Information leaks from wearable devices with Bluetooth Low Energy: Computer Weekly

Written By notebooktabletphone

Researchers at Context Information Security (Context) in the UK have expressed privacy concerns about the increasing number of devices using Bluetooth Low Energy (BLE).


This article is an abridged version of the article published in the premium content "Computer Weekly Japanese Edition July 1st" (PDF). The full text of this article can be read with the same premium content.


BLE is a low power consumption version of Bluetooth established by the Bluetooth Special Interest Group (SIG), which aims to continuously transmit signals with very low power consumption. Not compatible with traditional Bluetooth, it was developed as a personal wireless technology to quickly detect devices.

Typical personal devices with built-in BLE include mobile phones, Apple's "iBeacon", and wearable devices. Wearable devices are increasing in number day by day, primarily using BLE to communicate with mobile apps to monitor people's behavior, exercise and heart rate.

Context researchers have developed their own app to show how easy it is to capture, monitor, and record BLE signals.

A week before the company released its research report, China banned the PLA from wearing Internet-connected wearable technology. The BBC reported that the Chinese military newspaper pointed out that all wearable technologies capable of processing and transferring data could track individual soldiers and leak military secrets.

Scott Lester, senior researcher at Context, said at a symposium at Oasis, a US security firm in London: "Fitness devices are constantly disseminating information, and while this dissemination characterizes the device's personality, many people wearing fitness devices are unaware of it."

"Even cheap hardware and smartphones may be able to identify and locate unique devices owned by celebrities, politicians, and business executives within 100 meters of the outdoors."

"This information could be used for social engineering as part of a planned cyberattack, or a real crime could be committed by understanding people's behavior."

According to Lester, BLE uses MAC addresses like any other network protocol. Almost all BLE devices are assigned a random MAC address, but Context research found that in most cases the MAC address did not change.

"The fitness recording app I'm using hasn't changed with the same MAC address since I started the survey. I used up the battery once, but the result was the same," he said.

In addition, the packet sent may include the device name (such as "Garmin Vivosmart # 12345678") or the user name (such as "Scott's Watch").
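The two points above, an address that does not rotate and a name carried in the packet, can be checked on captures of your own devices' advertisements. The Python below is an added example, not code from Context's research or app. The capture tuples, function names and sample addresses are constructed assumptions; the classification relies on the two most significant bits of a BLE random address and on advertising data types 0x08 and 0x09 (shortened and complete local name).

```python
AD_SHORT_NAME, AD_COMPLETE_NAME = 0x08, 0x09

def parse_ad(payload: bytes) -> dict:
    """Split advertising data ([length][type][data]...) into {type: data}."""
    fields, i = {}, 0
    while i < len(payload):
        length = payload[i]  # counts the type byte plus the data bytes
        if length == 0 or i + 1 + length > len(payload):
            break  # zero padding or a truncated structure
        fields[payload[i + 1]] = payload[i + 2:i + 1 + length]
        i += 1 + length
    return fields

def random_address_kind(addr: str) -> str:
    """Classify a BLE random address by its two most significant bits."""
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")

def audit(captures):
    """captures: (day, random address, payload). Returns {address: findings}."""
    days, names = {}, {}
    for day, addr, payload in captures:
        days.setdefault(addr, set()).add(day)
        fields = parse_ad(payload)
        raw = fields.get(AD_COMPLETE_NAME) or fields.get(AD_SHORT_NAME)
        if raw:
            names[addr] = raw.decode("utf-8", "replace")
    report = {}
    for addr, seen in days.items():
        findings = []
        if random_address_kind(addr) == "static":
            findings.append("static random address (no periodic rotation)")
        if len(seen) > 1:
            findings.append(f"same address seen on {len(seen)} days")
        if addr in names:
            findings.append(f"name in advertisement: {names[addr]!r}")
        if findings:
            report[addr] = findings
    return report

def make_ad(ad_type: int, data: bytes) -> bytes:
    return bytes([len(data) + 1, ad_type]) + data  # one AD structure

SAMPLE = [  # constructed captures, not real devices
    (1, "C4:11:22:33:44:55", make_ad(0x01, b"\x06") + make_ad(0x09, b"Scott's Watch")),
    (9, "C4:11:22:33:44:55", make_ad(0x01, b"\x06") + make_ad(0x09, b"Scott's Watch")),
    (1, "5A:01:02:03:04:05", make_ad(0x01, b"\x06")),
]
if __name__ == "__main__": print(audit(SAMPLE))
```

A device that uses resolvable private addresses and keeps its name out of the advertisement produces no findings, as the third sample record shows.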

The number of mobile phones that support BLE is increasing. "iOS 5" or later, "Windows Phone 8.1", "Windows 8", "Android 4.3" or later, and "BlackBerry 10" support BLE.

The Bluetooth SIG predicts that by 2018, more than 90% of Bluetooth-enabled smartphones will support BLE. Meanwhile, the number of Bluetooth-enabled cars is expected to reach 50 million.

According to Lester, iBeacon, already in place at the Apple Store, sends BLE packets to locate and tailor notifications to customers visiting the store. British Airways and Virgin are also using iBeacon in their boarding pass apps to give passengers visiting the lounge their Wi-Fi passwords.


The House of Fraser in the UK is using iBeacon on a mannequin on a trial basis to allow customers to see how their clothes are worn and their prices on their smartphones.

In iBeacon's current model, the beacon itself is not active. In other words, an app that supports iBeacon needs to detect the beacon and respond to it.

"But it's easy to imagine that mobile phone makers will offer products that come pre-loaded with iBeacon-enabled apps, so that just by passing in front of a particular store, you will have information about that store's sale displayed on your mobile phone," Lester said.

Version 4.2, the current version of the Bluetooth Core Specification, stipulates that BLE implements public key cryptography so that it can support various authentication methods while keeping the packet size small.

"Many BLE devices don't support authentication, and many of the products we see don't implement encryption. That's because it can significantly reduce battery life and make applications more complex," says Lester.

According to him, BLE is a powerful technology and it is clear that it will be used more and more widely.

"The ability to detect and track devices may not pose a serious risk, but there is certainly the potential for it to threaten privacy and be part of a broader social engineering threat. This shows that companies rushing to launch products with new technologies aren't paying close attention to security."

IoT growth and BLE

Devices that use BLE are also thought to have played a part in the rapid growth of the IoT (Internet of Things).

Researchers cautioned in May 2015 that there are important areas in which the industry supporting IoT devices and services must provide adequate security.

Beecham Research's IoT Security Threat Map shows the main areas where internal and external attacks can occur and need to be addressed by the fast-growing IoT industry.

"We haven't seen any serious IoT breaches yet because IoT hasn't been deployed in consumer or enterprise applications in large quantities to appeal to attackers," said John Howes, technical director at Beecham Research.

"In the past, machine-to-machine (M2M) applications with limited edge devices, single networks, and custom platforms have received a lot of attention, which is relatively easy for security experts to tolerate. Can protect applications up to "

However, according to Howes, IoT has expanded into various fields and now uses multiple devices and networks, from satellites to mobile phones, and with the increase in the number of IoT platforms and big data systems, diverse security threats are beginning to appear at various levels and in various aspects.

He is concerned that, if the industry doesn't keep pace as the variety of devices, networks, platforms, and applications that support the IoT proliferates, vulnerabilities will increase and malicious attacks will increase accordingly.


Copyright © ITmedia, Inc. All Rights Reserved.