Norwegian student follows wearers of Bluetooth headsets as they cycle around Oslo • The Register
A Norwegian student who toured Oslo in a stroller found that several popular models of Bluetooth headphones do not implement MAC address randomization, which means they can be used to track their wearers.
Norwegian state broadcaster NRK revealed Bjorn Hegnes’ findings after helping him analyze Bluetooth broadcasts from a dozen different models of audio headphones, contained in 1.7 million Bluetooth messages he intercepted . Hegnes was collecting the data as part of his first year project at Norof University.
The analysis was possible because Bluetooth devices typically broadcast their unique identities by default. However, it appeared that of all the headphones collected by Hegnes, none of them implemented address randomization.
Without this randomization, it was trivial for the devices to be pinged multiple times, revealing the precise location of their carriers as they moved around the city of Oslo.
“The data was collected by Hegnes [while travelling] by bike throughout Oslo with a Bluetooth receiver. The first two trips were to test the device and procedures, and then it embarked on a 12-day, 300-km trip. The antenna picked up Bluetooth messages within a radius of 100 meters, ”NRK reported this week.
Hegnes’ cycling trips uncovered 9,149 unique Bluetooth transmitters, including 129 headsets that were picked up for more than 24 hours.
The randomization of MAC addresses was spurred by revelations leaked by former NSA system administrator Edward Snowden, although opinions vary on its usefulness; the US Naval Academy (perhaps predictably) said in 2017 that it wasn’t really worth it. More recent research has shown that modern devices are good at randomizing addresses.
NRK has prepared maps, available on its website, showing where some device owners have traveled in the Norwegian capital. He also contacted one of the owners of the device, having identified him from his helmet. He told reporter Martin Gundersen: “It’s nasty to know that others you don’t know can track you via Bluetooth. It never crossed my mind.”
Jake Moore, security specialist at Slovak infosec company ESET, said The register the implications of Hegnes’ findings were worrying for those concerned about their privacy.
“With the rise of smart devices over the past decade,” said Moore, “it is extremely concerning that this has not been taken into account when privacy is currently taking a powerful turn. The post-Snowden era. makes these results even more disturbing. “
In 2014, the Internet Engineering Taskforce (IETF) promised to strengthen its protocols to prevent trivially easy snooping of the type discovered by NSA whistleblower Snowden. The following year, the randomization of MAC addresses emerged as one of the concrete gains of this effort.
Moore of ESET continued, “Many people will undoubtedly continue to use headphones and other technologies that barely fit, except those with minimal additions, which means people still might. run risks for years. Few companies offer security updates to IoT devices, and even fewer fixes for those devices, even if they are available. “
Application security expert Sean Wright told us:
“The risks of that are clear. Bluetooth headsets follow us everywhere – on our commutes, in the gym or in the office, on our way to meet friends – so the idea that someone might use them to track your. position is grim to say the least What if an abusive partner or stalker uses this discovery to their advantage to silently follow their victim? Let’s not even talk about the potential danger this could pose to children and teens.
“The key question I ask myself is whether the information extracted from these devices is collected centrally. If so, the risk to the general public is significant because it will be much easier for malicious people to Get in Touch Vendors need to start randomizing device addresses to protect the privacy of their users, otherwise I have no doubt we’ll see this sort of thing exploited in the future, ”he said.
As the UK government (closely followed by the EU) continues with plans to impose better security standards in IoT and consumer devices, this push has focused on interactive devices with passwords. default administrator.
A set of headphones or bluetooth earbuds isn’t what comes to mind when you think of an IoT device – but it can apparently still pose a privacy risk. ®