Hardware flaws give Bluetooth chipsets unique fingerprints • The Register

2022-06-18 20:08:18 By : Mr. JINGGUANG HU

Researchers at the University of California San Diego have shown for the first time that Bluetooth signals each have an individual, trackable, fingerprint.

In a paper presented at the IEEE Security and Privacy Conference last month, the researchers wrote that Bluetooth signals can also be tracked, given the right tools.

However, there are technological and expertise hurdles that a miscreant would have to clear today to track a person through the Bluetooth signals in their devices, they wrote.

"By their nature, BLE [Bluetooth Low Energy] wireless tracking beacons have the potential to introduce significant privacy risks," the researchers wrote. "For example, an adversary might stalk a user by placing BLE receivers near locations they might visit and then record the presence of the user's beacons."

The researchers – who hail from the school's departments of Computer Science and Engineering and Electrical and Computer Engineering – pointed to the applications governments added to Apple iOS and Android devices used in the COVID-19 pandemic that send out constant Bluetooth signals – or beacons – for contact-tracing efforts.

Other examples include the BLE beaconing that Microsoft and Apple added to their operating systems for such features as tracking lost devices, connecting smartphones to wireless devices such as earphones or speakers, and enabling users to switch more seamlessly between devices.

"Therefore, BLE beacons are now common on many mobile platforms, including: phones, laptops, and smartwatches," they wrote.

According to the paper, these devices constantly transmit signals at a rate of around 500 beacon signals per minute. To address issues of security and privacy, many BLE proximity applications use such measures as cryptographically anonymizing and periodically rotating the identity of a mobile device in their beacons. They will routinely re-encrypt the MAC address of the device, while the COVID-19 contact-tracing applications rotate identifiers so receivers can't link beacons from the same device.

That said, a person could get past these barriers by fingerprinting the device at a lower layer, according to the researchers. Previous studies have shown that wireless transmitters, in Wi-Fi for instance, have small imperfections accidentally introduced during manufacturing that are unique to each device.

The UC San Diego scientists found that similar imperfections in Bluetooth transmitters create distortions that can be used to create a similar unique fingerprint. The fingerprints can be used to track devices and, thus, their users.

That said, it's not an easy process.

An attacker would first need to isolate the target to capture the fingerprint in the wireless transmissions and find the unique physical-layer features of the device's Bluetooth transmitter. After that, they would need to have a receiver in a place the device might be and have it passively sniff for the target's Bluetooth transmissions.

"They will know when the target device is near the receiver when it captures one or more packets that match the target's physical layer fingerprint," the researchers wrote.

"The more frequently the BLE device transmits, the more likely the attacker is to receive a transmission if a user passes by. Also, the more accurate the fingerprinting technique is, the better the attacker can differentiate the target from other nearby devices."

To do all this, the attacker needs to have a radio receiver that can record raw radio signals. The researchers warned that a hobbyist device in the $150 price range could do the job.

In addition, the researchers had to create an algorithm for the work. Wi-Fi signals have a long and known sequence called the "preamble" – but those for Bluetooth are very short.

The algorithm skips the Bluetooth preamble and instead estimates two different values in the entire signal. This is where the defects can be found and the unique fingerprint identified.

The researchers developed a fingerprinting toolkit and associated methodology they used to assess how many mobile devices could be identified in public areas like coffee shops and public hallways. One test found that 40 percent of 162 devices detected were identifiable via their unique fingerprints; in another experiment 47 percent of 647 mobile devices could be identified.

In another test, they tracked a volunteer who had an iPhone as they walked in and out of their home over an hour-long period. Simulating an attack, they were able to track the person during most of that time.

However, anyone trying to track a person via their mobile device's Bluetooth signals will run into challenges. Among them are that Bluetooth devices have varying chipsets that all have different hardware implementations, and some devices have less powerful Bluetooth transmissions than others. In addition, temperature can affect the Bluetooth fingerprint. The researchers also noted that an attacker would need a certain level of technological expertise to pull this off.

Devices "may be similar to other devices of the same make and model. Or, they may not even have certain identifying features if they are developed with low power radio architectures," they wrote.

"By evaluating the practicality of this attack in the field, particularly in busy settings such as coffee shops, we found that certain devices have unique fingerprints, and therefore are particularly vulnerable to tracking attacks. Others have common fingerprints – they will often be misidentified."

The upshot is that mobile devices can be tracked via their Bluetooth signals, and the equipment necessary isn't overly expensive. "However, an attacker's ability to track a particular target is essentially a matter of luck," the researchers wrote. ®
