Bluetooth Low Energy (BLE) – Surveillance Wet Dream

Have you come across Bluetooth Low Energy (BLE), also called Bluetooth Smart, lately? No? Then you should get informed. BLE is every surveillance agency’s wet dream come true and has been rolled out massively since its standard was published some 10 years ago. BLE is a kind of extension to classic Bluetooth for low-energy applications like remote sensors, remote controls, so-called beacons etc. The concept is to have ubiquitous, radio-connectable devices that can sit there for weeks, months and sometimes even years living off a small battery, like a coin cell. Built into this technology is the capability to measure the signal strength of ongoing communication fairly precisely. All of that happens in the well-known 2.4GHz ISM frequency band.

There is just a “minor” problem with that, and it is totally beyond me why it has been made this way. The way it is standardized and implemented gives room for quite some conspiracy theories. With classic Bluetooth you work with a device like this: the device is brought into a so-called discoverable mode where it advertises itself. In this mode other devices can see it and initiate a connection, the so-called pairing process. During pairing each device remembers the other’s unique address (MAC address), and optionally they negotiate an encryption key. Once this is successfully done neither of the two needs to be discoverable anymore; they can always connect to each other based on the previously negotiated pairing.

Now with BLE things are different. BLE devices must make themselves visible all the time to be connectable. So even if you did some form of pairing (there are BLE security levels that allow a kind of pairing and encrypted communication afterwards), a device still needs to advertise itself with short beacons so that it can be connected to. There are several ways for a device to advertise itself, but most of them are publicly visible! And this includes the device’s MAC address which is, by definition, unique to a device. There is a way to hide this a bit, called “directed advertising”: the device then only advertises itself to one other device by addressing its advertisement to that device. But guess what? Basically no device does this.
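To make concrete what such an advertising packet exposes, here is an added decoder for a BLE link-layer advertising PDU. It is example code written for this post, not the standard’s tooling or any scanner app. The packet bytes are constructed; the layout follows the Bluetooth Core specification’s advertising PDU (2-byte header, 6-byte advertiser address, then length/type/value AD structures). The decoder goes one step beyond the text above: besides the name and flags a device hands out, it distinguishes fixed public and random static addresses from resolvable private addresses, the address-rotation feature the standard offers against exactly the tracking described here, so you can check whether a device you own actually uses it.

```python
"""Decode a BLE link-layer advertising PDU and report what it reveals about the sender."""
from dataclasses import dataclass
from typing import Dict, Optional

# Advertising PDU types from the header's low nibble (only the ones a scanner sees).
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
             4: "SCAN_RSP", 6: "ADV_SCAN_IND"}

# Common AD types (Bluetooth assigned numbers) found in advertising data.
AD_NAMES = {0x01: "Flags", 0x02: "Incomplete16bitUUIDs", 0x03: "Complete16bitUUIDs",
            0x08: "ShortName", 0x09: "CompleteName", 0x0A: "TxPower", 0xFF: "Manufacturer"}


def fmt_addr(raw: bytes) -> str:
    """Addresses are transmitted least-significant byte first; print them the usual way."""
    return ":".join(f"{b:02X}" for b in reversed(raw))


def address_kind(raw: bytes, tx_add_random: bool) -> str:
    """Public and random static addresses are fixed identifiers; resolvable private ones rotate."""
    if not tx_add_random:
        return "public"
    top_bits = raw[5] >> 6  # two most significant bits of the address
    return {0b11: "random_static", 0b01: "resolvable_private",
            0b00: "non_resolvable_private"}.get(top_bits, "reserved")


def parse_ad_structures(data: bytes) -> Dict[str, object]:
    """Walk the length/type/value AD structures that make up the advertising data."""
    fields: Dict[str, object] = {}
    i = 0
    while i < len(data):
        length = data[i]
        if length == 0:          # zero length marks padding at the end
            break
        if i + 1 + length > len(data):
            raise ValueError("truncated AD structure")
        ad_type = data[i + 1]
        payload = data[i + 2:i + 1 + length]
        name = AD_NAMES.get(ad_type, f"type_0x{ad_type:02X}")
        if ad_type in (0x08, 0x09):
            fields[name] = payload.decode("utf-8", errors="replace")
        elif ad_type == 0x01:
            fields[name] = payload[0]
        elif ad_type == 0x0A:
            fields[name] = int.from_bytes(payload, "little", signed=True)
        elif ad_type == 0xFF:
            fields[name] = {"company_id": int.from_bytes(payload[:2], "little"),
                            "data": payload[2:].hex()}
        else:
            fields[name] = payload.hex()
        i += 1 + length
    return fields


@dataclass
class Advertisement:
    pdu_type: str
    address: str
    address_kind: str
    target: Optional[str]        # only set for directed advertising
    fields: Dict[str, object]

    @property
    def publicly_trackable(self) -> bool:
        """Broadcast to everyone with an address that never changes."""
        return self.pdu_type != "ADV_DIRECT_IND" and \
            self.address_kind in ("public", "random_static")


def parse_adv_pdu(pdu: bytes) -> Advertisement:
    """Parse header, advertiser address and payload of one advertising PDU."""
    if len(pdu) < 8:
        raise ValueError("PDU too short")
    header, length = pdu[0], pdu[1]
    payload = pdu[2:2 + length]
    if len(payload) != length:
        raise ValueError("length field does not match payload")
    pdu_type = PDU_TYPES.get(header & 0x0F, f"type_{header & 0x0F}")
    tx_add_random = bool(header & 0x40)  # TxAdd bit: advertiser address is random
    adv_a = payload[:6]
    target, fields = None, {}
    if pdu_type == "ADV_DIRECT_IND":
        target = fmt_addr(payload[6:12])
    else:
        fields = parse_ad_structures(payload[6:])
    return Advertisement(pdu_type, fmt_addr(adv_a), address_kind(adv_a, tx_add_random),
                         target, fields)


# Constructed sample packets (not real captures): a card reader with a fixed random static
# address and a public name, a phone using a resolvable private address with the test
# company id 0xFFFF, and a directed advertisement aimed at one peer only.
SAMPLE_PDUS = {
    "card_reader": bytes.fromhex("40 18 55 44 33 22 11 C0 02 01 06 0E 09") + b"card reader 2",
    "phone": bytes.fromhex("40 0F AA BB CC DD EE 4A 02 01 1A 05 FF FF FF 12 34"),
    "directed": bytes.fromhex("C1 0C 55 44 33 22 11 C0 01 02 03 04 05 C6"),
}

if __name__ == "__main__":
    for label, pdu in SAMPLE_PDUS.items():
        adv = parse_adv_pdu(pdu)
        print(f"{label}: {adv.pdu_type} from {adv.address} ({adv.address_kind}), "
              f"trackable={adv.publicly_trackable}, fields={adv.fields}, target={adv.target}")
```

Run against your own devices, the interesting column is the address kind: a scanner that keeps seeing the same public or random static address from a device has a stable identifier for it, whereas a device that rotates resolvable private addresses shows up as a new address every few minutes.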

If you own an Android device I would recommend installing “BLExplorer” and placing yourself with your phone in some public space, like a mall. You will see dozens of BLE devices popping up and going away. Many of them you can connect to even without being paired with them (or ‘bonded’, as it is sometimes called). You can query some device information like its name and often quite a lot more. What you will also see in BLExplorer is the signal strength in dBm, a measure of the received radio signal’s power.

The 2.4GHz spectrum is a bit complicated. Waves can be absorbed by a lot of objects, especially anything that is wet (like trees), they can bounce off walls or penetrate them etc. So a single dBm reading does not tell you that much about where the sender is. It could be close or not so close, it could be next to you or on the floor below or above etc. But if you don’t rely on a single receiver but use a bunch of them, then you can triangulate the position of a specific device fairly precisely and watch it move around. And since BLE devices usually advertise themselves every couple of seconds, you get a pretty accurate movement profile. And since the MAC address is unique to a device, you can assume that a specific MAC address is associated with one person.

Here you go, mass movement tracking surveillance made simple by BLE!

And we idiots are carrying around these tracking devices everywhere and all the time, most notably the “smart watches” or “fitness trackers”! These do not track your fitness, they track you! All the time! And you can’t do anything about it except ditch these devices. Most of them do not even let you disable the advertising. Some can be silenced by enabling a kind of flight mode, but then you lose all the “smart” features. And some even keep advertising themselves when switched off! Like this guy:

iZettle Reader 2

This is the iZettle Reader 2, a small pocket terminal for credit or debit card acceptance. It has a power button and you can actually turn it on or off, but even when it’s off it is still advertising itself! Totally crazy. I do own such a device and was baffled when I ran BLExplorer and saw a device near me that I had no idea what it could be. I connected to it and read its device information, and it was publicly readable and said “card reader 2”. It took me another half hour to figure out that this was indeed something in my house, but one floor below. The only way to “hide” it is to put the whole device into a kind of Faraday cage.

I mentioned fitness trackers already, which I would consider dangerous since they are usually worn by a person all the time and can be used to directly pinpoint and track that person’s movements. But there are also other interesting “smart” devices, like home automation. Quite some folks use cheap BLE-based devices, e.g. as sensors. There are e.g. the cheap Xiaomi Mijia sensors for about $10 like these:

You place them somewhere and anyone in the vicinity can read them too. Or, even more interesting, heating thermostats. I just got myself a bunch of these:

Eqiva eQ-3 BLE Thermostat

What shall I say? The pairing they offer is totally fake, it does nothing, and anyone close enough can see them, connect to them and, worst of all, even control them! Imagine a malicious attacker standing on your doorstep. An attacker could see at least a couple of these installed in your home. At any time an attacker could disable the preset, go to manual mode and turn them all the way up or down. This is a real threat and risk! Imagine a deep-freezing winter, you are not at home and someone disables all your heaters. Everything will freeze, eventually water pipes will burst etc. Or an attacker cranks all thermostats to 100% all the time while you are not there! This could dramatically increase your heating bill and even cause damage to your home.

There are a bunch more devices that advertise themselves and could be harmful. Quite some home entertainment devices these days include BLE for remote control. This is convenient and low energy, and they don’t need line of sight anymore like an infrared remote. But of course this makes them vulnerable. Even more so since most devices advertise themselves with their brand and device type! So I can tell e.g. that my neighbor owns a Samsung 55″ television! Why? Because I see it in my BLE scan and it’s for sure not mine. The NVidia Shield TV does the same thing etc. etc. So war driving through an apartment complex will quickly give you an overview of the installed devices. Using a couple of BLE receivers you will quickly be able to pinpoint the apartments with the most interesting stuff in them. It’s like window shopping for tech burglars!

Where classic Bluetooth was already considered a bit of a risk, compared with BLE and its real-world implementations classic Bluetooth seems like Fort Knox. BLE is a huge risk for your privacy and even your home.

My advice: install a BLE scanner and scan yourself, your home and your office. Try to eliminate as many BLE devices as you possibly can, and for the others, be aware that they are there and that they are a potential risk. Be aware of the risk and mitigate as well as you can: only turn a device on when necessary, shield it when possible etc.
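As a worked version of “scan yourself, your home and your office”, here is an added audit script, written for this post and not part of BLExplorer or any other scanner. It takes a scan log, here a constructed one with the columns time, address, RSSI and advertised name, and summarizes each advertiser: how often and for how long it was seen, its typical advertising interval, its median signal strength, and whether its address stayed fixed long enough to serve as a tracking identifier. In the sample the card reader and the TV come out as persistent, named devices, while a device that rotates its address appears only as a series of short-lived addresses. The 120-second persistence threshold is an assumption chosen for the sample; a real sweep of your home would run much longer.

```python
"""Audit a BLE scan log for devices in your own space that are persistently trackable."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, not a real capture. Columns: seconds since scan start,
# advertiser address, RSSI in dBm, advertised local name (may be empty).
SAMPLE_LOG = """\
0,C0:11:22:33:44:55,-62,card reader 2
2,C0:11:22:33:44:55,-61,card reader 2
4,C0:11:22:33:44:55,-63,card reader 2
60,C0:11:22:33:44:55,-60,card reader 2
62,C0:11:22:33:44:55,-62,card reader 2
120,C0:11:22:33:44:55,-64,card reader 2
122,C0:11:22:33:44:55,-61,card reader 2
180,C0:11:22:33:44:55,-62,card reader 2
1,D8:01:02:03:04:05,-75,[TV] Living Room
61,D8:01:02:03:04:05,-78,[TV] Living Room
121,D8:01:02:03:04:05,-74,[TV] Living Room
181,D8:01:02:03:04:05,-77,[TV] Living Room
0,4A:EE:DD:CC:BB:AA,-55,
3,4A:EE:DD:CC:BB:AA,-56,
100,5B:11:22:33:44:55,-54,
103,5B:11:22:33:44:55,-57,
"""


@dataclass
class DeviceSummary:
    address: str
    name: str
    sightings: int
    first_seen: float
    last_seen: float
    median_interval: Optional[float]   # None when seen only once
    median_rssi: float
    persistent: bool                   # same address visible for the whole threshold window

    @property
    def presence_seconds(self) -> float:
        return self.last_seen - self.first_seen


def audit(log_text: str, persistent_seconds: float = 120.0) -> Dict[str, DeviceSummary]:
    """Group sightings by address and decide which addresses are usable as tracking identifiers."""
    times: Dict[str, List[float]] = defaultdict(list)
    rssis: Dict[str, List[int]] = defaultdict(list)
    names: Dict[str, str] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, addr, rssi, name = line.split(",", 3)
        addr = addr.upper()
        times[addr].append(float(t))
        rssis[addr].append(int(rssi))
        if name:
            names[addr] = name
    result: Dict[str, DeviceSummary] = {}
    for addr, ts in times.items():
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        presence = ts[-1] - ts[0]
        result[addr] = DeviceSummary(
            address=addr, name=names.get(addr, ""), sightings=len(ts),
            first_seen=ts[0], last_seen=ts[-1],
            median_interval=statistics.median(gaps) if gaps else None,
            median_rssi=statistics.median(rssis[addr]),
            persistent=presence >= persistent_seconds)
    return result


def report(summaries: Dict[str, DeviceSummary]) -> List[str]:
    """Human-readable lines, longest-present devices first."""
    lines = []
    for s in sorted(summaries.values(), key=lambda d: -d.presence_seconds):
        flag = "PERSISTENT" if s.persistent else "transient"
        interval = f"{s.median_interval:.0f}s" if s.median_interval is not None else "n/a"
        lines.append(f"{s.address}  {flag:10}  seen {s.sightings:3d}x over "
                     f"{s.presence_seconds:.0f}s  every ~{interval}  "
                     f"rssi {s.median_rssi:.0f} dBm  name={s.name!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_LOG))))
```

Every PERSISTENT line with a name is a device that tells anyone nearby what it is and lets them recognize it again tomorrow; those are the ones to switch off, shield, or at least know about. A long list of transient, nameless addresses is what a phone rotating its address looks like and is the behaviour you want from the devices you carry.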
