The Bluetooth that we use every day on our devices has been exposed to several vulnerabilities in recent days. Last week we learned about BrakTooth , made up of 16 vulnerabilities that allowed hackers to block devices and run malware on mobiles, tablets, laptops, and headsets. Now the wireless standard faces another major vulnerability affecting our headphones.
The vulnerability has been discovered by a student at the University of Oslo named Bjorn Martin Hegnes . To do this, he made a 300-kilometer cycle route around Oslo for 12 days . On that route it carried an omnidirectional WiFi antenna that could detect Bluetooth signals at a distance of up to 100 meters . He also carried a GPS device that was associating the locations with the devices it detected.
The MAC address is not random on the headphones
With this system, Hegnes was able to collect 1.7 million Bluetooth messages , 9,000 transmitters, and 129 headsets . In the investigation, he found that none of the detected headsets implemented MAC address randomization, allowing him to easily locate those wearing the devices.
Device MAC addresses are unique and cannot be changed. In fact, it is illegal to change them, and for this reason the randomization system is used to preserve the anonymity of users from those who detect the device to connect. However, if it is not implemented, then it is possible to monitor all the locations that are detecting that MAC address , since, for example, Bluetooth headsets are “shouting” it wherever they pass.
Hegnes claims that he had 21 different data points from a person in his class, where he was able to determine where his apartment was, as well as which coffee shops and supermarkets he visited.
The NSA did this with mobiles
This type of spying technique was used by the NSA to do just what Hegnes has done with mobiles. This was known thanks to the leaks of Edward Snowden, and for this reason the mobile manufacturers began to randomize the MAC addresses. However, in devices such as Bluetooth headphones this is left to the manufacturer, and practically no one does.
Thus, even if you carry your mobile in airplane mode or have all the protection systems active, having a Bluetooth headset turned on can allow a hacker to track you around an entire city. Imagine that you are alone with a person who has the app on their mobile and collects the MAC address of your headphones. Later, you can go around town collecting MAC addresses, and find out where yours has been found to find out where you live.
To map an entire city, the only thing Hegnes used was the WiGLE app, which is on the Play Store on Android. The app is responsible for collecting all the information that is around, and its setup to capture data only cost about 300 euros.
As a recommendation, it is important to change the name of the Bluetooth and not use proper names, as well as avoid using those that do not randomize their MAC addresses. Thus, for safety reasons, it is advisable to use wired headphones in this case.
