Another day, another vulnerability, this time in a protocol found in practically every modern electronic device: Bluetooth.
The research, carried out by Boston University and published by ZDNet, shows that various Bluetooth-equipped devices can be tracked and identified by malicious agents via public communication channels. All Apple products with Bluetooth, such as Macs, iPhones, iPads and Apple Watches, may be affected, as may Microsoft products. Android smartphones and tablets, on the other hand, are immune to the problem.
What researchers David Starobinski and Johannes Becker found is that the technique the Bluetooth protocol uses to prevent tracking can be circumvented by malicious agents. In simple terms, Bluetooth uses an endless series of periodically changing random MAC addresses to establish communication between two devices; these addresses, however, are not changed in sync on both devices, which allows an agent to create an algorithm capable of tracking communication networks.
The algorithm does not require breaking the encryption or security of the Bluetooth protocol: it simply analyzes the MAC addresses exchanged between the two devices, which are publicly available, and interprets them so that it is possible to infiltrate the communication network between them. Once inside the network, the malicious agent can monitor one of the devices, including tracking its usage and capturing files.
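A simplified model of the rotation behaviour described above, as an added example that is not from the original article or the researchers' paper: it audits a log of observed address pairs and shows that unsynchronized changes leave one unbroken linkable chain, while synchronized changes split it. The log format, the function names and the address labels (`A0`, `B1`, ...) are assumptions constructed for illustration, not real MAC addresses or captured traffic.

```python
# Added example: simplified model with constructed address labels, not real MACs.

def simulate(rotate_a, rotate_b, ticks):
    """One (addr_a, addr_b) observation per tick; each device takes a new
    random-looking address at the ticks listed in its rotation set."""
    a_idx = b_idx = 0
    log = []
    for t in range(ticks):
        a_idx += int(t in rotate_a)
        b_idx += int(t in rotate_b)
        log.append((f"A{a_idx}", f"B{b_idx}"))
    return log

def linkable_chains(log):
    """Split the log wherever no address survives into the next observation."""
    if not log:
        return []
    chains = [[log[0]]]
    for prev, cur in zip(log, log[1:]):
        if set(prev) & set(cur):      # one side kept its address: still linkable
            chains[-1].append(cur)
        else:                         # both changed together: the link is lost
            chains.append([cur])
    return chains

def audit(log):
    """Summarise how well a rotation schedule breaks linkability."""
    chains = linkable_chains(log)
    leaky = [c for c in chains if len(set(c)) > 1]  # chain spans a rotation
    return {
        "address_pairs": len(set(log)),
        "chains": len(chains),
        "chains_spanning_rotation": len(leaky),
    }

# Constructed schedules: same session length, different rotation timing.
UNSYNCED = simulate(rotate_a={3, 6, 9}, rotate_b={4, 8}, ticks=12)
SYNCED = simulate(rotate_a={4, 8}, rotate_b={4, 8}, ticks=12)

if __name__ == "__main__":
    print("unsynchronized:", audit(UNSYNCED))
    print("synchronized:  ", audit(SYNCED))
```

In this model a schedule passes the audit only when `chains_spanning_rotation` is zero, which happens when both sides change their addresses at the same moment.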
The researchers' proof of concept used devices running iOS, macOS and Windows, but practically any modern Bluetooth-enabled device is vulnerable to the problem, with the aforementioned exception of Android devices. This is because Android uses another form of communication between Bluetooth devices, looking for nearby communication protocols instead of sending its own MAC addresses to establish a network.
It is unclear whether the vulnerability has ever been used in the real world to spy on devices, and no company, including Apple or Microsoft, has yet commented on the issue. The researchers' original article, however, provides very practical ideas on how to correct the vulnerability. It is therefore expected that companies will issue security updates quickly to address the issue. We will have to wait and see.