Norwegian student tracks Bluetooth headset wearers by wardriving around Oslo on a bicycle

A Norwegian student who went wardriving around Oslo on a pushbike has discovered that several popular models of Bluetooth headphones don't implement MAC address randomisation – meaning they can be used to track their wearers. Norwegian state broadcaster NRK revealed Bjorn Hegnes' findings after helping him analyse Bluetooth …

  1. Anonymous Coward

    ...But There's Even More To Worry About.............

    Link: https://www.apple.com/uk/icloud/find-my/

    Quote: "You can even find devices that are offline"

    Yup.........Apple devices can be found (via OTHER PEOPLE'S Apple devices), even when YOUR DEVICE is off line.

    So........you might like to consider two actions:

    1. Abandon Apple devices and accounts

    2. Always switch Bluetooth off

    Pity that item #2 means going back to wired headphones....but then......

    1. Snake Silver badge

      Re: ...But There's Even More To Worry About.............

      The Apple sheeple users seem to be the most frequent abusers of leaving their Bluetooth on even when they are not actively using the technology. Heaven forbid they are incisive inconvenienced to have to go into a Settings function on their Jesus mobes to make a change.

      I use Android, of course. Therefore my Bluetooth is OFF unless and until I need it.

      1. heyrick Silver badge

        Re: ...But There's Even More To Worry About.............

        "inconvenienced to have to go into a Settings function"

        Huh?

        Admittedly my original iPad Mini is old and never got updated beyond iOS7, but I'm pretty sure that turning Bluetooth on and off was a simple swipe up to get to various controls like turning Bluetooth on and off. Just as easy as Android, only swiping from the other end.

        "Therefore my Bluetooth is OFF unless and until I need it."

        Ditto for the iPad, because it doesn't (didn't?) support transferring files and such with non Apple devices, so it was only useful for keyboards and headphones. As such, it was kept off unless required.

        1. Trigonoceps occipitalis

          Re: ...But There's Even More To Worry About.............

          "Therefore my Bluetooth is NOT OFF unless I remove the battery."

          FTFY

        2. Anonymous Coward

          Re: ...But There's Even More To Worry About.............

          You might want to check the logs of your iThings using libmobiledevice...

          You might be surprised to find that bluetooth is still running in the background.

          Especially after every Android and iThing received the update for COVID track and trace.

          Some of the bluetooth logs I've seen on an iPhone even with the bluetooth slider turned off had very interesting names such as: "spy scan client"

      2. Anonymous Coward

        Re: ...But There's Even More To Worry About.............

        If only there was a way of listening to music on headphones that didn't require a bluetooth connection

      3. Anonymous Coward

        Re: ...But There's Even More To Worry About.............

        "I use Android, of course. Therefore my Bluetooth is OFF unless and until I need it."

        That's all fine and good but that "Pretty Pony Emoji Keyboard" app that you installed from the Play Store has enabled bluetooth in the background without your knowledge by using the BLUETOOTH_ADMIN permission.

    2. Robert Carnegie Silver badge

      Re: ...But There's Even More To Worry About.............

      We're all also using Bluetooth to detect coronavirus (sort of) so...

  2. AndrewB57

    ...and in other news

    I can see the headline now:

    Location of mobile phones tracked

    In other news our intrepid investigation team reveal the habits of bears in the woods - more at 10

    1. Pascal Monett Silver badge

      Re: ...and in other news

      Sorry, but a mobile phone is not at all a pair of earbuds.

      To be able to make or receive a call, your location must be known at the very least by the nearest mast. That is part of the bleeding obvious in life.

      To learn that you can be tracked by earbuds is something else entirely. Unexpected, and unwelcome.

      Unfortunately, it is not entirely surprising.

      1. NIck Hunn

        Re: ...and in other news

        Unfortunate and not surprising, but also not necessary. Bluetooth supports address randomisation, and as far as I know, every Bluetooth chip supports it. Unfortunately, a lot of developers still seem to think that security makes development and debugging harder, so they turn it off during development, then forget to turn it back on before a device goes into production.

        That's what the UK proposals are trying to do - make sure that manufacturers at least do the basics.
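
An added example, not part of the thread or any poster's code: a pre-production check of the kind the comment above implies, run over Bluetooth LE advertisements captured from a device under test to see whether its address actually rotates. The sample capture is constructed, the function names are hypothetical, and the 15-minute lifetime threshold is an assumption of this example to be tuned to the product's own rotation timer.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# For a BLE *random* address (TxAdd bit set in the advertising PDU header),
# the two most significant bits of the 48-bit address give its sub-type.
RANDOM_SUBTYPES = {
    0b11: "random-static",           # fixed until power cycle (or forever)
    0b01: "resolvable-private",      # meant to rotate; bonded peers can resolve it
    0b00: "non-resolvable-private",  # meant to rotate; nobody can resolve it
    0b10: "reserved",
}

def classify_address(addr, tx_add_random):
    """Return the address type for 'AA:BB:CC:DD:EE:FF' plus the TxAdd flag."""
    octets = addr.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit address: {addr!r}")
    if not tx_add_random:
        return "public"  # IEEE-assigned, never changes
    return RANDOM_SUBTYPES[int(octets[0], 16) >> 6]

def audit(sightings, max_lifetime=timedelta(minutes=15)):
    """Map each address to (type, observed lifetime, verdict).

    sightings: iterable of (ISO timestamp, address, tx_add_random).
    max_lifetime is this example's assumed upper bound for one private address.
    """
    seen, kinds = defaultdict(list), {}
    for ts, addr, tx_add_random in sightings:
        addr = addr.upper()
        seen[addr].append(datetime.fromisoformat(ts))
        kinds[addr] = classify_address(addr, tx_add_random)
    report = {}
    for addr, times in seen.items():
        span = max(times) - min(times)
        if kinds[addr] in ("public", "random-static"):
            verdict = "stable-identifier"   # trackable by design
        elif span > max_lifetime:
            verdict = "rotation-stalled"    # private type, but not rotating
        else:
            verdict = "rotating"
        report[addr] = (kinds[addr], span, verdict)
    return report

def failing(report):
    """Addresses that would let an observer re-identify the device."""
    return sorted(a for a, (_, _, v) in report.items() if v != "rotating")

# Constructed capture from a hypothetical test bench (not real devices).
SAMPLE = [
    ("2021-09-01T09:00:00", "00:11:22:33:44:55", False),  # public address
    ("2021-09-02T17:30:00", "00:11:22:33:44:55", False),
    ("2021-09-01T09:00:00", "5A:10:00:00:00:01", True),   # private, rotates
    ("2021-09-01T09:10:00", "5A:10:00:00:00:01", True),
    ("2021-09-01T09:20:00", "7E:20:00:00:00:02", True),
    ("2021-09-01T09:00:00", "4B:30:00:00:00:03", True),   # private, stuck for 3 h
    ("2021-09-01T12:00:00", "4B:30:00:00:00:03", True),
    ("2021-09-01T09:00:00", "C4:40:00:00:00:04", True),   # random static
]

if __name__ == "__main__":
    for addr, (kind, span, verdict) in sorted(audit(SAMPLE).items()):
        print(f"{addr}  {kind:<24} {str(span):<16} {verdict}")
```

A private address type in the top bits only says what the address claims to be; the "rotation-stalled" case is the one where firmware advertises a private address but never changes it.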

  3. xyz123 Silver badge

    US Naval Division: Mac address randomization isn't worth doing. Yes we're talking to you, the woman on the bike with the red helmet that just ordered a large mocha from starbucks!

    1. Falmari Silver badge

      @xyz123 which NCIS episode was that? :)

  4. Mike 137 Silver badge

    Dunning and Kruger rule the world (or at least most governments)

    "While the British government (closely followed by the EU) is pushing ahead with plans to force better security standards into IoT and consumer devices, that push was focused on interactive devices with default admin passwords."

    Just addressing a single bleeding obvious basic flaw, which just goes to show how ignorant the "powers" at the department of 'Digital', Culture, Media and Sport are about the true nature of security.

    The very same problem as enunciated in this report.

  5. Ashto5

    Criminalise Bad Security

    Security is a massive issue.

    Criminalise the failure to adhere to basic standards, these standards should be set by the nation's elite spy agencies.

    Until then don’t turn around, I am watching you.

    I’m the one in the jeans and top can you spot me ?

    Not to worry I know exactly where you are, see you soon x

    1. b0llchit Silver badge
      Joke

      Re: Criminalise Bad Security

      Suggested penal code:

      • Not locking screen: first time £1250 fine, second time £10000 fine, third time and further instances one year jail and £25000 fine
      • Reuse password: two years jail and £10000 fine doubling with any further infraction
      • Seeing someone use their password: mental institution reeducation
      • Not reading the manual: life imprisonment

      1. Anonymous Coward
        Coat

        Re: Criminalise Bad Security

        Not reading the manual: life imprisonment

        Well that's everyone around here fucked then.

        Mine's the one with the soap on a string.

        1. b0llchit Silver badge
          Coat

          Re: Criminalise Bad Security

          Well that's everyone around here fucked then.

          Imagine, 99% of the world population will die in jail within short time. It solves many of the problems the world has. At least, security and many other worldly problems will no longer be a big issue. This is what we call a win-win :-D

          Lock'm up I'd say!

      2. Ken G Silver badge
        Facepalm

        Re: Criminalise Bad Security

        When I started working with a large international organisation then based west of Glasgow, the IT security manager was a few desks behind me. I was already pretty good about locking my screen when I got there but my habits improved soon after discovering his response to anyone walking away from their workstation without locking was to throw something from his desk at their head.

  6. TimMaher Silver badge
    Windows

    Old fashioned

    As an oldy, all of my BT headsets are retired in the study.

    I used to use a Jabra, car radio, phone mix during my commutes but no longer need to.

    Wired is fine for me and has almost no transmission problems, unlike BT.

    But yet another worrying story to add to the catalogue of exploding ’smart’ toasters and self ordering fridges.

  7. werdsmith Silver badge

    contacted one of the device owners, having identified him from his headset

    So…. How does this work? Approached him in the street having detected a particular headset type nearby and found him visually?

    Or something more sinister?

    Or maybe he detected a pair of Beats headphones and looked on Facebook for “Bell End”. Oh wait… that won’t work, that could be anyone on Facebook.

    1. cornetman Silver badge

      Probably just walked up to a few people and asked them what they thought about the implications and one was happy to go on record with their opinion. No conspiracy required.

      1. werdsmith Silver badge

        No conspiracy implied.

  8. Snake Silver badge

    Does not make sense

    "Hegnes' cycle trips discovered 9,149 unique Bluetooth transmitters, including 129 headsets that were picked up for more than 24 hours."

    How does one pick up Bluetooth headsets "for more than 24 hours" when the longest battery life on a Bluetooth headset that I know of is less than 6 hours?

    1. Falmari Silver badge

      Re: Does not make sense

      @Snake ^1 That was my first thought. But maybe they were on charge.

    2. doublelayer Silver badge

      Re: Does not make sense

      It seems long, but he traveled long distances for twelve days, so if you saw the headsets twice each day and mark each sighting as an hour, that could get you there. Divide the time period for other options. Given the range and speed of the bicycle, it's unlikely they got pings for 24 hours unless this student's friends were pranking him, so I'm guessing some grouping of time observations is involved.

      Oh, and there are lots of Bluetooth headsets with more than six hours battery life. I have one which runs for eight consistently, and it was incredibly cheap. I also have ones that can run for forty hours without a recharge, though it's a larger over-ear type so not great to use outdoors.

    3. Irongut

      Re: Does not make sense

      I have a wireless gaming headset that gets 100 hours on a charge so it is possible though unlikely they meant 24 hours continuously.

    4. ske1fr
      Mushroom

      Re: Does not make sense

      Prepare to have your mind blown. My new ones use Qualcomm’s QCC5124 chipset. 60 hour battery life with ANC. And sound great. It would help if the Norwegian had provided a suitably anonymised dataset so we could see what brands of device were vulnerable, but no, I couldn't find it during a speedread.

  9. JohnG

    How many Bluetooth headphones are capable of MAC address randomisation? Most are based around a single chip, which don't support MAC address randomisation.

    1. bombastic bob Silver badge
      Devil

      sounds like time for upgraded silicon. whoever makes the thing should probably design MAC randomization in and get it to market so that manufacturers will start using it. Ideally it would have the same footprint on the circuit board. They could even charge more money for it, calling it "security enhanced" or something.

      (additional features might include lower quiescent operating current or better power-save)

  10. Kevin McMurtrie Silver badge

    BB is watching

    I still believe that the primary driving force behind eliminating the headphone jack was forcing phone owners to keep BT on and scanning tracking beacons. Since beacons only send a GUID, the scans pass through a 3rd party service for conversion to coordinates.

    There was a lot of marketing materials for these services about 20 years ago. Retailers could place BT beacons indoors to keep fine-grained navigation working without GPS signals. In return, retailers would know exactly where people were shopping by which beacon GUIDs were being looked up. The marketing materials have gone to a lower profile but the systems are in use. Turning BT scanning on makes Google Maps work in Japanese subways. A recent employer uses the beacons to keep office maps working without GPS.

  11. Pascal

    In a perfect utopia, wireless devices being trackable by static identifiers would be a thing that mattered.

    But you know 99% of these devices' owners just have Facebook automatically post every location they step in for the world to see anyway.

  12. Anonymous Coward

    "– so the idea that someone can use them to track your location is sinister to say the least. "

    Yeah. Thank <deity> we can't be tracked by facial recognition among a sea of cameras or we'd really be screwed. And thank <deity> no one would ever track your location and movement by, oh I don't know, sitting in a white van across the street and watching your comings and goings with their own eyes. That would have to rank far beyond "sinister". Nope, once we fix this horrendous bluetooth leakage, we'll all be safe again.

    1. Robert Carnegie Silver badge

      I think the risk there is less "government which can afford to install a billion CCTV cameras and face recognition that even works" and more "kidnapper or mugger".

      I won't describe how you might track someone going home with an expensive looking phone if you aren't the government and also you don't want to spend your whole day following them, but knowing their route and choosing a good place for an uninterrupted robbery is one purpose of the exercise.

    2. ShadowSystems

      At the A/C re: white vans...

      I love the white vans! It's always so amusing to hear the screams & exploding skulls when I press my naked self up against the glass! I just wish it wouldn't take so long for the recovery teams to come & haul away the van, the stuff inside starts to stink after a day or two in the hot sun. But then the replacement arrives & I get to do it all over again! =-D

      I'd get my coat, but it's clear plastic & doesn't hide anything. ;-D

    3. Graham Cobb Silver badge

      Tracking by sitting in a white van and watching is perfectly reasonable.

      We need police. We need detectives. But what we don't need is pervasive surveillance.

      Tracking which takes significant resources (at least one person - more for a 24-hour surveillance) is fine: the powers-that-be have limited resources and can prioritise them. That means they are surveilling those they deem the most serious - the rest of us can get on with our lives unmolested.

      That is the trade-off society has approved for many years. Society does not approve of surveillance of everyone all the time.

      1. Anonymous Coward

        "Society does not approve of surveillance of everyone all the time."

        Really? So Facebook/Apple/etc tracking your movements within a store to within a couple of feet via your cellphone isn't "surveillance"? Perhaps it's not governmental (yet), but it's still surveillance, and actually much worse and more pervasive than this bluetooth tracking "issue".

  13. a_yank_lurker

    Darwin Award Nominees?

    I have been concerned about people I see walking and jogging with earphones on. Their situational awareness would be rather low as they are paying attention to the earphones and not what is going on around them.

    1. John Brown (no body) Silver badge

      Re: Darwin Award Nominees?

      Depends. Many people can listen to music without being distracted much at all from what they are doing. It's just background noise. The problem isn't so much the distraction as the severe reduction in external audio cues.

      After all, some people prefer to work, code, do homework (looking at you teens!) with loud music blasting out :-)

      Personally, when I'm driving, I listen to audio books. But I also know how to prioritise my awareness. Many's the time I've had to rewind a chapter and listen again because I've completely lost the plot by watching more intently on where I'm going. It also adds something to my awareness when driving long distances on motorways where it's easy to get bored and distracted when driving in silence.

  14. rtfazeberdee

    why are governments so slack in forcing IoT kit being secure? It has been so obvious from the first IoT device being out there that it will be a security issue. The manufacturers should be fined heavily if they don't make their stuff secure.

    1. Totally not a Cylon
      Mushroom

      Not the Government's job, also if Gov legislates then companies match that AND NO MORE.

      Better for an independent third party maybe something like a British Standards Institute? (Insert your country if different)

      Consumers have a right to buy cheap rubbish if they wish.....

      If Bluetooth had remained short range (like it was designed to be) then there wouldn't be a problem....

      1. Anonymous Coward

        British Standards Institute?

        How about one international standard (or one per region) instead of different local ones?

  15. Anonymous Coward

    "It is unpleasant knowing that others that you don't know are able to track you via Bluetooth. It never crossed my mind."

    Or they could, you know, look at you while you are walking around. I'm a bit surprised that people have an expectation of privacy on their whereabouts... while walking in public.

    1. John Brown (no body) Silver badge

      There's a huge difference between a person following or stalking an individual and Bluetooth beacons all over a city, possibly many from the same company, "knowing" exactly which shops you go into, when and how often.

      The fact that so few people realise this tracking can be done, and is happening, because "It never crossed my mind." is the worrying thing. This information is out there, it even makes the mainstream news every now and then. but it seems most people simply don't care enough to remember that until someone actually confronts them with cold, hard data. Simply telling someone that they can be tracked by BT, or online cookies, javascripts, off-site links to "assets" etc., etc., etc., and they might just possibly agree before it disappears from their mind again. Although it's more likely that in those circumstances, the vast majority will simply not believe or think it doesn't matter.

      And yet, what we do online can and does come back to haunt some. Just the other week, a guy standing for election was lambasted by the opposition for some unsavoury stuff he posted on Twitter in 2010, 11 years ago! Worse, he's only 26 now, so he was a hormonal 15 year old boy at the time of his "infringements" and quite clearly no longer holds those same views. (FWIW, he's standing for a party I really don't like, so I'm not defending his politics at all here.)

    2. imanidiot Silver badge

      Following and tracking a person without them noticing or at the very least feeling something is "off" is quite hard and few non-state level bad actors could perform such a thing for any extended amount of time. People are surprisingly unaware of their surroundings most of the time, but show up in their peripherals often enough and they start getting that funny "being watched" feeling. Bluetooth tracking however can be low effort, much easier to do and completely unnoticeable. Even just getting a 'ping' whenever the "target" passes by a certain location can be a big problem for the target.

    3. Jimmy2Cows Silver badge
      WTF?

      Re: "...It never crossed my mind."

      "It is unpleasant knowing that others that you don't know are able to track you via Bluetooth. It never crossed my mind."

      Seems like a severe imagination deficit. Especially given all the COVID-related tracking over the past year or so.

  16. tiggity Silver badge

    headphone jack

    Headphone jack on music playing devices means I don't need to use BT headphones.

    Never saw the point of BT headphones (in addition to security issues it drains battery more, can suffer interference etc.) - is a cord really that much of a hassle?

    1. Throatwarbler Mangrove Silver badge
      Holmes

      Re: headphone jack

      "is a cord really that much of a hassle?"

      Short answer: yes. While running or commuting, I encountered frequent snags with my wired headphones, causing them to get yanked out of the jack or fall out of my ears. Decent Bluetooth headphones (or even fairly crappy ones, like my $20 running pair) should not suffer from significant interference, nor do they suffer from damaged cords, which used to be the most frequent source of my old headphones' demise.

      YMMV, of course.

      1. John Brown (no body) Silver badge

        Re: headphone jack

        On the other hand, maybe my ears are a funny, non-standard shape or something, but jaw movements such as talking or eating always make earbuds fall out of my ears! That includes both cheap and expensive, both wired and wireless.

      2. This post has been deleted by its author

      3. techulture

        Re: headphone jack - snagging

        Well, the cord tends to snag on handles and knobs when I move about my kitchen. Anyway, the convenience of switching between physical jacks and the superior sound quality (call quality without the restrictions of Bluetooth headset profile; no transcoding; no codec support jungle) means my closed over the ears are my number one choice. I don't use headphones when exercising or bike commuting, I should add.

  17. heyrick Silver badge

    Aaaand....?

    So my Bluetooth headphones can probably be tracked. So what? You need to get to a distance of about 25-50 metres (practical experience says the 100 metres quoted in the article is "optimistic").

    Meanwhile my phone is happily reporting back location to the mothership. If you turn off GPS, which I do because it uses battery, then it'll try to locate using WiFi, cell masts, etc etc. This location (actual or approximate) is also shared with advertising platforms in Christ knows how many apps that are happily chugging along in the background, unless you have a phone with an actively hostile battery management system that will put the apps to sleep properly, like the OS should have done in the first place.

    If you don't want the risk of being tracked that way, don't use modern tech. There's always a Walkman and wired headphones if you need to listen to music when out (as somebody probably "on the spectrum", I find it a lot easier to go shopping with music, it helps to block everything else out).

    This, of course, isn't considering security cameras, facial or numberplate recognition, the use of electronic payment methods, and the various other ways people can be tracked. If you don't want to be tracked that way, don't go out. Or if you do, go out somewhere so technologically backward that they just about have reliable electricity.

    Me, personally, I don't actually care that much. I'm utterly uninteresting, just another worthless data point in millions. I live in the same place, work in the same place, shop in one of three places (mostly one), and as a committed introvert, I don't socialise. That's...pretty much my life. Really uneventful and boring, just how I like it.

    1. heyrick Silver badge
      Big Brother

      Re: Aaaand....?

      If you want a freaky bit of "tracking", ask Netflix for your personal data. It'll tell you it could take days, but in reality a couple of hours.

      You'll get a zip file with lots of files inside. A list of things you watched, things you rated, etc etc.

      Then you'll come across the enormous CSV file of user activity. Every time you pressed pause. Every time you backed up ten seconds. Did you do that to watch a pervy bit in a movie? Guess what, it got recorded.

      They must love my history. I have a tendency to stop watching partway through something to pick it up days/weeks later (if at all). Just, when I feel tired, or don't feel like carrying on. If they're analysing this crap, they will probably think that "The Uncanny Counter" is special because I watched it in order across several nights. Yes, it was good.

      Really ought to finish watching "Awake". I started late at night but was too tired to watch it all (oh, the irony).

      Anyway, every single thing you do gets sent back to the mothership. Betcha didn't know that...

  18. DrXym

    Another way to get better security

    Stop using wireless earbuds and reject phones that don't have a 3.5mm earphone jack.

    1. Anonymous Coward
      Facepalm

      Re: Another way to get better security

      @DrXym

      "Stop using wireless earbuds and reject phones that don't have a 3.5mm earphone jack"

      Yes you do that. They will just track your phone instead.

      1. DrXym

        Re: Another way to get better security

        Not necessarily since you may not need bluetooth on unless you have something to use with them. And phone security is going to be more advanced than the sort baked into some crappy earbuds.

  19. IGotOut Silver badge

    Meh...

    .. a stalker can track a location.

    Well, as you have to be near them in the first place and have a decent amount of technical knowledge, using your eyes is going to be far easier.

  20. Dan 55 Silver badge
    Meh

    tl;dr

    Guy on a wobbly bike stalking joggers from 50 metres behind by their Bluetooth MAC addresses publishes shock claims saying they can be stalked.

    Another guy on a wobbly bike stalking joggers from 50 metres behind can do the same thing but without any wardriving kit.

  21. Anonymous Coward

    So this 1 guy

    intercepted 1.7 MILLION messages in a Year? On a pushbike? I am calling bullshit. 1,700,000 divided by 365 = something like 4.600 a day.

    As I am absolutely no expert on the law, but is doing so even legal? And, did he let his victims know he was intercepting their messages?

    1. Little Mouse

      Re: So this 1 guy

      Think "network packets". Big numbers of those are definitely to be expected.
