back to article Bluetooth privacy is mostly ignored, so you're beaming yourself to the world

The popular Bluetooth Low Energy (BLE) beacon protocol isn't just a privacy risk up close – it can spaff your phone's or wearable's movements and information from a decent distance, and make you trackable. BLE best practice is to provide at last a minimal amount of user ID masking – not too much or iBeacons would be useless to …

  1. Christian Berger

    Why do I increasingly have the feeling...

    ...that consumer products are more and more designed by companies like Perfect Curve:

    https://www.youtube.com/watch?v=1EySLuYWTy0

  2. Anonymous Coward
    Anonymous Coward

    It beggards belief

    that these products that are meant to be "private" in so much as other people shouldn't be allowed to access them without my explicit consent are designed with security as the least common denominator.

    More reasons to carry a personal jammer....

    1. Neil Alexander

      Re: It beggards belief

      Or, you know, just turn Bluetooth off.

      1. I_am_Chris

        Re: It beggards belief

        "Or, you know, just turn Bluetooth off"

        And, pray tell, how one would achieve that on a device with no buttons e.g. a fitbit?

        1. John Robson Silver badge

          Re: It beggards belief

          Wrap it in tinfoil...

        2. dan1980

          Re: It beggards belief

          @I_am_Chris

          Exactly.

          But not only that, some of these devices, like the Nike device and, obviously, the Fit-bits, are designed to work via Bluetooth and, in so doing, get paired with your phone. Thus, using a fitness-tracking bracelet would likely mean that Bluetooth is enabled on both the device itself and your phone.

          And, given that these bracelets are not just for when you are working out, but designed to track your activity and heart rate and even sleep patterns 24-7, it is likely that people using them have Bluetooth enabled on their phones 24-7, wherever they go.

          The 'solution' so often given in response to these stories is 'turn it off' - sometimes accompanied by feigned incredulity that there are people who don't do so and the implication that those who don't are idiots. We had a story recently about stores tracking people via the wireless networking on their phones and several responses gave the supposedly sensible and 'well duh' answer that this is trivial to avoid by simply turning off the wireless on your phone whenever you're not actually using it.

          Frankly, that's just not good enough.

          Yes, turning off things you are not using is a security best-practice but these are consumer electronic devices and, while they contain - or essentially are - computers, to the vast majority of those using them they are no more aware of the this than they are of the computers managing their cars.

          What people want and indeed what they expect is that the devices they purchase are made properly and the designers have done their best to make the device functional and stable and secure. It might seem a completely naive assumption to those of us who work in IT or are otherwise IT-savvy, but it's actually not an unreasonable stance; it's only our through our familiarity with such devices - and with computers in general - that we understand that the reality rather different.

          When it comes down to it, if 'normal' users are naively trusting, then we, as IT-savvy folk, are jaded. We're actually just as much of a problem here because we 'work around' these problems by doing things like disabling Bluetooth and Wi-Fi and location services and only turning them on when necessary, and thus we essentially paper-over the problem.

          Why the hell shouldn't people be able to use the features of the device they purchased without it tracking them unduly or leaking information to all and sundry or being absurdly vulnerable to basic attacks that can be performed by anyone with a modicum of knowledge and with very modest outlay?

          Why should we be forced constantly deactivate and re-activate useful features all the time? Looking at the Wi-Fi issue of a few weeks ago, that might mean disabling wireless when you leave the house, enabling it on the train so you can browse on the free-wireless provided (if you are so lucky), disabling it when you get off, re-enabling it once at work - so you can get your e-mails downloaded via the wireless LAN and thus reduce the data usage on your 3G plan - turn it off again before going to lunch, back on after lunch, back off for the walk to the station, back on for the ride home, off again on the walk home, and on again at home, so you can stream some music to your stereo.

          Similar story with Bluetooth.

          Why should consumers who have paid good money for these devices be expected to turn convenience into inconvenience to work-around poor implementation or bad/unscrupulous practices?

          1. DropBear
            WTF?

            Re: It beggards belief

            "What people want and indeed what they expect is that the devices they purchase are made properly and the designers have done their best to make the device functional and stable and secure."

            I haven't the faintest idea where in the blazes "people" would get the idea ("expect") that anything they purchase is made properly, full stop, let alone secure. Where have all these "people" been living all their adult lives?!? "Want" is a different story, but hey I want a whole lot of stuff too - guess how much of it do I stand any chance whatsoever to get...

            1. dan1980

              Re: It beggards belief

              @DropBear

              First up, I appreciate the fact that you didn't down-vote me simply because you disagreed with me. Not that I care much (else I wouldn't comment on climate change articles) but it is nice to know that we can discuss things with civility.

              To the point, the problem is that people do expect that things are more-or-less okay. At least they do in the absence of specific knowledge in the given field. Even in IT-circles, we have assumed that certain things are well-made. Hell - look at the bugs with SSL. We, in IT, assumed that, as SSL is open and thus able to be independently examined, that people had done so and continued to do so.

              No sooner have we started to get some sleep and . . . Logjam. Not a 'bug' per se but an issue born of sites and companies not using a sufficient level of security. Again, this came as a surprise to most of us. I am sure someone reading this predicted it but most of us were caught out here.

              If we, in IT, are naive enough to simply trust SSL because we assume that someone must have verified everything, then who are we to look down on non-IT folks (i.e.: 'normal' people) for believing that the products they buy are suitably made?

              And, even putting all that aside, consumers should have a right to expect that the products they buy are fit for purpose.

              Just to be clear on that, it is my belief that any device that generates, accesses, stores or transmits personal information should - as a top priority - endeavour to secure that data and prevent unauthorised access to it. If one encounters a device that gathers personal data but does not take appropriate steps to secure it then that device is not fit for purpose, any more than an easily-picked door lock is suitable for purpose.

              1. YetAnotherLocksmith

                Re: It beggards belief

                I'd argue that a cheap lock is actually better than a Bluetooth beacon you can't turn off.

                You can use the lock on a cupboard inside your house to keep family from drinking your vodka. The Bluetooth on the other hand will betray you even from inside your own home.

          2. cbars

            Re: It beggards belief

            I was annoyed by constantly switching on/off my WiFi, I found an app on the Play Store a year or so ago which does it for you (Wi-Fi Matic). It seems to be a good idea: Using the cell towers signal to remember where the user wants WiFi enabled, then when you wander away from that cell tower configuration, it switches it off for you. Of course, the user can override, and manually delete rules too.

            Should be incorporated into a standard of some sort applied to all networking (bluetooth, NFC etc). I've noticed a couple of manufacturers starting to copy this functionality, so I hope the developer is getting some royalties/consultancy fees from them!

            As for WiFi, IANAE but disconnected clients really should stay quiet unless they recognise the broadcast/ID of the network trying to talk to them, or the user wants to add a new network to that list.

  3. AndrueC Silver badge
    Thumb Down

    BLE best practice is to provide at last a minimal amount of user ID masking – not too much or iBeacons would be useless to advertisers

    Perish the thought..

    1. Jonathan Richards 1 Silver badge
      Flame

      >>iBeacons would be useless to advertisers

      > Perish the thought...

      And this is it, isn't it. No longer do designers [1] of consumer electronics design functionality for the use, convenience and life-enhancing purposes of the people who buy them, they design with a view to extracting ongoing revenue streams from those purchasers, mostly by selling their location, movements, information-consuming habits, health data and anything else they can lay their virtual hands on, to advertisers. [2]

      Perish the thought, indeed, that one might build a Bluetooth device properly designed so that it communicates securely with only the paired device it is meant for. Or a browser that reads a web page without blabbing on the reader. Or a watch that sits on one's wrist and just, I don't know, tells the bloody time to the owner of the wrist.

      [1] Well, designers who have a paying job

      [2] Sorry, that sentence was too long. Take a breath.

  4. Alistair
    Holmes

    Bluetooth. Security

    I've had one (1) and ONLY one bluetooth headset that permitted one to alter the default 0000 pin for pairing. And I've killed far more than my fair share of bluetooth headsets. (it required plugging the headset into a pc with usb cable, firing up a small binary - which worked in wine - to modify the security code) - My phone never advertises and I have it set to ask on all connections. My laptop never advertises and asks for a pin for all connections. My gaming rig, I pull the bluetooth when I'm not using it.

    I'm continually stunned at the office, if I do scan to pair with the laptop (my headset or the horrid control panel for our VConference suite) at the number of bluetooth devices I can see that are set without security. At a guess I'd say that 30% of the phones and laptops are blathering their identities to the world.

    What is even more astonishing is the number of these (active bluetooth) phone's owners that have no clue what the thing draped around my neck is - or how it works,

    And I'm in a tech aware office.

    *sigh*

    Somehow this article falls into the category of .....

    1. John Brown (no body) Silver badge
      Facepalm

      Re: Bluetooth. Security

      "And I'm in a tech aware office."

      Same here. We build and sell Servers, PC, SANs and stuff. We even have tech people designing "solutions" and tech support people dealing with customers. And the number of these people who never turn off BT or Wireless or even secure them properly is frightening. I mean, even if just for the common sense reason of maximising battery life let alone the security implications FFS.

      Then again, a number of people in the company seem to be incapable of even addressing emails to the correct list addresses. I really don't give a flying pigs arse about the new menu in the canteen at a different office 100's of miles away. (although flying pigs arse might be an improvement, especially fried and placed in bun!)

      Hey El Reg, we need a flying pig icon!

  5. EngineerAl

    I operate several bluetooth devices used for analysis of motor vehicle travel speeds and distribution. All I get out of the gadget is the MAC address. I can't connect the MAC address to any particular person unless I know the match from some other means. What else are the phones (and the cars' electronics) transmitting?

    BTW the maker of our gadgets allows hashing the MAC addresses before storage so that's what we do.

    1. YetAnotherLocksmith

      Few people realise that there are companies that do this, nor that they are simply tracking the Bluetooth beacons in phones, fitness trackers and even sat navs.

      Works quite well.

      It'll get worse in future, as things like smart locks and other devices demand a fixed MAC or other identifier to allow access! (And of course, that's a bad way to deal with security, and since developers are lazy...)

      IPhones now scramble their wifi identifier iirc, & Bluetooth will be too - at least that's why at least one smart lock removed the "door unlocks as you get near" feature. But who knows?

  6. Kevin McMurtrie Silver badge
    Trollface

    But fun

    Bored in the passenger seat during bad traffic? Set your phone's Bluetooth machine name to something ominous and start firing off pairing requests to anything in range.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022