At the 19th Privacy Enhancement Technology Symposium in Stockholm, Sweden, Boston University researchers announced a new vulnerability in the Bluetooth Low Energy (BLE) communication protocol. This could cause a large number of devices to leak user identity information. Apple and Microsoft systems are not safe but Android is.
Specifically, this vulnerability exists in the identification extraction of the Bluetooth low energy protocol. Most Bluetooth devices generate a random MAC address when paired and automatically reconfigure periodically. However, with a specific algorithm, the Bluetooth connection can still be recognized even if the Bluetooth MAC address changes.
The study shows that Windows 10, iOS, macOS and even Apple Watch, Fitbit and other devices have this vulnerability. They will periodically send advertising events containing custom data structures for interaction with other devices and platforms. According to the researchers, Android devices are safe. This is because Google’s system doesn’t send messages and exposes itself, but scans nearby broadcasts.
The researchers believe that by 2022, the number of Bluetooth devices will increase from 4.2 billion to 5.2 billion. Thus, security issues will become increasingly severe. It is therefore important to establish anti-tracking methods on unencrypted communication channels. As of now, there is no official statement from Apple regarding this research. The company will have to verify the authenticity of the vulnerability and then take relevant actions.