People at risk, such as stalking victims, executives, VIPs, security staff, defense/aerospace and other at-risk device users, should consider the risks involved in typical wireless use patterns. The proliferation of BYOD, wearables and IoT devices in everything from alarm clocks to utility meters increases the attack surface. Google does not include WearOS in the Android Security Rewards bounty program. State-level actors see value in collecting from broad swaths of the population as well as from high-value targets. The CDC 2012 National Intimate Partner and Sexual Violence Survey (NISVS) notes that about 11% of the US population have been stalking victims.
Popular media has depicted “burner phones” as a tactic to avoid tracking. Burner phones can be associated with a victim for subsequent attacks when the attacker knows they’re in proximity of the victim and the victim has the burner phone on. At-risk users should consider the risks of having Bluetooth and WiFi enabled. The attacker typically has the advantage of time, and can patiently pwn the weakest victim device and escalate from there. Subtle and practical attacks are ever evolving. Security by proximity is also not secure. Sniffing devices can be left behind inside innocuous devices such as power strips.
While recent standards including Bluetooth 5 and WiFi 6 / WPA3 include substantial security benefits over earlier standards, devices often implement the standards imperfectly across their firmware / software stacks. Devices wirelessly beacon information that is surprisingly useful to an attacker. An attacker who knows the victim’s device type can mount a spear phishing attack, perhaps a text message pretending to be from the victim’s employer or wireless carrier with a link to a zero-day exploit.
Signal strength can pinpoint a user’s location even in a crowd. Two meters of separation between victim devices can be detected by an attacker over 15 meters away. The typical victim has a plethora of vulnerable devices including smart TVs, pre-WPA3 WiFi networks, Bluetooth speakers and WiFi security cameras with old firmware. Multiple WiFi APs in the victim’s vicinity, made popular by consumer WiFi mesh networks, give a passive attacker an effective radar to track the victim’s approximate location in a home or office.
Wireless energy knows no borders, with maximum range limited by the inverse square law and obstructions. Microprocessors that use weak encryption to save computation / energy, together with the lack of OEM liability, leave little supply-side motivation to fix these personal and national security risks.
Bluetooth speakers as found in a home or office typically have auto-pairing. This means that when no paired device is in range, anyone can pair with the speaker without physically touching it. It would then be trivial to monitor the audio input in headset mode (most of these speakers have microphones for two-way audio) without the victim knowing they’re being listened to. Suppose the attacker walks down a street listening for auto-discoverable HSP devices, whether a speaker, headphones or another device with a microphone. Many neighborhoods have lots of these HSP devices left on 24/7, which can be used to determine user occupancy patterns, travel plans and other confidential victim information.
Bluetooth Low Energy
Bluetooth Low Energy (BLE) is quite distinct from legacy Bluetooth despite the name. Technical characteristics: BLE has three advertising channels at 2402, 2426 and 2480 MHz, picked to be between WiFi channels for best interference-free range, plus 37 data channels. A common attack vector for both legacy Bluetooth and BLE is when the attacker hears pairing and trivially cracks the key. The attacker can then at any time force unpairing, masquerade the connection and take unwanted actions such as crashing the device wirelessly or passively eavesdropping.
Maximum range of detecting BLE is typically 1 km with a $20 antenna. Without special antennas, small BLE devices are typically detectable to 50 meters or so. Inexpensive attacker devices like Ubertooth enable passive monitoring of already paired devices (as with WiFi) based on periodic updates (100 ms to 10 sec).
Android “Smart Lock” is good for attackers, not victims. If the connection can be intercepted and masqueraded, an attacker can physically obtain the unlocked device, install malicious software and return the device undetected. Corporate device policies and end users should consider blocking this. Windows has a similar feature where a Bluetooth-connected device is used to imply user proximity.
Suppose the attacker passively sniffs the victim MAC/UUID and learns the BLE simple channel hopping pattern. The BLE channel hopping pattern is trivially predictable and the UUID is in the clear. The CRACKLE BLE attack enables an attacker to jam the victim BLE wearable, breaking the connection and leading the victim to re-pair the wearable (which is the point of vulnerability). The attacker can crack the pairing exchange and then implement passive monitoring or access email, text, phone, calendar, fine location, apps, etc. from a distance of 10-100 meters from the victim.
WiFi devices including wearables, smartphones and laptops beacon several times per minute the WiFi SSIDs they’ve previously connected to, including hidden SSIDs. The probe beacons reveal the device MAC as well. Operating systems for mobile devices and computers have generally implemented a user option to rotate random device WiFi MAC addresses. A user may disable this random MAC address without realizing the security implications. Even with a random MAC, the victim beacon/probe signal strength can still be used as a means to track the victim’s proximity and approximate location.
Homes with smart TVs, WiFi security cameras and baby monitors typically use obsolete pre-WPA3 WiFi networks with weak protocols such as WEP, WPA or WPS. Cheap security cameras often have unencrypted or weakly encrypted password exchange. Once the WiFi password is cracked, the attacker can then exploit the typically insecure WiFi devices throughout the modern home or office. The victim attempted to secure their home with surveillance, but made themselves substantially less secure against wireless attacks.
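A self-audit of what a device's probe requests disclose, as an added example that is not part of the original article: it parses 802.11 probe request frames, flags whether the transmitter MAC is randomized (locally administered bit) and lists the SSIDs named. The frames, MAC addresses and SSIDs are constructed sample values, and the code assumes any radiotap header and trailing FCS have already been stripped.

```python
# Added example; function names are illustrative, sample frames are constructed.
import struct

PROBE_REQ = 0x40  # frame control byte 0: version 0, type 0 (mgmt), subtype 4

def build_probe(src_mac: str, ssid: str) -> bytes:
    """Construct a minimal probe request (sample input, not a capture)."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    bcast = b"\xff" * 6
    header = struct.pack("<BBH6s6s6sH", PROBE_REQ, 0, 0, bcast, src, bcast, 0)
    name = ssid.encode()
    return header + bytes([0, len(name)]) + name + bytes([1, 1, 0x82])

def parse_probe(frame: bytes):
    """Return (mac, randomized, ssid), or None if not a probe request."""
    if len(frame) < 24 or frame[0] != PROBE_REQ:
        return None
    mac = frame[10:16]                    # addr2 = transmitter address
    randomized = bool(mac[0] & 0x02)      # locally administered bit set
    ssid, pos = None, 24
    while pos + 2 <= len(frame):          # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                         # truncated element, stop parsing
        if tag == 0 and length:           # SSID element; length 0 = wildcard
            ssid = value.decode("utf-8", "replace")
        pos += 2 + length
    return mac.hex(":"), randomized, ssid

def leak_report(frames):
    """Group the SSIDs each transmitter MAC disclosed."""
    report = {}
    for frame in frames:
        parsed = parse_probe(frame)
        if parsed is None:
            continue
        mac, randomized, ssid = parsed
        entry = report.setdefault(mac, {"randomized": randomized, "ssids": set()})
        if ssid:
            entry["ssids"].add(ssid)
    return report

# Constructed sample: a burned-in MAC naming saved networks, and a randomized
# MAC that sends only a wildcard probe.
SAMPLE = [build_probe("00:11:22:33:44:55", "HomeNet"),
          build_probe("00:11:22:33:44:55", "CorpGuest"),
          build_probe("da:a1:19:00:00:01", "")]

if __name__ == "__main__":
    for mac, info in leak_report(SAMPLE).items():
        print(mac, info)
```

A device that shows up with `randomized: False` or a non-empty SSID set is disclosing a stable identifier or its saved-network history in the clear.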
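One way to check what an access point you own advertises, as an added example that is not from the original article: it parses the body of the RSN element (element ID 48) taken from a beacon and reports whether SAE (WPA3-Personal) is offered and whether TKIP or WEP ciphers remain enabled. The element bytes are constructed samples, the function names are illustrative, and only personal (passphrase) networks are classified; WEP-only and original WPA networks carry no RSN element at all.

```python
# Added example; function names are illustrative, sample elements are constructed.
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE"}
WEAK = {"WEP-40", "WEP-104", "TKIP"}

def suite_name(sel: bytes, names: dict) -> str:
    return names.get(sel[3], f"type-{sel[3]}") if sel[:3] == OUI else "vendor"

def read_suites(body: bytes, pos: int, names: dict):
    """Read a little-endian count, then that many 4-byte suite selectors."""
    if pos + 2 > len(body):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", body, pos)
    end = pos + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated RSN element")
    return [suite_name(body[i:i + 4], names) for i in range(pos + 2, end, 4)], end

def classify_rsn(body: bytes) -> dict:
    """Classify a personal (passphrase) network from its RSN element body."""
    if len(body) < 8 or struct.unpack_from("<H", body)[0] != 1:
        raise ValueError("not an RSN version 1 element")
    group = suite_name(body[2:6], CIPHERS)
    pairwise, pos = read_suites(body, 6, CIPHERS)
    akms, _ = read_suites(body, pos, AKMS)
    if "SAE" not in akms:
        level = "pre-WPA3"
    elif "PSK" in akms or "PSK-SHA256" in akms:
        level = "WPA2/WPA3 transition"
    else:
        level = "WPA3 only"
    return {"level": level, "akms": akms, "pairwise": pairwise,
            "group": group, "weak_cipher": bool(WEAK & {group, *pairwise})}

def make_rsn(group: int, pairwise: list, akms: list) -> bytes:
    """Build a sample RSN body (constructed input, not a capture)."""
    sel = lambda kind: OUI + bytes([kind])
    return (struct.pack("<H", 1) + sel(group)
            + struct.pack("<H", len(pairwise)) + b"".join(map(sel, pairwise))
            + struct.pack("<H", len(akms)) + b"".join(map(sel, akms))
            + b"\x00\x00")  # RSN capabilities field, all bits clear

if __name__ == "__main__":
    for args in ((2, [4, 2], [2]), (4, [4], [2, 8]), (4, [4], [8])):
        print(classify_rsn(make_rsn(*args)))
```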
- HP Fortify Internet of Things smartwatch vulnerability report and press release
- M. Breiding, et al. National Intimate Partner and Sexual Violence Survey, CDC United States, 2014: Prevalence and Characteristics of Sexual Violence, Stalking, and Intimate Partner Violence Victimization
- A. Musa, J. Eriksson, SenSys Nov 2012: Tracking unmodified smartphones using Wi-Fi monitors
- D. Namiot, M. Sneps-Sneppe, CFIC Coimbra 2013: Local messages for smartphones
- M. Cunche, Confiance Numerique, Mar. 2014: Wi-Fi told me everything about you
- Bluetooth core specification
- M. Ryan, Blackhat 2013: Bluetooth smart: the good the bad the ugly
- National Security Agency: Bluetooth Security for Unclassified Use