Your smartphone or laptop gives off unique Bluetooth radio signals that can be identified and used to track your device’s location, says a new research study. Just turning Bluetooth off can’t always prevent this — some devices, especially Apple ones, might need to be totally powered off.
When Bluetooth is turned on, all mainstream smartphones, laptops, and smartwatches do their best to try to keep you anonymous through randomizing network addresses and other means. But there’s enough variation in the physical radio signals sent out by each device to be able to uniquely “fingerprint” individual devices much of the time, says the University of California, San Diego study.
“These applications use cryptographic anonymity that limit an adversary’s ability to use these beacons to stalk a user,” the study says. “However, attackers can bypass these defenses by fingerprinting the unique physical-layer imperfections in the transmissions of specific devices.”
“Even when there are hundreds of devices we encountered in the field, it is still feasible to track a specific mobile device by its physical-layer fingerprint,” the study notes. It did caution that certain devices had similar fingerprints, which could lead to misidentification.
Some devices were easier to fingerprint than others. While iPhones tended to have similar-looking fingerprints, they were substantially “louder” than Android devices, sending out stronger Bluetooth signals and being detectable at greater distances.
Study leaders Hadi Givehchian and Nishant Bhaskar told The Register that the equipment needed to track these devices would cost about $200. They found that picking out individual devices using Bluetooth signals in public places was not that efficient — they were able to identify devices only between 40% and 50% of the time.
However, once a device’s Bluetooth signal profile was known, the researchers said, they were able to follow the device around town with an accuracy rate of 96%.
The study, entitled “Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices,” will be formally presented at the IEEE Symposium on Security and Privacy in May 2022.
Nonetheless, there are limits to this method, the study…