Wednesday, September 11, 2013

Is your iPhone broadcasting your name via Bluetooth?

Very likely!

I developed BlueScan, an Android Bluetooth scanner, as a research project to better understand Bluetooth usage in the wild. The app scans for Bluetooth devices (Low Energy and Classic) and stores the results in a database on the phone which can then be downloaded for analysis.  As a mobile app, it allows me to identify nearby Bluetooth signals as I'm driving around town - essentially war driving for Bluetooth except that it's scanning passively - it just listens for broadcasts but does not initiate any connections.

Initial Observations: 

After a couple of days of on-again off-again scanning as I tested the app, I had a look at the data I had collected. The most obvious observation based a small dataset of 152 devices was that one quarter of the Apple users (mostly iPhones, iPads and Macbooks) were broadcasting their full names via Bluetooth

Here is the breakdown based on the 152 devices in the dataset:

  • 36 of the 152 devices were Apple devices
  • 9 of the Apple devices included both first name and last name identifier, as in "John Abraham's iPhone"
  • 19 of the Apple devices had just a first name identifier such as "John's MacBook Pro"
  • Only 8 of the 36 Apple devices were broadcasting but not including some sort of personal or device naming in their broadcasts

In infosec, we'd characterize this as unnecessary information disclosure. While information disclosure by itself is not always a high risk security issue in the enterprise information security realm, it's best practice to avoid doing so. In the consumer realm this is a privacy issue and you never how or when this kind of information can be used or aggregated with some other data. Given the number of Bluetooth scanners in public places thanks to the adoption of Bluetooth Low Energy and the boost from iBeacon, Apple users should be aware of this. 

1 comment:

  1. Hi John

    Interesting article. And depressing. As usual, developers value user convenience over security, until the brown stuff hits the whirly thing. Not sure what exactly should be my advice to colleagues, though, apart from leaving Bluetooth off whenever you're not needing it. Where does the identifier get configured? How does one edit it to show less information?