Incompatible with traditional Bluetooth, BLE was developed by the Bluetooth Special Interest Group (SIG) as a personal wireless technology that is rapidly finding its way into personal devices.
These include mobile phones, Apple’s iBeacons and a growing number of wearable devices that monitor activity, fitness and heartbeats that typically use BLE to communicate with mobile apps.
The researchers have developed an app of their own that demonstrates how easy it is to capture, monitor and record BLE signals.
Publication of the Context findings comes just a week after China banned its armed forces from wearing internet-connected wearable tech.
The Chinese military’s official newspaper said any wearable technology that can process and transmit data could be used to track military personnel or to reveal military secrets, according to a BBC report.
“Many people wearing fitness devices don’t realise they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” Context senior researcher Scott Lester told the security firm’s Oasis symposium in London.
“Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device that belongs to a celebrity, politician or senior business executive within 100 metres in the open air.
“This information could be used for social engineering as part of a planned cyber attack or for physical crime by knowing people's movements,” he said.
BLE was released in 2010 for a range of new applications that rely on constantly transmitting signals without draining the battery.
Lester said that like other network protocols it relies on identifying devices by their media access control (MAC) addresses, but while most BLE devices have a random MAC address, Context researchers found that in most cases the MAC address does not change.
“My own fitness tracker has had the same MAC address since we started the investigation, even though it’s completely run out of battery once,” he said.
Read more about the internet of things
- As the number of IoT devices in the enterprise grows, so do the potential risks
- It is possible to mitigate the privacy and security risks of the IoT without losing its benefits
- Research firm Gartner claims managing identities and access is critical to the success of the IoT
- As the IoT becomes more achievable, businesses need to prepare for the avalanche of data that is to come
Sometimes the transmitted packets also contain the device name, said Lester, such as the "Garmin Vivosmart #12345678", or even give the name of the user, such as "Scott’s Watch".
BLE is also increasingly used in mobile phones and is supported by iOS 5 and later, Windows Phone 8.1, Windows 8, Android 4.3 and later, as well as the BlackBerry 10.
The Bluetooth SIG has predicted that by 2018, more than 90% of Bluetooth-enabled smartphones are expected to support BLE, while the number of Bluetooth-enabled cars is expected to top 50 million.
Lester said iBeacons, which also transmit BLE packets to identify a location, are already used in Apple Stores to tailor notifications to visiting customers, while British Airways and Virgin use iBeacons with their boarding pass apps to welcome passengers walking into the lounge with the Wi-Fi password.
House of Fraser is also trialling iBeacons on mannequins to allow customers to look at the clothes and their prices on their phones.
The current model for iBeacons is that they should not be invasive, which means an iBeacon-aware app needs to be running to detect and respond to a beacon.
“However, it doesn’t take much imagination to think of a phone manufacturer providing handsets with an iBeacon application already installed, so your phone alerts you with sales notifications when you walk past certain shops,” said Lester.
The current version 4.2 of the Bluetooth Core Specification makes it possible for BLE to implement public key encryption and keep packet sizes down, while also supporting different authentication schemes.
“Many BLE devices simply can’t support authentication and many of the products we have looked at don’t implement encryption, as this would significantly reduce battery life and increase the complexity of the application,” said Lester.
He said it is clear that BLE is a powerful technology, which is increasingly being put to a wide range of uses.
“While the ability to detect and track devices may not present a serious risk in itself, it certainly has the potential to compromise privacy and could be part of a wider social engineering threat. It is also yet another demonstration of the lack of thought that goes into security when companies are in a rush to get new technology products to market,” said Lester.
BLE part of IoT growth
Devices using BLE could be considered as a subset of devices that are contributing to the rapid growth of the internet of things (IoT).
In May 2015, researchers warned that there are key areas where the industry supporting IoT devices and services needs to provide better security.
According to Beecham Research, the key areas where external or internal attacks may originate and need to be addressed by the fast-growing IoT industry are shown on its IoT security threat map.
“The only reason we have not seen serious IoT breaches already is because the IoT has not yet been deployed in large-scale consumer or enterprise applications that make them attractive to attackers,” said Beecham Research technology director Jon Howes.
“Traditional machine-to-machine applications are typically very focused, using specific edge devices, a single network and custom platform, making it relatively easy for security professionals to secure to the acceptable level.”
However, Howes said IoT cuts across different sectors and embraces multiple devices and networks – from satellite to cellular – along with a growing number of IoT platforms and big data systems, which presents threats on many different levels and fronts.
Without concerted action now, Howes believes the proliferation of different devices, networks, platforms and applications to support the IoT multiplies the vulnerabilities and greatly increases the potential for malicious attacks.