Tracking The Identity of Devices By Their Bluetooth Signal Footprint

Even though the broadcast address has been randomized

Tracking The Identity of Devices By Their Bluetooth Signal Footprint

Even though the broadcast address has been randomized

Within BLE (Bluetooth Low Energy), there is a randomization of the address. But this randomness can sometimes be overcome through its usage of counters or from timings. In a new paper, the researchers have broken the address randomization using the Received Signal Strength Indication (RSSI) [here]:

Figure 1 [1]

The measurements of RSSI come from the advertising packets from the device and are linked to previous traces to re-identify it. This creates an RSSI fingerprint for the device. For devices which do not move, the research provides a 99% accuracy rate in correctly identifying a device.

In Figure 2, we can see that we monitor the signal strength from a device and where it may be using an address rotation to hide its identity. In this case, the address of AA:AA:AA:AA:AA has been mapped with BB:BB:BB:BB:BB:BB — due to the RSSI monitoring of advertising packets. The measurement of RSSI is in dBm, which is the signal strength in relation to 1mW for power. Overall, -3dB is a drop of one-half, and so, -3dBm is 0.5mW, -6dBm is 0.25mW, and so on. In the figure, we see that AA:…AA has an RSSI of -79dBm and -60dBm, and which is a difference of -19dBm — and where we have around six half power factors. A drop of -3dB thus is a half power drop:

https://asecuritysite.com/wireless/dbm

Figure 2: [1]

The team set up a single-receiver experiment, and also multiple receivers. From these experiments, the research team plotted the RSSI for devices and where able to define a basic RSSI fingerprint for the device (Figure 3).

Figure 3 [1]

Overall, they used the ROBERT (ROBust and privacy-presERving proximity Tracing) [2] dataset to run their experiments. Overall, ROBERT was used to perform proximity tracing around COVID-19 applications. Figure 4 outlines the data format used, and where the RSSI was mapped from transmitters to receivers and also to the distance between devices. With this, there are also scenarios matched, such as those related to indoor or outdoor measurements.

Figure 4: Data records [1,2]

Overall, a range of Machine Learning (ML) methods. This included HistGradientBoostingClassifier (HGT), RandomForestClassifier
(RF) and KNeighborsClassifier (kNN). For a range of devices (A…O), the paper outlines a strong correlation in matching the devices with a good true positive rate (Figure 5), and where Device A had a 100% success rate of classification for 44 vectors (Figure 6).

Figure 5 [1]
Figure 6: Test with the HGT algorithm [1]

The general accuracy of the ML methods varied with the RSSI, and with HGT less affected by RSSI strength (Figure 7).

Figure 7: Accuracy for ML method related to RSSI strength

Conclusions

The paper shows interesting results, and especially that the HistGradientBoostingClassifier (HGT) method seems to work best for a range of RSSI strengths from the transmitter. If you are interested in learning about dBms, try here:

That Pesky dBm!
I love wireless (wi-fi) communications. In fact, I did my PhD around the propagation of radio waves using Maxwell’s…billatnapier.medium.com

References

[1] Guillaume Gagnon, Sébastien Gambs, Mathieu Cunche. RSSI-based Fingerprinting of Bluetooth Low Energy Devices. International Conference on Security and Cryptography (SECRYPT 2023), Jul 2023, Rome, Italy.

[2] Castelluccia, C., Bielova, N., Boutet, A., Cunche, M., Lauradoux, C., Le Métayer, D., & Roca, V. (2020). ROBERT: ROBust and privacy-presERving proximity Tracing.