Protecting Bluetooth Low Energy from Address Tracking When Using Whitelisting
T2021-110
The Need
Bluetooth Low Energy (BLE) is ubiquitous today due to its extremely low energy consumption and relatively long communication range. However, devices that communicate over Bluetooth are subject to address tracking attacks, in which a nearby attacker passively sniffs Bluetooth addresses and associates them with particular users.
To defend against tracking attacks and protect users' privacy, the Bluetooth SIG provides two countermeasures: (i) address randomization, and (ii) whitelisting. The Bluetooth Specification recommends adopting the two features together to achieve strong privacy. However, it was discovered that the combination surprisingly makes Bluetooth privacy weaker: a vulnerability in the current design allows an attacker to reuse a previously generated random address against the whitelist, because a whitelisting device still accepts such an address. A nearby attacker can therefore track a whitelisting device by actively probing it with previously used random addresses.
The Technology
Dr. Zhiqiang Lin has developed a new protocol that secures whitelisting. A sequence number is added to the random address generation and resolution process, so that a previously used random address can no longer be accepted; this effectively remedies the vulnerability.
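As an added illustration (not code from this page, from Dr. Lin, or from the patented protocol), the following Python models the standard resolvable private address layout (a 24-bit prand whose top two bits are 01, followed by a 24-bit hash of the prand under the peer's Identity Resolving Key), a legacy allowlist that accepts any address resolving under a stored IRK and therefore answers a replayed old address, and a sequence-numbered variant that refuses any address whose sequence number does not exceed the last one it accepted. Assumptions of this example: HMAC-SHA256 stands in for the specification's AES-128-based ah() so the code runs with the standard library only; encoding the sequence number in the prand field, the class and function names, and the sample IRK are this example's own choices rather than the patented construction; byte order is simplified.

```python
"""Illustrative model of BLE resolvable private addresses (RPAs), allowlist
resolution, and a sequence-numbered variant that rejects replayed addresses.
Added example; the construction is an assumption, not the patented protocol."""
import hashlib
import hmac
import os


def ah(irk: bytes, prand: bytes) -> bytes:
    # The Core Spec defines ah(k, r) over AES-128; HMAC-SHA256 is a stand-in
    # (assumption) so the example needs no third-party crypto library.
    return hmac.new(irk, prand, hashlib.sha256).digest()[:3]


def random_prand() -> bytes:
    # 24-bit prand whose top two bits are 01, marking a resolvable private address.
    p = bytearray(os.urandom(3))
    p[0] = (p[0] & 0x3F) | 0x40
    return bytes(p)


def make_rpa(irk: bytes, prand: bytes) -> bytes:
    # RPA layout modelled as prand (3 bytes) || hash (3 bytes).
    return prand + ah(irk, prand)


def resolve(irk: bytes, addr: bytes) -> bool:
    # Standard resolution: recompute the hash from prand and compare.
    prand, h = addr[:3], addr[3:]
    return (prand[0] & 0xC0) == 0x40 and hmac.compare_digest(ah(irk, prand), h)


class LegacyAllowlist:
    """Answers any address that resolves under one of the stored peer IRKs."""

    def __init__(self, irks):
        self.irks = list(irks)

    def accepts(self, addr: bytes) -> bool:
        return any(resolve(k, addr) for k in self.irks)


class SeqAllowlist:
    """Same address format, but prand carries a 22-bit sequence number and the
    resolver refuses any address whose sequence number does not exceed the last
    one accepted for that IRK (assumed construction, not the patented one)."""

    def __init__(self, irks):
        self.last_seq = {k: -1 for k in irks}

    def accepts(self, addr: bytes) -> bool:
        for k, last in self.last_seq.items():
            if resolve(k, addr):
                seq = int.from_bytes(addr[:3], "big") & 0x3FFFFF
                if seq > last:
                    self.last_seq[k] = seq
                    return True
                return False  # replayed or stale address: refuse it
        return False


def seq_prand(seq: int) -> bytes:
    # Encode the sequence number in the 22 bits below the 01 RPA marker.
    assert 0 <= seq < (1 << 22)
    return ((0x40 << 16) | seq).to_bytes(3, "big")


def demo():
    irk = bytes.fromhex("ec0234a357c8ad05341010a60a397d9b")  # constructed sample IRK
    # Legacy: the peer rotates its address, but an old one still resolves, so an
    # attacker who sniffed it can replay it and the target still accepts it.
    legacy = LegacyAllowlist([irk])
    old_addr = make_rpa(irk, random_prand())
    new_addr = make_rpa(irk, random_prand())
    legacy_replay_accepted = (legacy.accepts(old_addr) and legacy.accepts(new_addr)
                              and legacy.accepts(old_addr))
    # Sequence-numbered: same format, but the replayed older address is rejected.
    seq_list = SeqAllowlist([irk])
    a1 = make_rpa(irk, seq_prand(1))
    a2 = make_rpa(irk, seq_prand(2))
    first = seq_list.accepts(a1)
    second = seq_list.accepts(a2)
    replay = seq_list.accepts(a1)
    # A legacy resolver still resolves the sequence-numbered address unchanged.
    legacy_compat = resolve(irk, a2)
    return legacy_replay_accepted, first, second, replay, legacy_compat


if __name__ == "__main__":
    print(demo())
```

Because the sequence-numbered address keeps the prand||hash layout and the same hash function, a resolver that knows nothing about sequence numbers still resolves it, which is the compatibility property the page lists; only the upgraded resolver gains replay rejection.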
Commercial Applications
- All BLE Industries
- Contact tracing
- Data privacy/security (Apple/Google have proposed solutions based on BLE)
Benefits/Advantages
- Highly Effective
- Small footprint
- Compatible with legacy key resolution and generation algorithm
- No additional hardware or computing power needed
Research Interests
Dr. Lin is an Associate Professor of Computer Science and Engineering at The Ohio State University. He is also a faculty member of the Translational Data Analytics Institute, the Center for Automotive Research, and the recently launched Institute for Cybersecurity and Digital Trust. His primary research interests are program analysis (of binary code, byte code, or source code; of firmware, hypervisors, kernels, or applications) and trusted computing (e.g., trusted execution environments such as SGX/SEV), and their applications to vulnerability discovery, malware analysis, and code/execution hardening.