Tracking People by their MAC Addresses

Yet another article on the privacy risks of static MAC addresses and always-on Bluetooth connections. This one is about wireless headphones.

The good news is that product vendors are fixing this:

Several of the headphones which could be tracked over time are for sale in electronics stores, but according to two of the manufacturers NRK have spoken to, these models are being phased out.

“The products in your line-up, Elite Active 65t, Elite 65e and Evolve 75e, will be going out of production before long and newer versions have already been launched with randomized MAC addresses. We have a lot of focus on privacy by design and we continuously work with the available security measures on the market,” head of PR at Jabra, Claus Fonnesbech says.

“To run Bluetooth Classic we, and all other vendors, are required to have static addresses and you will find that in older products,” Fonnesbech says.

Jens Bjørnkjær Gamborg, head of communications at Bang & Olufsen, says that “this is products that were launched several years ago.”

“All products launched after 2019 randomize their MAC-addresses on a frequent basis as it has become the market standard to do so,” Gamborg says.

EDITED TO ADD (9/13): It’s not enough to randomly change MAC addresses. Any other plaintext identifiers need to be changed at the same time.
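A lab check for the point in the 9/13 edit, as an added example that is not part of the original post. It assumes a capture taken from a single device under test; the addresses, values and the field names `token` and `service_data` are constructed stand-ins for whatever the device sends in the clear.

```python
# Audit one device's advertisements: every plaintext field must change
# at the same moment the advertised address changes.

# Constructed captures: (time_s, advertised_address, plaintext_fields).
LEAKY = [
    (0,    "4e:00:00:00:00:01", {"token": "9f3c", "service_data": "a1"}),
    (600,  "4e:00:00:00:00:01", {"token": "41b7", "service_data": "a1"}),  # token rotated early
    (900,  "6b:00:00:00:00:02", {"token": "41b7", "service_data": "b2"}),  # address rotated later
    (1800, "53:00:00:00:00:03", {"token": "c0de", "service_data": "c3"}),
]
SYNCED = [
    (0,    "4e:00:00:00:00:01", {"token": "9f3c", "service_data": "a1"}),
    (900,  "6b:00:00:00:00:02", {"token": "41b7", "service_data": "b2"}),
    (1800, "53:00:00:00:00:03", {"token": "c0de", "service_data": "c3"}),
]


def carried_over(capture):
    """Return (old_addr, new_addr, field, value) for each plaintext field
    whose value is identical on both sides of an address change."""
    findings = []
    ordered = sorted(capture, key=lambda rec: rec[0])
    for (_, old_addr, old_fields), (_, new_addr, new_fields) in zip(ordered, ordered[1:]):
        if old_addr == new_addr:
            continue  # no rotation between these two records
        for field, value in old_fields.items():
            if new_fields.get(field) == value:
                findings.append((old_addr, new_addr, field, value))
    return findings


def rotation_is_synchronised(capture):
    """True only if no plaintext field survives any address change."""
    return not carried_over(capture)


if __name__ == "__main__":
    for label, capture in (("LEAKY", LEAKY), ("SYNCED", SYNCED)):
        print(label, "synchronised:", rotation_is_synchronised(capture))
        for old, new, field, value in carried_over(capture):
            print(f"  {field}={value} links {old} -> {new}")
```

A field that rotates on its own schedule is flagged just like one that never rotates, because it still holds the same value across the address change.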

Posted on September 6, 2021 at 6:11 AM • 16 Comments

Comments

Carter Cheng September 6, 2021 7:04 AM

Thank you that is informative, but not surprising to me at all. RF poses huge and difficult problems.

BT September 6, 2021 7:37 AM

It is insufficient to just randomly change MAC addresses. It is also necessary to change any other plaintext identifiers at the same time:
https://www.sciendo.com/article/10.2478/popets-2019-0036

Even if the update of all identifiers is properly synchronised it would still be relatively straightforward to track a continuing connection by its traffic pattern (especially for something as consistent as audio streaming).

Clive Robinson September 6, 2021 8:07 AM

@ ALL,

Hopefully most people who come here realise that “Any Static Data” is an “Identifier”[1] so the root of many issues that keep not just ICTsec practitioners but researchers and hopefully product designers working at eliminating it where they can.

However there is usually a problem in that most “roots of trust” are when you dig down based on “static data”.

It is a problem that can to a certain extent be solved with changing pieces of data.

As a simple example of a basic but insecure primitive consider two pieces of data that although they constantly change maintain a relationship with respect to each other. The relationship is a “data shadow” that does not exist as data only as meta-data of the relationship.

We can build out from this idea to provide more secure solutions, but the research in this area is not what it could be unfortunately so ICTsec suffers from issues of “static data”.

[1] Whilst static data is an identifier, that alone is not sufficient for another party to use it. To be able to do that they have to gain access to it. In the past the use of Hardware Security Modules (HSMs) and One Way Functions (OWFs) have been tried. Unfortunately these have been insufficient to protect static data used for authentication (authN), authorization (authZ) and many other privacy, security, and secrecy functions.

lurker September 6, 2021 1:38 PM

This looks to my simple mind like laziness in writing the protocol. Why should a device like headphones need to continually broadcast its name and address? after it is connected and is receiving an ongoing audio stream? Wouldn’t it be sufficient to establish a session token during connection? which is destroyed when the connection is broken, and a new token is established every n minutes for continuous connections.

Which displays that I again am not the target demographic. I never have Bluetooth always on, with devices that were previously paired this is not a problem, except for certain paranoid Linux systems.

BT bathroom scales? Is there no end to human laziness…

SpaceLifeForm September 6, 2021 4:49 PM

Probably more than you want to learn

Even though the bugs will allegedly be fixed by Halloween, you know the existing BT devices will not be patched.

hxtps://asset-group.github.io/disclosures/braktooth/

lurker September 6, 2021 6:35 PM

@SLF
Manual restart to restore service is “normal” behaviour for some BT devices, ie. a feature, not a bug. It’s a small comfort that the vulns listed cause “only” crashes, DoS, or arbitrary execution of code that already exists in the device firmware. Did I miss any injection of remote code?

Theo was right all along…

echo September 7, 2021 6:55 PM

@lurker

> BT bathroom scales? Is there no end to human laziness…

For some reason I never had a set of bathroom scales until recently. While shopping for something else I spotted a decent mechanical bathroom scale on sale to get rid of stock, I presume. The electronic ones looked nicer and were smaller but you’re reliant on yet another battery and if something goes wrong it goes wrong and is not repairable. Customer feedback online is they are not wholly accurate and the retailer’s official response is to take an average but they are close enough for me. Even if you had super duper accurate scales you’d still need to work to an average and trend as that’s how the body works anyway. Not only that but I can use the scales to weigh a suitcase or “bucket of stuff” by weight whereas the electronic scales looked a bit iffy. Why I would want Bluetooth in scales I have no idea plus my mechanical scales will probably outlast me.

I do have electronic scales and electronic jeweller’s scales for the kitchen simply to save space. If I was doing anything serious mechanical scales would be better and they may make a nice backup. I’m waiting on fitting some 100KG expanding bolts on the iron kitchen racks before getting anything in like this though.

I like bling as much as anyone else but once you’ve lived through a dozen changes you get fed up with it. Much like clothing it’s best to go for style than fashion.

Me September 9, 2021 10:37 AM

@Lurker

I think it isn’t so much about laziness, as that some people just can’t see the scale when they are standing on it.

It is a whole other issue with Americans rather than laziness.

EvilKiru September 10, 2021 4:14 PM

@Me: I’ve seen mechanical bathroom scales with a solution to that problem for up to 4 people. Individual movable pointers that stop at the highest weight reading for that pointer and only for that pointer.

WhiskersInMenlo September 15, 2021 11:01 AM

It is equally as important to address the multitude of inventory RfID tags in anything over $20. Most shoes, belts, handbags, hats, jackets have inventory tags built in. Those near devices can be associated with all the other devices. As a set they are you and a partial set is sufficient given the number of them. The RfID tag in a pet dog is normally read at inches but could be read at interesting distances.

Bluetooth and WiFi do have range, Cell phones have greater range, collectively they could be woven into a net.

JonKnowsNothing September 15, 2021 9:46 PM

@WhiskersInMenlo

re: multitude of inventory RfID tags … Those near devices can be associated with all the other devices.

What started with an idea of Track and Tracing Inventory for managing order and finding misplaced items has morphed into a method of tracking just about anything that can be tracked.

pre-COVID: Some RFID tags could be disabled on checkout when the item was placed on a special mat, like at a bookstore.

iirc(badly) Leaving all the RFID tags active, plus some improved tracking software is one of the “features of I(DI)OT everywhere in the home” including the fridge. The use-case was the refrigerator will scan the contents of the freezer and fridge and determine the sell-by/use-by/best-used dates and if you have auto-order with a local market, the fridge will place a re-order for milk, eggs, cheese, steaks etc. Extensions are expected for dry goods and canned goods.

There are a few wrinkles:

  1. You have to be home to get the delivery or your frozen foods will melt, unless you enable the “Amz OK to enter” type program where the delivery person will open your RiggedRingDoor using a pass code and put your groceries away for you.
  2. You have to have funding in the bank to pay for it. Buying a special expensive celebration dinner doesn’t mean you want foie gras every night with high end steaks and bottles of booze, wine and sparklings. OTOH maybe you do…

iirc(badly) there was a pilot program (G?) where they were war-driving down residential streets, picking up wifi, and other broadcast signals that were amped through open channels. Some refrigerators were nearly empty.

Andrew Bunch September 16, 2021 7:57 PM

I thought this was very interesting and it shows the continued need for increased security measures in all kinds of technology even Bluetooth headphones.

Alex October 4, 2021 9:16 PM

Actually… I already (ab)use this in my office. Completely dysfunctional office. To keep track of who is actually at the office and who isn’t, I have a pair of RaspPis sniffing Bluetooth connections and lets the receptionist know who is in / out based on their mobile phone’s Bluetooth being seen.

The second RaspPi is located above the ceiling in the bathroom and lets the secretary know when people are here, but in the bathroom since certain employees can spend inordinate amounts of time in there and not to transfer phone calls to them.
