Handoff All Your Privacy: A Review of Apple's Bluetooth Low Energy Implementation
share
In recent versions of iOS, Apple has incorporated new wireless protocols to support automatic configuration and communication between devices. In this paper, we investigate these protocols, specifically Bluetooth Low Energy (BLE) "Continuity," and show that the price for this seamless user experience is substantial leakage of identifying information and users' behavioral data to a passive listening adversary. We start by reverse engineering Apple's proprietary protocol and identifying a number of data fields that are transmitted unencrypted. Plaintext messages are broadcast over BLE in response to user actions such as locking and unlocking a device's screen, using the copy/paste feature and tapping the screen while it is unlocked. We also demonstrate that the format and contents of these messages can be used to identify the type and OS version of a device. Finally, we show how the predictable sequence numbers of these frames can allow an adversary to track iOS devices from location to location over time, defeating existing anti-tracking techniques like MAC address randomization.
READ FULL TEXT