Visible to the public Even Black Cats Cannot Stay Hidden in the Dark: Full-band De-anonymization of Bluetooth Classic Devices

TitleEven Black Cats Cannot Stay Hidden in the Dark: Full-band De-anonymization of Bluetooth Classic Devices
Publication TypeConference Paper
Year of Publication2020
AuthorsCominelli, M., Gringoli, F., Patras, P., Lind, M., Noubir, G.
Conference Name2020 IEEE Symposium on Security and Privacy (SP)
Date PublishedMay 2020
ISBN Number978-1-7281-3497-0
Keywordsaddress randomization, apparently benign information, audio streaming, audio streaming voice calling, automobiles, black cats, BLE, Bluetooth, Bluetooth Classic devices, bluetooth low energy, bluetooth security, BT addresses, BT spectrum analysis, car stereo systems, Clocks, composability, computer network security, data privacy, de-anonymization technique, facto connectivity technology, frame encoding, frequency 79.0 MHz, Full-band De-anonymization, high data rates, Human Behavior, identified privacy attack, laptops, Lower Address Part, master device, personal area networks, piconet master, privacy, privacy attacks, privacy guarantees, pubcrawl, resilience, Resiliency, software radio, Software-defined Radio based sniffer, Synchronization, telecommunication traffic, tethering, tracking attacks, Upper Address Part, Wireless communication, wireless headsets, Wireless sensor networks

Bluetooth Classic (BT) remains the de facto connectivity technology in car stereo systems, wireless headsets, laptops, and a plethora of wearables, especially for applications that require high data rates, such as audio streaming, voice calling, tethering, etc. Unlike in Bluetooth Low Energy (BLE), where address randomization is a feature available to manufactures, BT addresses are not randomized because they are largely believed to be immune to tracking attacks. We analyze the design of BT and devise a robust de-anonymization technique that hinges on the apparently benign information leaking from frame encoding, to infer a piconet's clock, hopping sequence, and ultimately the Upper Address Part (UAP) of the master device's physical address, which are never exchanged in clear. Used together with the Lower Address Part (LAP), which is present in all frames transmitted, this enables tracking of the piconet master, thereby debunking the privacy guarantees of BT. We validate this attack by developing the first Software-defined Radio (SDR) based sniffer that allows full BT spectrum analysis (79 MHz) and implements the proposed de-anonymization technique. We study the feasibility of privacy attacks with multiple testbeds, considering different numbers of devices, traffic regimes, and communication ranges. We demonstrate that it is possible to track BT devices up to 85 meters from the sniffer, and achieve more than 80% device identification accuracy within less than 1 second of sniffing and 100% detection within less than 4 seconds. Lastly, we study the identified privacy attack in the wild, capturing BT traffic at a road junction over 5 days, demonstrating that our system can re-identify hundreds of users and infer their commuting patterns.

Citation Keycominelli_even_2020