Why it matters: Bluetooth is the invisible glue that binds billions of mobile devices together, so any vulnerability or bug will affect a large number of consumers who are seemingly unaware that they are sitting ducks for hackers looking to track them or potentially steal their data. Today's news is an important reminder about the risks we take when we're using Bluetooth devices, by leaving what essentially are open doors into our digital lives.
Boston University engineers have just come out with an extensive analysis on how the Bluetooth implementation on a number of popular modern devices could allow anyone to identify and track you. Everything from Apple and Microsoft seems to be affected, as well as wearables from companies like Fitbit that appear to be the easiest to exploit.
The vulnerability was discovered by David Starobinski's research team, who had been looking at different IoT protocols to assess if they presented any privacy risks. The one they found is related to the way Bluetooth devices pair with one another. To do that, they have to establish a hierarchy in which one plays the central role and the other is the peripheral, so that they can begin exchanging information.
The peripheral -- say, a pair of headphones -- has to broadcast its identity (a unique address) so that the central device -- your phone -- can know about its presence and its availability for a connection, which is stored along with some other information in something called a payload.
Most Bluetooth low-energy devices are configured to send randomized addresses that change periodically as an attempt to improve privacy, but BU researchers found that the payload remained the same, meaning a simple "sniffer" algorithm could treat that information as a unique identifier instead.
Interestingly enough, Android devices aren't affected by the exploit, because they don't broadcast any identifying tokens, instead relying on peripheral devices to advertise themselves. In any case, the researchers notified Microsoft and Apple about their findings in November last year, and while we don't know if they've patched the problem yet, a simple way to deal with this is as simple as turning Bluetooth off and back on your device.
There is no reason to be worried for now, even as Bluetooth adoption is "projected to grow from 4.2 to 5.2 billion devices between 2019 and 2022". The researchers noted that while manufacturers would do well to take privacy more seriously, there are many other ways to track people even without Bluetooth. That is, you can keep using your smartwatches and other wearables, but it's good to be aware about the fact that they may as well be "broadcasting something all the time."
