Bluetooth flaw could leave iPhones, Macs and more susceptible to tracking


What you need to know

  • A new Bluetooth flaw could leave you open to third-party tracking.
  • The issue affects iPhones, iPads, Macs, Apple Watches, Windows 10 devices and Fitbit devices.
  • The flaw makes it possible to follow the random MAC address Bluetooth uses by guessing the immediate next address, and so to keep tracking the device.
  • A simple solution is to turn Bluetooth off and on again on your device, which randomizes the address again.

There's a new security flaw to worry about, and it affects iPhones, iPads, Macs, Windows 10 devices, and Fitbit devices. The new Bluetooth flaw, discovered by researchers at Boston University, leaves devices open to third-party tracking.

Researchers from Boston University (BU) have discovered a flaw in the Bluetooth communication protocol that could expose most devices to third-party tracking and leak identifiable data.

Here's how the flaw works:

The vulnerability allows an attacker to passively track a device by exploiting a flaw in the way Bluetooth Low Energy (BLE) is implemented to extract identifying tokens like the device type or other identifiable data from a manufacturer. The vulnerability discovered by BU researchers exploits this secondary random MAC address to successfully track a device. The researchers said the "identifying tokens" present in advertising messages are also unique to a device and remain static for long enough to be used as secondary identifiers besides the MAC address.

Normally, a Bluetooth device uses random MAC addresses, but the flaw makes it possible to pinpoint the address, track the device and possibly even lift information off it.

Neither Apple nor any other company has commented on the issue. It's unclear if they can patch the flaw with an over-the-air update. A simple solution you can use right now is turning your Bluetooth off and on again, which will randomize the address and change the payload, eliminating the vulnerability.
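The carry-over behind the flaw, and the effect of changing address and payload together, can be checked on a device you own by logging its advertisements and looking for rotations where only one of the two values changed. This Python sketch is an added example, not code from the Boston University paper; the record layout, function names and sample log are constructed for illustration.

```python
from collections import namedtuple

# Assumed record layout (not from the paper): capture time in seconds,
# advertising address, and the identifying token found in the payload.
Adv = namedtuple("Adv", "t addr token")

# Constructed sample log from a single test device.
SAMPLE = [
    Adv(0,    "5a:11:22:33:44:01", "a1b2"),
    Adv(300,  "5a:11:22:33:44:01", "a1b2"),
    Adv(600,  "7c:aa:bb:cc:dd:02", "a1b2"),  # address rotated, token stayed
    Adv(900,  "7c:aa:bb:cc:dd:02", "c3d4"),  # token rotated, address stayed
    Adv(1200, "4e:10:20:30:40:03", "e5f6"),  # both rotated together
]

def audit_rotation(log):
    """List every rotation where address and token did not change together.

    Each finding is (time, what_changed, value_that_carried_over)."""
    findings = []
    for prev, cur in zip(log, log[1:]):
        addr_changed = prev.addr != cur.addr
        token_changed = prev.token != cur.token
        if addr_changed and not token_changed:
            findings.append((cur.t, "address", cur.token))
        elif token_changed and not addr_changed:
            findings.append((cur.t, "token", cur.addr))
    return findings

def clean_rotations(log):
    """Times at which address and token changed in the same step,
    leaving no static value to connect the old identity to the new one."""
    return [cur.t for prev, cur in zip(log, log[1:])
            if prev.addr != cur.addr and prev.token != cur.token]

if __name__ == "__main__":
    for t, changed, carried in audit_rotation(SAMPLE):
        print(f"t={t}s: {changed} rotated alone; {carried} carried over")
    print("synchronized rotations at:", clean_rotations(SAMPLE))
```

An empty result from `audit_rotation` means every rotation in the log changed both values at once, which is the outcome the off-and-on toggle is described as producing.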

The entire Boston University paper is worth reading up on.

Danny Zepeda