Cross-app tracking via nearby bluetooth low energy devices

Aleksandra Korolova, Vinod Sharma

Research output: Chapter in Book/Report/Conference proceedingConference contribution

24 Scopus citations

Abstract

Today an increasing number of consumer devices such as head phones, wearables, light bulbs and even baseball bats, are Bluetooth-enabled thanks to the widespread support of the technology by phone manufacturers and mobile operating system vendors. The ability for any device to seamlessly connect and exchange information with smartphones via Bluetooth Low Energy (BLE) protocol promises unlimited room for innovation. However, it also brings about new privacy challenges. We show that the BLE protocol together with the Bluetooth permission model implemented in the Android and iOS operating systems can be used for cross-app tracking unbeknownst to the individuals. Specifically, through experiments and analyses based on real-world smartphone data we show that by listening to advertising packets broadcasted by nearby BLE-enabled devices and recording information contained in them, app developers can derive fairly unique “fingerprints" for their users, which can be used for cross-app tracking, i.e., linking pseudonymous users of different apps to each other. We demonstrate that privacy protections put in place by the Bluetooth Special Interest Group, Google, and Apple are not sufficient to prevent such fingerprinting or to make cross-app tracking difficult to execute. Our main contribution is to demonstrate the feasibility of cross-app tracking using nearby BLE and raise awareness that changes are needed in order to prevent it from becoming widespread. We also propose mitigation strategies to decrease the feasibility of tracking using nearby BLE devices while preserving the utility of the BLE technology.

Original languageEnglish (US)
Title of host publicationCODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy
PublisherAssociation for Computing Machinery, Inc
Pages43-52
Number of pages10
ISBN (Electronic)9781450356329
DOIs
StatePublished - Mar 13 2018
Externally publishedYes
Event8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018 - Tempe, United States
Duration: Mar 19 2018Mar 21 2018

Publication series

NameCODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy
Volume2018-January

Conference

Conference8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018
Country/TerritoryUnited States
CityTempe
Period3/19/183/21/18

All Science Journal Classification (ASJC) codes

  • Computer Science Applications
  • Information Systems
  • Software

Fingerprint

Dive into the research topics of 'Cross-app tracking via nearby bluetooth low energy devices'. Together they form a unique fingerprint.

Cite this