TY - GEN
T1 - Cross-app tracking via nearby bluetooth low energy devices
AU - Korolova, Aleksandra
AU - Sharma, Vinod
N1 - Publisher Copyright:
© 2018 Copyright held by the owner/author(s).
PY - 2018/3/13
Y1 - 2018/3/13
AB - Today an increasing number of consumer devices such as headphones, wearables, light bulbs and even baseball bats, are Bluetooth-enabled thanks to the widespread support of the technology by phone manufacturers and mobile operating system vendors. The ability for any device to seamlessly connect and exchange information with smartphones via Bluetooth Low Energy (BLE) protocol promises unlimited room for innovation. However, it also brings about new privacy challenges. We show that the BLE protocol together with the Bluetooth permission model implemented in the Android and iOS operating systems can be used for cross-app tracking unbeknownst to the individuals. Specifically, through experiments and analyses based on real-world smartphone data we show that by listening to advertising packets broadcasted by nearby BLE-enabled devices and recording information contained in them, app developers can derive fairly unique “fingerprints” for their users, which can be used for cross-app tracking, i.e., linking pseudonymous users of different apps to each other. We demonstrate that privacy protections put in place by the Bluetooth Special Interest Group, Google, and Apple are not sufficient to prevent such fingerprinting or to make cross-app tracking difficult to execute. Our main contribution is to demonstrate the feasibility of cross-app tracking using nearby BLE and raise awareness that changes are needed in order to prevent it from becoming widespread. We also propose mitigation strategies to decrease the feasibility of tracking using nearby BLE devices while preserving the utility of the BLE technology.
UR - http://www.scopus.com/inward/record.url?scp=85050374891&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85050374891&partnerID=8YFLogxK
U2 - 10.1145/3176258.3176313
DO - 10.1145/3176258.3176313
M3 - Conference contribution
AN - SCOPUS:85050374891
T3 - CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy
SP - 43
EP - 52
BT - CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy
PB - Association for Computing Machinery, Inc
T2 - 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018
Y2 - 19 March 2018 through 21 March 2018
ER -