Sunday 20 June 2010

Mobile Fingerprinting

Kim Cameron has been following through with some additional musings on the issues that have emerged from the Google WiFi Geolocation database debate and gives us a personal example from 2005 that shows how Bluetooth isn’t necessarily all that safe and how a simple behaviour (discoverability) can turn into a powerful tracking technology. It’s notable that even in 2005, when the idea of building a global database of identifiers was just a pipe dream, the problems were fairly clear as far as Kim was concerned.

I’d made a point in my earlier post that because these issues had been highlighted fairly early on in the commercial proliferation of Bluetooth that the manufacturers had pretty much sorted things out by adopting much safer defaults and implementing features like timeouts for discoverability. Newer devices are, by and large, better at keeping themselves quiet. Out of curiosity I just enabled Bluetooth on my iPhone and Laptop and scanned for nearby devices and found a total of 4 – my own two obviously showed up for each other but apparently someone called Danielle* has a phone nearby and there’s some other Bluetooth device that I could probably identify if I was to try to connect to it but I’m so not going there now. So even though there have been improvements in the field there are still some problems there. As an example of how this can be done intelligently – the iPhone’s Bluetooth is only “discoverable” when you have the Bluetooth menu open, it’s disabled once you close that menu.

There’s also the entire field of malicious interception of “secured” Bluetooth comms. It’s a sad fact that many devices use very poor pairing techniques and compromising the integrity of many supposedly secure Bluetooth connections isn’t particularly hard. From a casual users point of view that still serves a useful purpose – an entity like Google could never launch a global project to harvest Bluetooth ID’s using those techniques. That doesn’t stop some random attacker targeting individuals or small groups but at least it prevents large scale abuse, as I pointed out in my earlier post. As a healthy reminder of why my casual remark that the Bluetooth folks had made some good decisions shouldn’t be taken as a statement that Bluetooth is safe in anyway here’s a link to a presentation at this years Shmoocon about Bluetooth Keyboards which is really disturbing, especially (but not only) if you are still using XP.


*Name’s have been changed to protect those who devices are poorly configured. :)

No comments: