Since the adoption of Bluetooth specification 4 in 2010, the Bluetooth Low Energy (BTLE) subset has become practically universal in electronic devices, from smartphones to medical devices. Its major advantage over previous Bluetooth specifications and other communication protocols is that communicating over BTLE requires very little energy; certain devices can run on coin cell batteries for multiple years. This has made BTLE particularly popular in the world of the Internet of Things, and one of the principal reasons for its introduction was to enable convenient communication with a wider range of electronic devices than before, such as headphones, heart rate monitors, and smart home devices such as the oft-cited refrigerator.
In the BTLE network, there are two principal roles of communication, the Central and the Peripheral role (there are two more, but we’ll ignore them for now). The Central role is commonly filled by devices with larger batteries and more processing power (ex. smartphones), while the Peripheral role pertains to sensors, audio devices, location or time providers. Peripherals usually have a very limited set of functionalities and cannot establish connections on their own.
Peripherals are set up such that they periodically send out very short messages, so-called advertisements. These advertisements are usually sent every 120 ms and contain at most 31 bytes of data. Advertisements tell other devices how to reach the Peripheral, what its name is, and what services it provides, among other things. A typical advertisement looks as follows:
    <Connectability indicator><Address type><Bluetooth address>[<Advertisement type><Advertisement data>, ...]
Each advertisement contains one or more data blocks. These blocks contain a list of services, service data, the device name, or vendor-specific data.
Because these advertisements are sent in the clear, the Bluetooth consortium has introduced the ability for vendors to generate random device addresses that may be re-generated at regular intervals. This should ensure that a device remains identifiable via BTLE only for a short time. However, the renewal interval is chosen by the vendor, and some vendors choose not to renew the address at all. So, while the aforementioned Address type may be set to Random Device Address, the address may still remain unchanged for a particular device, and thus cause the device to be identifiable indefinitely.
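The following is an added example, not code from the original article or from its Git utility. It classifies an advertiser's address by the sub-type bits the Bluetooth Core specification defines for random addresses (static, resolvable private, non-resolvable private) and, from a constructed log of sightings, measures how often a device actually renews its address. A device whose "random" address never changes shows up as an empty list of renewal intervals. The sighting log, timestamps and addresses are constructed for illustration.

```python
from datetime import datetime, timedelta

# Address_Type values from the LE advertising report: 0 = public, 1 = random.
PUBLIC, RANDOM = 0, 1

# Constructed sighting log: (timestamp, address) pairs for one device, as a
# passive scanner would record them. Addresses are made up for this example.
ROTATING_DEVICE = [
    (datetime(2017, 1, 1, 12, 0, 0), "7A:11:22:33:44:55"),
    (datetime(2017, 1, 1, 12, 7, 0), "7A:11:22:33:44:55"),
    (datetime(2017, 1, 1, 12, 15, 0), "5C:AA:BB:CC:DD:EE"),
    (datetime(2017, 1, 1, 12, 30, 0), "61:01:02:03:04:05"),
]
STATIC_DEVICE = [
    (datetime(2017, 1, 1, 12, 0, 0) + timedelta(hours=h), "F0:DE:AD:BE:EF:01")
    for h in range(24)
]


def classify_address(addr_type: int, addr: str) -> str:
    """Return the sub-type of a BTLE device address.

    addr is written most significant byte first ("XX:XX:XX:XX:XX:XX").
    For random addresses the two most significant bits select the sub-type:
    11 = static, 01 = resolvable private, 00 = non-resolvable private.
    """
    if addr_type == PUBLIC:
        return "public"
    msb = int(addr.split(":")[0], 16)
    return {
        0b11: "random-static",
        0b01: "random-resolvable",
        0b00: "random-nonresolvable",
    }.get(msb >> 6, "random-reserved")


def renewal_intervals(sightings):
    """Return the seconds between successive address changes of one device.

    sightings is a time-ordered list of (timestamp, address). An empty result
    means the address was never renewed during the observation window.
    """
    intervals = []
    last_addr, last_change = None, None
    for ts, addr in sightings:
        if last_addr is None:
            last_addr, last_change = addr, ts
        elif addr != last_addr:
            intervals.append((ts - last_change).total_seconds())
            last_addr, last_change = addr, ts
    return intervals


def advertisements_per_interval(seconds: float, period_ms: int = 120) -> int:
    """How many advertisements a device sends before renewing its address,
    assuming the usual 120 ms advertising period."""
    return int(seconds * 1000 // period_ms)


if __name__ == "__main__":
    for label, log in (("rotating", ROTATING_DEVICE), ("static", STATIC_DEVICE)):
        kinds = sorted({classify_address(RANDOM, a) for _, a in log})
        print(label, kinds, "renewals:", renewal_intervals(log))
    print("advertisements per 15 min:", advertisements_per_interval(15 * 60))
```

The sub-type check alone already tells a scanner something: a random-static address is, by definition, allowed to stay fixed for the device's lifetime, so only the resolvable and non-resolvable private sub-types carry any promise of renewal, and even that promise is only as good as the vendor's chosen interval.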
Apple is known to change their addresses about every 15 minutes, but Fitbit, for example, used to change their device addresses less than once per day or not at all. Even with a fifteen-minute renewal interval, a device will send out about 7500 advertisement messages before it changes its address. Depending on the content, that is a lot of data.
Thus, it is still conceivable to track BTLE devices to a certain extent, and for longer if the advertisement data is used as a fingerprint, since that data does not change when the address does.
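This added example (not the article's own utility) shows the two pieces the scan output later in the article relies on: splitting a raw advertising payload into its length/type/data blocks, and rendering those blocks into a bracketed fingerprint that does not depend on the device address, so that two advertisements with different random addresses but the same payload yield the same fingerprint. The type names, the Apple company identifier 0x004C and the three 16-bit service UUIDs (0x1805, 0x1806, 0x1807) are assigned numbers from the Bluetooth SIG; the payload bytes are constructed to match the advertisements in the article's sample output.

```python
import hashlib

# A small subset of the assigned AD types (Bluetooth SIG "Generic Access Profile").
AD_TYPES = {
    0x01: "Flags",
    0x02: "IncompleteListOf16BitServiceClassUUIDs",
    0x03: "CompleteListOf16BitServiceClassUUIDs",
    0x06: "IncompleteListOf128BitServiceClassUUIDs",
    0x07: "CompleteListOf128BitServiceClassUUIDs",
    0x08: "ShortenedLocalName",
    0x09: "CompleteLocalName",
    0x16: "ServiceData16BitUUID",
    0xFF: "ManufacturerSpecificData",
}
COMPANY_IDS = {0x004C: "AppleInc"}
SERVICE_UUIDS_16 = {
    0x1805: "Current Time Service",
    0x1806: "Reference Time Update Service",
    0x1807: "Next DST Change Service",
}

# Constructed payloads: Flags + Apple manufacturer data, and Flags + three
# time services + the local name "Time".
APPLE_PAYLOAD = bytes.fromhex("020106" "07ff4c0010020b00")
TIME_PAYLOAD = bytes.fromhex("02011a" "0703071805180618" "050954696d65")


def parse_ad_structures(payload: bytes):
    """Split an advertising payload into (type, data) tuples.

    Each structure is <length><type><data>, where length counts the type byte
    plus the data. A zero length ends parsing (trailing padding); a length that
    runs past the end of the payload is malformed and rejected.
    """
    structures, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns payload")
        ad_type = payload[i + 1]
        structures.append((ad_type, payload[i + 2:i + 1 + length]))
        i += 1 + length
    return structures


def is_well_formed(payload: bytes) -> bool:
    try:
        parse_ad_structures(payload)
        return True
    except ValueError:
        return False


def describe(ad_type: int, data: bytes) -> str:
    """Render one AD structure as [Name:value], resolving vendor and service ids."""
    name = AD_TYPES.get(ad_type, f"Type{ad_type:02x}")
    if ad_type == 0xFF and len(data) >= 2:
        company = int.from_bytes(data[:2], "little")
        vendor = COMPANY_IDS.get(company, f"Company{company:04x}")
        return f"[{vendor}:{name}:{data[2:].hex()}]"
    if ad_type in (0x02, 0x03):
        uuids = [int.from_bytes(data[j:j + 2], "little") for j in range(0, len(data) - 1, 2)]
        return f"[{name}:{[SERVICE_UUIDS_16.get(u, f'0x{u:04x}') for u in uuids]}]"
    return f"[{name}:{data.hex()}]"


def render(payload: bytes) -> str:
    return "".join(describe(t, d) for t, d in parse_ad_structures(payload))


def fingerprint(payload: bytes) -> str:
    """Short hash over the rendered payload. The address is not an input, so
    the fingerprint survives address renewal as long as the payload is stable."""
    return hashlib.sha256(render(payload).encode()).hexdigest()[:16]


if __name__ == "__main__":
    for addr, payload in (("30:85:5D:15:F0:6F", APPLE_PAYLOAD), ("1C:89:0C:76:88:57", TIME_PAYLOAD)):
        print(addr, render(payload), fingerprint(payload))
```

The rendering deliberately resolves the company identifier and service UUIDs to names because that is what makes the output useful to a human reading a scan, but for the fingerprint itself the raw hex would do just as well; what matters is that every byte of the payload contributes and the address does not.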
But advertising data can also be used to gather information about a device, because it routinely includes the vendor ID (ex. Apple Inc.), and many devices are connectable without the need for pairing. Connecting to devices often reveals the device name (ex. iPhone) and additional version information (ex.
What sets BTLE apart from tracking via WiFi or other communication channels is that the upfront investment is essentially zero. On current Linux, the kernel and accompanying libraries provide easy access to most Bluetooth hardware and work with a very wide range of readily available hardware such as a Raspberry Pi. The example utility in our Git repository performs a passive scan for all nearby BTLE devices and attempts to calculate a simple fingerprint of these devices.
    # python3 main.py
    0130855d15f06f, [Flags:06][AppleInc:ManufacturerSpecificData:10020b00] – -85 dBa, ConnectableDirectedAdvertising
    010c0554a664c2, [Flags:04][IncompleteListOf128BitServiceClassUUIDs:ba5689a6fabfa2bd01467d6e00fbabad][ServiceData16BitUUID:0a181204a5850000] – -86 dBa, ConnectableDirectedAdvertising
    011c890c768857, [Flags:1a][CompleteListOf16BitServiceClassUUIDs:['Next DST Change Service', 'Current Time Service', 'Reference Time Update Service']][CompleteLocalName:54696d65] – -63 dBa, ConnectableDirectedAdvertising
In December 2016, the Bluetooth Consortium adopted the new Bluetooth specification 5, and they claim to have further increased the security of the Low Energy protocol. We will see in the coming years how this plays out, particularly with regard to the Internet of Things.