8

Companies, governments, etc. can track Bluetooth and WiFi network scans passively by looking at the same MAC address over space and time (Bluetooth/WiFi Identity tracking in public spaces - How to discover?). Starting in Android 8.0:

Android devices use random MAC addresses when probing for new networks while not currently associated to a network.
In Android 9, a developer option can be enabled (it is disabled by default) to cause the device to use a randomized MAC address when connecting to a Wi-Fi network. A different randomized MAC address is used per SSID.
MAC randomization prevents listeners from using MAC addresses to build a history of device activity, thus increasing user privacy.

Can something similar be implemented for Bluetooth MAC addresses? Is it implemented at start-up or do these addresses rotate periodically?

raphael

2 Answers

6

For Bluetooth Low Energy (BLE), this site mostly explains the problem: https://blog.bluetooth.com/bluetooth-technology-protecting-your-privacy

To safeguard user privacy, manufacturers can make use of a Bluetooth Smart feature known as “LE Privacy.” This feature causes the MAC address within the advertising packets to be replaced with a random value that changes at timing intervals determined by the manufacturer. Any malicious device(s), placed at intervals along your travel route, would not be able to determine that the series of different, randomly generated MAC addresses received from your device actually relates to the same physical device. It actually looks like a series of different devices, thus, it will not be possible to track you using the advertised MAC address.

On Stack Overflow, this might be interesting: https://stackoverflow.com/questions/23471364/private-vs-public-addresses-in-bluetooth-low-energy-on-android

To my knowledge, all current iPhones implement this, and also many Android (newer than 8.0) devices.

And yes, this is only 24 bits of randomness. This can be assumed to be enough. Since your device changes its MAC regularly, a sniffer has a chance of 1 / 16.777.216 of guessing what your next MAC is.
This (24 bits) is not enough for encryption, but this is not the problem to solve here.

For more information you can also look into the Bluetooth Core Specification, section 5.4.5: https://www.bluetooth.com/specifications/bluetooth-core-specification

Also note that a bonded device is capable of resolving the random MAC to the permanent (public) MAC.

raphael
maze
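
How a bonded device can resolve a rotating address while a passive listener cannot, as an added example that is not part of the answer above: a resolvable private address carries a 24-bit `prand` and a 24-bit hash computed from it with the Identity Resolving Key (IRK) exchanged during bonding. The function names are mine; the IRK and the first address are the Core Specification's sample data for its `ah` hash function, the other two addresses are constructed, and the classification assumes the address is already known to be of the random type.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
	"strings"
)

// parseAddr decodes "70:81:94:0D:FB:AA" (most significant byte first).
func parseAddr(s string) ([]byte, error) {
	b, err := hex.DecodeString(strings.ReplaceAll(s, ":", ""))
	if err != nil || len(b) != 6 {
		return nil, fmt.Errorf("bad address %q", s)
	}
	return b, nil
}

// kind classifies a random-type address by its two most significant bits.
func kind(addr string) string {
	b, err := parseAddr(addr)
	if err != nil {
		return "invalid"
	}
	return [4]string{"non-resolvable private", "resolvable private",
		"reserved", "static random"}[b[0]>>6]
}

// resolves checks hash == AES-128(IRK, 13 zero bytes || prand) mod 2^24.
func resolves(addr, irkHex string) bool {
	irk, err := hex.DecodeString(irkHex)
	if err != nil || len(irk) != 16 || kind(addr) != "resolvable private" {
		return false
	}
	block, _ := aes.NewCipher(irk) // cannot fail: key length checked above
	a, _ := parseAddr(addr)        // cannot fail: kind() already parsed it
	in, out := make([]byte, 16), make([]byte, 16)
	copy(in[13:], a[:3]) // prand is the upper half of the address
	block.Encrypt(out, in)
	return bytes.Equal(out[13:], a[3:]) // hash is the lower half
}

func main() {
	irk := "ec0234a357c8ad05341010a60a397d9b" // sample IRK, not a real device key
	for _, a := range []string{"70:81:94:0D:FB:AA", "70:81:94:0D:FB:AB", "C4:12:34:56:78:9A"} {
		fmt.Printf("%s  %-22s  resolves=%v\n", a, kind(a), resolves(a, irk))
	}
}
```

Without the IRK, the only thing an observer can compute from these addresses is the `kind` column.
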
1

This is already implemented in Bluetooth Low Energy (BLE) actually. Every time the transmitter is restarted on Android, the MAC will be randomized for its last 3 bytes.

Lucas Kauffman
  • That's only 24 bits of randomness. I doubt its purpose is for privacy. – forest Dec 28 '18 at 02:01
  • @forest which is the same as the example OP mentioned? – Lucas Kauffman Dec 28 '18 at 02:15
  • Does "restarting the transmitter" mean restarting the phone, or is this for every probing scan? Could you link to some recommended documentation? The docs I linked to did not mention this – raphael Dec 28 '18 at 15:06