In 2018, nearly 3.7 billion new Bluetooth-enabled devices shipped worldwide to consumers. From phones and speakers to thermostats and fridges, home appliances and personal devices including “wearables” are rapidly becoming more connected by Wi-Fi than ever before, creating what’s called the Internet of Things (IoT). In theory, connecting devices through the IoT allows users to seamlessly automate or control digital tasks, but new research from Boston University suggests that these Bluetooth-enabled devices might be broadcasting your location and habits to third-party observers.

David Starobinski, a BU College of Engineering professor of electrical and computer engineering, and a team of researchers have discovered a vulnerability in several high-profile Bluetooth devices—including the popular workout-tracking Fitbit watch—that could allow third parties to obtain sensitive information from the devices, such as your whereabouts and activities. 

“We were looking into different IoT protocols in general and trying to find privacy issues with those products,” says Johannes Becker, a BU graduate researcher on the team. “Basically everybody is carrying around a Bluetooth device nowadays in some way, shape, or form, and that makes it very relevant.”

Starobinski says that the very same features that allow a device to “authenticate,” or correctly identify, its user—e.g., saved paired device information or a fingerprint passcode—can be co-opted by a third party to track the person instead.

“We were looking at different ways we could try to authenticate people,” says Starobinski. “One of the ideas was that you carry all these devices and they have specific behavior features, [so] maybe we can use them. And it’s interesting because there’s kind of a trade-off. On the one hand, you can authenticate because you have these unique signatures of your devices. But on the other hand, you also have the issue that the same feature can be used by a third party to track you. So, it’s a double-edged sword.”

The researchers say that the information leak stems from the way different Bluetooth devices communicate with one another to establish a connection. 

Before a pair of Bluetooth devices can begin transmitting information, they must first establish which device will play a central role in the connection and which device will play a peripheral role. For example, if you were trying to connect a pair of Bluetooth headphones to your iPhone, the iPhone would play the role of the central device and the headphones would be the peripheral one, says Becker. Once the pair’s hierarchy is established, the central device begins scanning for signals sent by the peripheral device that indicate it’s available for connection. These signals contain a unique address—similar to the IP address of a computer—and a payload containing data about the connection. 

Most devices produce randomized addresses that automatically reconfigure periodically, instead of maintaining one permanent address, in an attempt to improve privacy. It’s designed to throw nefarious observers off the scent of a given device’s location, but Starobinski’s team says that they discovered an oversight in this process that allows a device to be tracked even as its address changes. 

“To an onlooker [the payload data] could just be a number, no big deal,” says Becker. “But we said, ‘Let’s take this random data…and let’s pretend it’s a unique identifier [of the device].’ And then what we found is that this [identifier] doesn’t change in sync with the address.” 

Since the payload information updates at a different rate than the address information, the communication blips between Bluetooth devices paint an identifiable pattern. Having discovered this vulnerability, the researchers decided to test out how well it could be used by a third party to track individual devices. 

They modified an already existing open-source “sniffer” algorithm (aptly named for its ability to sniff out and track Bluetooth connections) and found, luckily for Android users, that those devices don’t have the identifiable communication blip that would make them vulnerable to tracking. In contrast, Windows 10 and iOS may have something to worry about, since many of those devices do have the communication blips that make them trackable. 

They also found that wearables—like a Fitbit—and smart pens do not exhibit any address change or randomization at all, making them extremely susceptible to tracking even without the use of a sniffer algorithm. 

“What surprised me the most was discovering a vulnerability with the Fitbit activity trackers,” says senior David Li (ENG), who contributed to the research. “Restarting the device or draining its battery did not change its access address. This was completely unexpected. If the Fitbit’s access address never changes, then an adversary could potentially track a Fitbit owner.”

While this security hole doesn’t sacrifice personal user data, the researchers say a hacker could take advantage of it and create a network of computers—known as a “botnet”—to track an individual device at larger distances, or combine tracking information with more personal data from Wi-Fi accessible IoT devices to build a more detailed picture of a user. The researchers also emphasize that no invasive hacking was necessary to access this leaking Bluetooth information. Because the address and payload information are transmitted as plain text (i.e., unencrypted), their algorithm could simply listen invisibly to the publicly transmitted information. 

That said, the authors point out that thwarting this particular security gap can be as simple as turning off and back on your device’s Bluetooth connection, at least in the case of Windows 10 and iOS devices. For smart wearables like the Fitbit or accessory devices like smart pens, the researchers say there isn’t much a user can do about the signals they’re broadcasting.

Take this news with a grain of salt, though. The researchers say that they’re not too worried about the security of Bluetooth devices—yet. 

“There are tons of ways to track people, with or without Bluetooth,” says Becker. “It’s always good to be aware of the kind of signals you’re sending out, especially in the age of IoT. I’m much more skeptical toward these devices that don’t give you control [of Bluetooth], such as smartwatches, where you can just assume they’re broadcasting something all the time.

“But no, I haven’t fundamentally changed the way I use devices,” he adds.