And at whose behest, if so. Yeah, I wear a tinfoil hat 24x7.
A team of US academics have proposed a simple method to defeat the Bluetooth LE standard's anti-tracking measures. David Starobinski, David Li, and Johannes Becker at Boston University told The Register how they found that the MAC randomization system of Bluetooth LE, designed to thwart the tracking of devices, transmits …
I was the second person to downvote you, seconds ago, and the reason was you posted anonymously while decrying anonymity. If you had posted that under your username then I wouldn't have downvoted you.
I could explain every downvote I make - very few, mostly upvotes all round - but that would be boring for everyone else. You were downvoted this time for hypocrisy on anonymity - no offence, just so you know.
MACs are supposed to be unique, yes, because networks can't deal with (some exceptions apply) duplicate MACs. That's how they're designed. However, why does my MAC have to be globally unique instead of just unique on my network? And why does it have to be the same unique value when it's on my network and when I've connected to your network?
Some things need to be globally unique, so people can find or at least recognize that specific thing when it appears. Others don't. Given that a MAC is essentially a random number, telling you only what manufacturer built the device (which you don't need to know because it doesn't tell you anything you need), there is no major benefit obtained from keeping that MAC or using a random one, unless you somehow connect to a network with another device that has simultaneously decided to use the same randomized number.
No, the real flaw is fundamental and not unique to Bluetooth. It's a nigh-intractable problem: how do you maintain a dialogue (a two-way communication) without one or the other being able to be identified simply by tracking the communique itself? Think of it like envelopes. How does one expect a reply without posting a return address? That's the reason most privacy-oriented communications are one-way and employ passive listeners. But that necessarily introduces inefficiencies: a killer for devices with very little power.
Even harder. Timing or location channels allow you to get some metadata from it.
Like, in the envelope example. If you know the route of collection from post boxes, you can guess someone's location to that street, because the letter turns up in the post van the same time every day/week.
You can find out where it's been, because here the sending branch/receiving branch might stamp the letter as received by the van.
The sender might send fewer letters when it is raining. Or when they are on holiday.
So even without opening it, you can gain some info. Though sometimes it's just noticing what type of paper is used. :P
One WiFi privacy tool I use on my phone uses the GPS to ascertain if you are near a known network or not before it attempts to connect. (Rather than the usual practice of constantly broadcasting and looking for a known network)
Perhaps something like that could be applied to Bluetooth. (Of course, all the privacy-invasive things people like to use Bluetooth for - like retail BT beacons and such, would stop working. A feature, not a bug..)
I've long thought devices should stop sending packets asking for the networks they know--they could instead listen for broadcast SSIDs which get announced anyway. This would at least solve the problem of devices that always respond yes no matter what SSID was requested and the other problem where devices can be fingerprinted based on the SSIDs they ask about. I'm not quite sure why WiFi decided to go the other way.
Why does a third party, broadcasting using Bluetooth, need to know anything about me and my mobile phone?
As an example, when I buy a copy of an (old fashioned) newspaper, do the advertisers in the newspaper need to know my name or my location?
In the case of Bluetooth, we HAVE NO IDEA AT ALL about the data transmitted off my mobile phone. Why should Bluetooth not be just as anonymous as a copy of The Sun newspaper? Why do you think that anonymity is a problem? Perhaps you work for the STASI? Perhaps you are just a nosy parker? Or maybe you just don't understand that some people actually value their privacy....until they consent to be identified.
Signed: Anonymous Coward
There are a few obvious problems with anonymity, such as it's easily astroturfed. That's why when I speak out in favour of anonymity I put my name to it. To portray me as anti-privacy is silly. My surname isn't really 2, and I trust El Reg more than I trust the readers of El Reg. No offence.
There are obvious tech reasons why a unique identifier on any network was useful; there are obvious socio-political reasons today why it is dangerous. This article isn't about whether MAC addresses should be spoofed or not, it is about a flaw in one corporation's spoofing. DIY.
"This article isn't about whether MAC addresses should be spoofed or not, it is about a flaw in one corporation's spoofing."
But the thing is, the flaw behind the flaw is that it's fundamentally very HARD to anonymize a two-way communication. Meaning it's probably not just the implementation that's flawed but rather the whole concept is a problem from the start.
I’m good thanks.
If I need it for something, like .01% of the time I use the device, I’ll turn it on. Then immediately turn it off...
Question: Is Google a member of the group that contributed to the Bluetooth standard? Microsoft? My bet is yes...
It’s better to be paranoid... it’s usually the right call.
Biting the hand that feeds IT © 1998–2019