InfiniTimeOrg / InfiniTime

Firmware for Pinetime smartwatch written in C++ and based on FreeRTOS
GNU General Public License v3.0

Bluetooth Low Energy Privacy (MAC randomisation) #736

Open juliman77 opened 2 years ago

juliman77 commented 2 years ago

Pitch us your idea!

I want PineTime Bluetooth MAC address to change periodically.

Description

Bluetooth and Wi-Fi scanning is widely used by Apple and Google to improve location services as an alternative to GPS geolocation. This works on smartphones by periodically sending aforementioned companies a list of discoverable Wi-Fi SSIDs and Bluetooth MACs that are in scanning range. In practice, this means that while PineTime's Bluetooth MAC is static and there are any smartphones of non-privacy-conscious users (e.g. a fellow passenger on the bus) in range with the Bluetooth scanning enabled, it is trivial for Apple & Google (and whomever this information is sold to or shared with, legally or not) to build an extensive profile of such PineTime user’s movements.

The NimBLE stack supports Bluetooth LE privacy:

LE Privacy 1.2 for frequent changes to the device address to make it difficult to track for outsiders

I propose adding this important feature to protect PineTime users from global location tracking by third parties.

Avamander commented 2 years ago

Here are a few resources on the topic from the Pine64 Wiki.

tmilburn commented 2 years ago

My understanding is that Google only uses WiFi SSIDs (and even then you can sort of opt out https://support.google.com/maps/answer/1725632?hl=en-GB#zippy=%2Chow-do-i-opt-my-access-point-out-of-google-location-services) and not BLE although I would be interested to see any source that claims otherwise.

Personally I find MAC randomisation pointless. You can easily track BLE advertising devices because

  1. Each device has unique characteristics in the advertising packet other than the MAC address (just track the one device in the vicinity that is advertising as InfiniTime)
  2. The change of MAC address is easily detected for a device scanning all the time. You see one MAC address appear at exactly the same time as another appears
  3. With more sophisticated equipment you can track a device using the angle of arrival of the bluetooth signal
  4. With even more sophisticated equipment you can track a device using the slight variations in transmit frequency

In summary if you want to be private then you should simply turn all wireless comms off.

kieranc commented 2 years ago

I believe that this will be implemented along with secure pairing. We have to make the watch understand BLE MAC randomisation in order to securely pair with a phone which randomises its MAC (all of them), so at that point it should either be done, or trivial to implement.
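The "LE Privacy 1.2" feature quoted above and the pairing concern raised here both rest on the same mechanism: a resolvable private address (RPA) is a random 24-bit prand plus a 24-bit hash of it under the Identity Resolving Key (IRK) exchanged at bonding. A bonded phone can recompute the hash and recognise the watch after every rotation, while a passive scanner without the IRK only sees unrelated addresses. The following is an added illustration, not InfiniTime or NimBLE code; it implements the Core Spec's `ah` function with Go's standard AES and uses the spec's published sample IRK and prand.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// ah is the Bluetooth random-address hash (Core Spec Vol 3, Part H, 2.2.2):
// ah(k, r) = e(k, padding || r) mod 2^24, where e is AES-128 and r is 24 bits.
// Bytes are ordered most-significant first, the way addresses are printed.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	block, _ := aes.NewCipher(irk[:]) // a 16-byte key never fails for AES-128
	var in, out [16]byte
	copy(in[13:], prand[:]) // r' = 104 zero bits || r
	block.Encrypt(out[:], in[:])
	var hash [3]byte
	copy(hash[:], out[13:]) // keep the low 24 bits of the ciphertext
	return hash
}

// NewRPA builds a resolvable private address as prand || ah(IRK, prand).
// The top two bits of prand are forced to 01, which marks the address type.
func NewRPA(irk [16]byte, prand [3]byte) [6]byte {
	prand[0] = prand[0]&0x3f | 0x40
	hash := ah(irk, prand)
	var addr [6]byte
	copy(addr[:3], prand[:])
	copy(addr[3:], hash[:])
	return addr
}

// Resolve is what a bonded peer does with the IRK it received during pairing:
// recompute the hash from prand and compare. Without the IRK, an observer sees
// only an address that changes every rotation and cannot be linked to the last.
func Resolve(irk [16]byte, addr [6]byte) bool {
	if addr[0]&0xc0 != 0x40 {
		return false // not a resolvable private address
	}
	var prand [3]byte
	copy(prand[:], addr[:3])
	return ah(irk, prand) == [3]byte{addr[3], addr[4], addr[5]}
}

func main() {
	// IRK and prand from the Core Spec sample data (Vol 3, Part H, Appendix D.7).
	irk := [16]byte{0xec, 0x02, 0x34, 0xa3, 0x57, 0xc8, 0xad, 0x05, 0x34, 0x10, 0x10, 0xa6, 0x0a, 0x39, 0x7d, 0x9b}
	addr := NewRPA(irk, [3]byte{0x70, 0x81, 0x94})
	fmt.Printf("RPA %x resolves with own IRK: %v\n", addr, Resolve(irk, addr))
}
```

A real stack rotates prand on a timer (NimBLE's RPA timeout) and must also decrypt the peer's RPAs with the peer's IRK, which is why pairing and privacy have to land together.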

juliman77 commented 2 years ago

> My understanding is that Google only uses WiFi SSIDs (and even then you can sort of opt out https://support.google.com/maps/answer/1725632?hl=en-GB#zippy=%2Chow-do-i-opt-my-access-point-out-of-google-location-services) and not BLE although I would be interested to see any source that claims otherwise.

Here is a quote from an article claiming to have analyzed Android device traffic via capturing their Wi-Fi hotspot traffic:

> According to our analysis of the phones’ transmissions, this is just some of the information that gets periodically sent to Google’s servers when Location History is enabled:
>
>   • The MAC address, identifier, type, and two measures of signal strength of every nearby Bluetooth beacon

Source: https://qz.com/1183559/if-youre-using-an-android-phone-google-may-be-tracking-every-move-you-make/ See also: https://qz.com/1169760/phone-data/

> Personally I find MAC randomisation pointless. You can easily track BLE advertising devices because
>
>   1. Each device has unique characteristics in the advertising packet other than the MAC address (just track the one device in the vicinity that is advertising as InfiniTime)

This can be trivially mitigated by changing advertised device name to make it similar to a popular fitness band. It can even be randomized and displayed in the settings screen. Certainly not a reason to abandon the effort. Also, the device could probably not advertise itself when it is already paired. This might be configurable via a switch in the settings screen (Discoverable: on/off).

>   2. The change of MAC address is easily detected for a device scanning all the time. You see one MAC address appear at exactly the same time as another appears

This might be a valid point that warrants deeper research. However, I do not believe this to be a valid reason to leave the PineTime absolutely effortless to track as it is now.

>   3. With more sophisticated equipment you can track a device using the angle of arrival of the bluetooth signal
>   4. With even more sophisticated equipment you can track a device using the slight variations in transmit frequency
>
> In summary if you want to be private then you should simply turn all wireless comms off.

The issue here is not escaping (targeted?) surveillance with sophisticated equipment, but to stop giving away data "for free" with zero effort for BigData companies via smartphone-powered crowdsourced data mining. Just because any door can be broken with enough effort doesn't mean you shouldn't have one in your home.

hannesrauhe commented 1 year ago

> Personally I find MAC randomisation pointless. You can easily track BLE advertising devices because
>
>   1. Each device has unique characteristics in the advertising packet other than the MAC address (just track the one device in the vicinity that is advertising as InfiniTime)
>   2. The change of MAC address is easily detected for a device scanning all the time. You see one MAC address appear at exactly the same time as another appears

Both statements are misleading. In the last weeks I used a Raspberry to track my Bluetooth devices. I have two PineTimes and two Apple Pencils at home. All 4 advertise their generic name (InfiniTime and Apple Pencil), but the Apple Pencil randomizes the MAC address. Once the Apple Pencil gets out of range it is impossible to say which one comes back. You might be able to identify them, but only if you keep it in range at all times. I have no problem identifying which InfiniTime is which even after days of being out of range. With a simple device like the Raspberry I cannot distinguish the characteristics of these devices other than the name.

I agree that for total privacy you have to turn off wireless, but if you just don't want to stop the next-door neighbour from tracking you, MAC randomization is an easy win.