A Bluetooth security vulnerability may allow hackers to track and identify device owners. The vulnerability exploits the way Bluetooth devices broadcasts itself to other devices, and affects Windows 10, iOS and macOS devices. Oddly enough, Android devices do not use the same broadcast method, and is thus immune to this exploit.
Researchers from Boston University discovered the vulnerability. They described the Bluetooth broadcasts as using a periodically changing, randomised address to prevent tracking. They’ve also developed an address-carryover algorithm that extracts identifying tokens despite the randomisation. This then allows the targeted Bluetooth device to be tracked continuously.
The algorithm also does not require breaking Bluetooth security either. Because of this, any attack using this method would be undetectable. Beyond just tracking, this exploit can also be used to gain insight into user activity.
In a statement to ZDNet, Microsoft said that this vulnerability has been patched in the Windows 10 May Update (1903). As for Apple, it’s likely that the company will be issuing a fix, if it hasn’t already. It’s also an uncommon occurrence that Android is immune to an exploit affecting other platforms.
(Source: Privacy Enhancing Technologies Symposium [PDF], via ZDNet, MacRumors)
