future)
  • Cost of Legal Expenses (current advice, legal filings)
  • Redirected costs of salaries and personnel assigned to Buyout Tasks.
  • Goodwill Value Recovery (financial changes affecting finance & banking)

===

1) Food Pantry Regular and Pet Food Pantry Regular.

Clive Robinson June 20, 2022 10:34 PM

@ JonKnowsNothing, SpaceLifeForm,

Re : Cold Feet

Remember the story of that wooden horse from getting on for three thousand years ago, and that expression “Beware of Greeks bearing Gifts”?

Well when it comes to,

I do not know why anyone who would walk away from $1B laying on the table.

I do, when it is effectively a “Booby Trap”[1] that is picking it up will cost you more in some way than leaving it there, same as that mythical Trojan Horse should have been left where it was.

Or if you prefer when it’s possibly been turned into a “poison pill” of it’s own…

Usually in a “Takeover deal” due diligence is required, that is the seller has to “open ALL the books” to the buyer. This is generally a dangerous thing to do for the seller, because if the deal falls through then the potential buyer has information that they can go to a third party with, or use against the seller’s continuing performance.

Whilst there might be a “no due diligence” clause in the contract, the seller can not use it to hide illegal, unlawful or questionable behaviour / conduct on their behalf. Likewise the potential buyer, on finding such behaviour, if they do not report it becomes complicit, thus liable on one of those “conspiracy charges” Federal Authorities almost always add at the bottom of the charge sheet as a “catch all”. Much like the “lying to Federal Officers” because as charges they are very very difficult to defend, as proving a negative is difficult even using bivalent logic.

So as @SpaceLifeForm observes,

The best option for all concerned may be to completely drop the deal and forgive the $1B penalty.

But that is also dangerous on the old,

“No smoke without fire principle.”

This dance has been very raunchy and public… If they don’t jump into bed, then people are going to ask why?… In the absence of a believable excuse people are either going to make something up, dig something up, or both. The questionable way Silicon Valley Corps are run in general gives plenty of soft mud to grab and fling, and it will stick like the proverbial to the blanket, thus give off a stink for years to come.

So they might have to at least “hold hands” for a while to protect each other’s reputations whilst they find something they can both live with without too much embarrassment / loss of face / reputation.

So we are kind of like in that “Waiting on the blood tests” phase or “fertility tests” with race horses and bulls.

But I still maintain my point, that if I had been daft enough to own Twitter Shares I would have unloaded them long before they dropped to $40. I’d rather go for a small loss, rather than wait around for the “maybe baby day” of the take over, that is getting less likely day by day.

That is if you look at the Twitter share price figures and filter off the noise and remove the “Musk Hump” Twitter shares have had a downwards trajectory for the past year and have gone from a high of just under $80 to significantly below $40… The smoothed curve is still in what appears the initial “straightline drop” of exponential decay… Probably safe to say that Twitter was not a Corp on the “fast track to success”, more like the morgue via the ITU.

What ever it is the Twitter Board has been doing, the market does not think very much of it. Hence the underlying “trajectory of doom” of the Twitter share price.

A state of affairs that many might see as “confirmation” the Twitter Board have probably been “fiddling the figures” in their SEC filings etc.

I’ve “no skin in the game” with either side, and I must admit, it’s beginning to feel like watching a worm that tried to cross the concrete patio in a rain shower that turned to baking sun when the worm got half way across…

[1] The stories behind the “Booby Trap” are many; one credible one is based around sailors and an albatross sized bird called a “Booby” (Spanish for foolish/stupid, to do with its mating ritual of displaying feet to the female by lifting them up and waving them). Apparently all that was required to catch them was “food on the deck” and a simple “slip noose” plainly visible, and a simple spring and release trigger mechanism that the bird would activate on moving the food. Apparently it was not until the first world war that it gained its modern military meaning, that became entrenched with “asymmetrical warfare tactics” of WWII and later conflicts.

SpaceLifeForm June 21, 2022 3:54 AM

@ JonKnowsNothing, Clive

Re: Cold Feet

I do not know why anyone who would walk away from $1B laying on the table.

Well, it’s a cheap card table, no chairs included, and the $1B is Dogecoin.

Beware of Geeks bearing Grifts

I have saved many worms over the years. The ‘out’ here is to do a stock swap, with some marketing bs to make it look plausible to the public.

Clive Robinson June 21, 2022 7:23 AM

@ SpaceLifeForm, JonKnowsNothing,

Re : Cold Feet

As you note,

The ‘out’ here is to do a stock swap, with some marketing bs to make it look plausible to the public.

It is one of several ways, but there is still the “Bride left at the altar” problem. M.Musk can pretend to be the rejected swain riding off into the sunset; that is the easiest part to accomplish.

However Miss Twitter would be an unwed bride, and history indicates that no matter how virtuous there will be stains on not just the bridal trousseau, thus attracting a new suitor is doubtful.

As I’ve indicated, Miss Twitter appears to be not just a fading bloom but well over the hill and descending into the twilight of nether years.

It will be for others to finish the melodrama, but there will be a bill to be paid, and I’ve a feeling that M.Musk will not be opening his coin-purse…

JonKnowsNothing June 21, 2022 8:44 AM

@All

An interesting MSM report about a surveillance scheme using features of a fitness tracking app. There have been other versions of this but this variation uses a built-in feature of the app and exposes what is supposed to be “secret” to “open sesame”.

The fitness app has a User Defined Fitness Path called a “segment”. Segments can be uploaded and made public for others to try out. The ego booster challenge of “I can run up this hill in 2m can you do better?”. The segments can be made open to the public and a challenger can copy the segment into their private space. Except like many complaints of “where is THAT setting?” if the challenger does not tick a lot of extra boxes to make private specific segments, the data can leak.

To use this aspect to track people and their movements, the segment details GPS locations and pathways but the Title doesn’t have to be related to the GPS coordinate and the GPS path doesn’t have to be anywhere near the proposed location. There is no validation of where the GPS location physically is eg no ring fence.

Evidently some “clever folks of unknown purpose” set up some segments inside military bases and suspected places of interest, and were then able to track the challengers as they moved from Secret Base to Secret Base to Nuclear Base to Foreign Base…

It’s a targeted heat map.

===

ht tps://www.thegua rdian.com/world/2022/jun/21/strava-users-spy-israeli-military-fake-routes-in-bases

(url lightly fractured)

Clive Robinson February 24, 2023 2:16 AM

@ James Harris,

Re : What is received.

“Are the MAC addresses the only information that’s received by the beacons via BLT?”

As indicated a whole load of “side channel” information in the analogue domain gets transmitted by your device. Much of it in combination not just uniquely identifies the transmitting device, but also it’s current internal state.

Thus what gets received depends on the receiver electronics and the software it feeds into (see “Software Defined Radio”(SDR) like GNUradio).

These days few understand “analogue” thus assume incorrectly that “Digital Security” like encryption is sufficient.

As I note above even the most secure of encryption systems based on the “One Time Pad”(OTP), when added automatically as a “One Time Tape”(OTT) can be stripped off in the analogue domain by as little as watching the display on an oscilloscope or similar connected at the OTT output or down stream of it.

The same issue applies to the NIST “Advanced Encryption Standard”(AES) winner, and the way the competition was set up by NIST on the advice of the NSA… It led to very nearly all the AES implementations to have significant time and power based side channels rendering them very easily broken “out on the network” where the NSA mostly play.

The fact that there are still AES implementations out there that have these side channel issues should give you an indication as to why the ICT and especially the ICTsec industries should not ignore the analogue domain as they currently do.

Davis September 29, 2023 4:34 PM

My issue with the whole thing is that Apple, Samsung and likely others are collecting each and every BT ID they see, and transmitting the location and time it was seen to their servers.
If my wife is jogging down the canal, and her earbuds pass by one of those devices, that’s recorded.

And people say, “well, it’s secured and Apple is trustworthy”. As true as that may be, what happens when the data is leaked? @BAM# people instantly know what Bluetooth equipment I have, including my car, and also a tidy little schedule of when and where I am at any given date.

What’s worse, you cannot opt out of transmitting those signals if you own an Apple or Samsung device. It’s just on. period. And you certainly cannot opt out of your devices being tracked.

I find this to be a shortcoming of Bluetooth. A MAC ID should not be transmitted in the clear at all. They should send a generic signal when they’re trying to connect, that only receives a MAC after both sides have confirmed the relationship. There’s no other way.

Class Action, boys!
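The address rotation discussed in this thread (the periodic MAC randomization Ted mentions, and the “no identity until the relationship is confirmed” behaviour Davis asks for) is BLE’s resolvable private address (RPA). What follows is an added example, not code from the thread or from any BLE stack: the spec’s ah() construction (Core Spec Vol 3 Part H, ah(k, r) = e(k, r′) mod 2^24) and resolution with an Identity Resolving Key, in Go with constructed keys and prand values.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// IRK is a device's 16-byte Identity Resolving Key, handed to peers at bonding.
// All values here are most-significant-byte first, the order the spec's
// e(k, p) AES-128 primitive is defined over; over-the-air order is reversed.
type IRK [16]byte

// ah is the spec's random address hash: ah(k, r) = e(k, r') mod 2^24, where
// r' is 104 zero bits followed by the 24-bit prand, and "mod 2^24" keeps the
// three least significant bytes of the AES-128 output.
func ah(k IRK, prand [3]byte) [3]byte {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err) // unreachable: the key is always 16 bytes
	}
	var in, out [16]byte
	copy(in[13:], prand[:])
	block.Encrypt(out[:], in[:])
	var hash [3]byte
	copy(hash[:], out[13:])
	return hash
}

// RPAFromPrand builds a resolvable private address: the top two bits of prand
// are forced to 01 (the RPA marker), then the address is prand || ah(k, prand).
func RPAFromPrand(k IRK, prand [3]byte) [6]byte {
	prand[0] = prand[0]&0x3f | 0x40
	hash := ah(k, prand)
	var addr [6]byte
	copy(addr[:3], prand[:])
	copy(addr[3:], hash[:])
	return addr
}

// NewRPA draws prand from the system CSPRNG, as a device does on each
// rotation interval (the 15 minutes mentioned in the thread is a common choice).
func NewRPA(k IRK) ([6]byte, error) {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		return [6]byte{}, err
	}
	return RPAFromPrand(k, prand), nil
}

// IsRPA reports whether an address carries the 01 marker bits.
func IsRPA(addr [6]byte) bool { return addr[0]&0xc0 == 0x40 }

// Resolve returns the index of the first key that reproduces addr's hash, or
// -1. A peer holding the device's IRK links successive RPAs to one identity;
// an observer without it sees an unrelated 48-bit value each interval, which
// is exactly why the physical-layer fingerprint in the post matters.
func Resolve(addr [6]byte, keys []IRK) int {
	if !IsRPA(addr) {
		return -1
	}
	var prand [3]byte
	copy(prand[:], addr[:3])
	for i, k := range keys {
		want := ah(k, prand)
		if subtle.ConstantTimeCompare(want[:], addr[3:]) == 1 {
			return i
		}
	}
	return -1
}

func main() {
	// Constructed keys, not real device secrets.
	phone := IRK{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10}
	stranger := IRK{0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf}
	a, _ := NewRPA(phone)
	b, _ := NewRPA(phone)
	fmt.Printf("%x -> key %d, %x -> key %d, without the IRK: %d\n",
		a, Resolve(a, []IRK{stranger, phone}), b, Resolve(b, []IRK{stranger, phone}), Resolve(a, []IRK{stranger}))
}
```

Two RPAs from the same phone look unrelated to anyone without its IRK, so the identity address is never on the air; the paper's point is that the radio impairments are still there underneath.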
