People are increasingly aware of, and concerned about, security — in particular, their privacy in both the physical and the digital world. The term privacy alludes to various types of issues, depending on the context. One privacy issue concerns the possibility of being tracked where you go in the physical world without your awareness or consent. Where you go could mean the places you drive or the route you walk.
There is a capability within Bluetooth® technology concerned with safeguarding your privacy as it relates to any physical route you travel. This capability has been available since the release of Bluetooth® Core 4.0. We’ve recently made some improvements to it in Bluetooth® Core 4.2.
First, let’s examine the issue. To illustrate the risk of being tracked, consider an example involving wireless connectivity and privacy that could happen today.
Imagine spending a day in various parts of your local town or city, visiting shops, having lunch with a friend, and seeing a doctor before returning home. Your smartphone is in your pocket, helping you navigate your day. If you have been using hotspots to gain high-speed access to the web, chances are your phone has been broadcasting its MAC address to connect to those wireless networks. The MAC address is synonymous with your phone — and potentially you — and goes with you as you travel. It is possible for malicious devices, hidden away in the environment, to receive these messages and log the date, time, location, and MAC address to a remote web server. All that remains is to link the MAC address to your personal identity, and that’s it: you are being tracked.
Bluetooth® technology, on the other hand, is different.
Bluetooth peripherals, such as activity trackers, announce their presence to other devices through a process known as advertising. Bluetooth advertising packets also contain a MAC address to identify the device. To safeguard user privacy, manufacturers can make use of a Bluetooth feature known as Bluetooth® LE Privacy. This feature causes the MAC address within the advertising packets to be replaced with a random value that changes at timing intervals determined by the manufacturer. Malicious devices placed at intervals along your travel route would not be able to determine that the series of different, randomly generated MAC addresses received from your device actually belongs to the same physical device. To an observer it looks like a series of different devices, so it is not possible to track you using the advertised MAC address.
When Bluetooth® LE Privacy is in use and advertising packets contain randomly generated MAC addresses disguising your device’s identity, the real MAC address remains hidden away. But what use is this if the outside world sees your device as having a different address?
The answer lies in the Bluetooth pairing process — Bluetooth® users are familiar with this process. Pairing indicates you trust the other device and want to interact with it. For example, if you pair your activity tracker with your phone, from that point on, the phone will have a special, trusted relationship with the tracker. What happens is much more involved, but after pairing, the two devices will possess various encryption keys, one of which is concerned with privacy. This key is called the Identity Resolution Key (IRK). The IRK allows the first device to resolve the random MAC addresses that appear in the second device’s advertising packets back to the second device’s real MAC address. Only devices you have explicitly trusted have this capability.
Everything I have described about Bluetooth privacy so far has been in place since the release of Bluetooth® Core 4.0. So, what changed in Bluetooth® Core 4.2?
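As an added example (not code from the Bluetooth SIG or this post), the Go program below implements the address scheme the IRK operates on as defined in the Bluetooth Core Specification: a resolvable private address is 24 random bits (prand, with its top two bits set to 01) followed by the 24-bit hash ah(IRK, prand), and a trusted peer resolves it by recomputing that hash with each IRK it stored at pairing; a match identifies the bonded device, while an observer without the IRK sees only unrelated addresses. The IRK, identity address and prand values are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// ah is the Core spec random address hash (Vol 3, Part H, 2.2.2): AES-128 over
// the 24-bit prand zero-padded to 128 bits, keeping the low 24 bits, MSB first.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	block, _ := aes.NewCipher(irk[:]) // 16-byte key, cannot fail
	var buf [16]byte
	copy(buf[13:], prand[:])
	block.Encrypt(buf[:], buf[:]) // in place; dst and src overlap entirely
	return [3]byte{buf[13], buf[14], buf[15]}
}

// AssembleRPA: prand with its top two bits forced to 01 (the resolvable marker), then ah(IRK, prand).
func AssembleRPA(irk [16]byte, prand [3]byte) [6]byte {
	prand[0] = prand[0]&0x3f | 0x40
	h := ah(irk, prand)
	return [6]byte{prand[0], prand[1], prand[2], h[0], h[1], h[2]}
}

// Identify mirrors the controller's resolving list: try each bonded peer's IRK
// (map IRK -> identity address) by recomputing the hash from the prand half.
func Identify(bonds map[[16]byte][6]byte, addr [6]byte) ([6]byte, bool) {
	if addr[0]&0xc0 != 0x40 {
		return [6]byte{}, false // public or static random address: not resolvable
	}
	prand := [3]byte{addr[0], addr[1], addr[2]}
	for irk, identity := range bonds {
		if hash := ah(irk, prand); bytes.Equal(hash[:], addr[3:]) {
			return identity, true
		}
	}
	return [6]byte{}, false
}

func main() {
	// Constructed sample IRK and identity address, not real device values.
	irk := [16]byte{0xec, 2, 0x34, 0xa3, 0x57, 0xc8, 0xad, 5, 0x34, 0x10, 0x10, 0xa6, 0x0a, 0x39, 0x7d, 0x9b}
	bonds := map[[16]byte][6]byte{irk: {0xc0, 0x11, 0x22, 0x33, 0x44, 0x55}}
	for _, prand := range [][3]byte{{1, 2, 3}, {4, 5, 6}} { // two timer-driven address changes
		addr := AssembleRPA(irk, prand)
		id, ok := Identify(bonds, addr)
		fmt.Printf("%x resolves=%v identity=%x\n", addr, ok, id)
	}
}
```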
In general, those random, private MAC addresses change according to a timer that the manufacturer implements in their product’s firmware. As such, they know exactly how often the MAC address will change. But there is one special situation designed to make it possible for devices that have previously connected with each other to reconnect really quickly, where that timer is not used.
Devices may perform something known as directed advertising. In directed advertising, the advertising packets indicate both the MAC address of the device doing the advertising and the MAC address of the device being advertised to. This is like sending an invitation to a specific device with which you have had a previous relationship, saying, “Hey, if you’re there, please reconnect to me!” The MAC address used by the advertising device is a random address if Bluetooth® LE Privacy is in use, but, for this situation, it is a special type of private address called a reconnection address. Reconnection addresses differ from the private addresses used in other circumstances in that they do change, but not by a timer. Instead, a user’s actions, like switching the device on and off or establishing a new connection, trigger the change of address. To give manufacturers more options, Bluetooth® Core 4.2 now allows private reconnection addresses to also change to a new, random address using the same timer-based mechanism. Manufacturers therefore have complete control over how their product behaves with respect to privacy and private addresses.
Resolving private addresses back to the device’s real MAC address using the cryptographic IRK is now much faster and much more power efficient, because it takes place in the controller rather than the host in the Bluetooth® architecture.
All in all, with the release of Bluetooth® Core 4.2, we’ve made Bluetooth privacy both smarter and faster!