The popular Bluetooth Low Energy (BLE) beacon protocol isn't just a privacy risk up close – it can spaff your phone's or wearable's movements and security information from a decent distance, and make you trackable.
BLE best practice is to provide at least a minimal amount of user ID masking – not too much, or iBeacons would be useless to advertisers – but even this is ignored, according to a scan conducted by Context Information Security.
As the company's Scott Lester describes here, that randomisation is either badly implemented or ignored completely in everything from cheap wearables up to iPhones. As a result, all that's needed to stalk a BLE owner is a smartphone and an app. The Bluetooth Special Interest Group outlines the “best practice” of randomising device addresses here, but Lester found that the “random” addresses either remained fixed to the particular device or made a hash (sorry) of their “randomisation”.
“We've seen some devices that are clearly changing their MAC address for successive advertising packets. They are sometimes easy to identify as they have a counter that increments the last few bytes of the address, and often send out constant identifying information”, he writes. The security firm also pointed out that BLE has been supported by smartphones since Android 4.3 (Jelly Bean), as well as by Windows 8 and 8.1 and BlackBerry 10.
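The two failure modes Lester describes (an address that only increments a counter, and constant identifying data sent under every address) are easy to check for on a device you are responsible for. The following is an added example, not code from Context or from the article: it assumes you have captured the advertising events of a single known device under test over a few rotation periods, and it classifies each random address by the two most significant bits that the Bluetooth Core Specification uses to distinguish static, resolvable private and non-resolvable private addresses. The capture data, device names and payloads below are constructed.

```python
"""Audit captured BLE advertising events from one device under test for the
address-privacy weaknesses described above. All sample events are constructed."""
from typing import Dict, List, Tuple

# (address type: "public" or "random", address, advertising payload)
Event = Tuple[str, str, bytes]


def parse_addr(addr: str) -> int:
    """'AA:BB:CC:DD:EE:FF' -> 48-bit integer, most significant byte first."""
    return int(addr.replace(":", ""), 16)


def addr_subtype(addr_type: str, addr: str) -> str:
    """Classify an address. A public address is fixed by definition. For a
    random address the two most significant bits select the subtype
    (Bluetooth Core Spec, Vol 6 Part B, section 1.3):
    11 = static, 10 = resolvable private, 00 = non-resolvable private."""
    if addr_type == "public":
        return "public"
    top_bits = parse_addr(addr) >> 46
    return {0b11: "random static",
            0b10: "resolvable private",
            0b00: "non-resolvable private"}.get(top_bits, "reserved")


def looks_like_counter(prev: str, cur: str) -> bool:
    """True when the upper three bytes are unchanged and the lower three bytes
    only advanced by a small step, i.e. the 'randomisation' is a counter."""
    p, c = parse_addr(prev), parse_addr(cur)
    return (p >> 24) == (c >> 24) and 0 < (c - p) <= 0xFFFF


def audit_device(events: List[Event]) -> Dict[str, object]:
    """Return the address subtypes seen and a list of privacy findings."""
    addrs = list(dict.fromkeys(a for _, a, _ in events))  # unique, first-seen order
    findings = []
    if len(addrs) == 1:
        findings.append("address never rotates")
    else:
        if all(looks_like_counter(a, b) for a, b in zip(addrs, addrs[1:])):
            findings.append("address rotates by incrementing a counter")
        # Payloads seen under each address; anything common to all of them
        # links the rotations together regardless of the address change.
        payloads = [{p for _, a, p in events if a == addr} for addr in addrs]
        if set.intersection(*payloads):
            findings.append("constant identifying payload sent under every address")
    subtypes = sorted({addr_subtype(t, a) for t, a, _ in events})
    return {"subtypes": subtypes, "findings": findings}


# Constructed captures (hypothetical devices, not real products):
TRACKER = [("random", "C4:2F:90:00:00:01", b"TRACKER-1234"),   # counter in low bytes
           ("random", "C4:2F:90:00:00:02", b"TRACKER-1234"),
           ("random", "C4:2F:90:00:00:03", b"TRACKER-1234")]
PHONE = [("random", "8A:51:C0:7E:19:D3", b"\x01\x9a"),          # resolvable private,
         ("random", "B3:77:01:9C:2E:F0", b"\x02\x1f"),          # payload changes too
         ("random", "91:0D:EE:42:A7:3B", b"\x03\x77")]
BEACON = [("public", "F0:12:34:56:78:9A", b"BEACON-UUID"),      # never changes
          ("public", "F0:12:34:56:78:9A", b"BEACON-UUID")]

if __name__ == "__main__":
    for name, ev in [("tracker", TRACKER), ("phone", PHONE), ("beacon", BEACON)]:
        print(name, audit_device(ev))
```

The checks only make sense on a capture you have already attributed to one device (a lab bench with a single advertiser is the easy case); they say nothing about a mixed capture. A device that passes should show only `resolvable private` or `non-resolvable private` subtypes and an empty findings list.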
It was also noted that while BLE is supposed to have a range of a mere 50 metres – still a decent distance if you wanted to track your CEO's movements – if you're willing to fool around with a directional antenna you can do much better than that. In previous work, Lester multiplied ordinary Bluetooth's 100m range by eight, and there's no reason similar results couldn't be achieved with BLE. Hence an hour around Canary Wharf let him identify “26 FitBits, two Jawbones, a couple of Nike products, one Estimote iBeacon (we're not sure where) and an Alcatel Pop C5, and a lot of iPhones”.