Device discovery and tracing in the Bluetooth Low Energy domain

Bluetooth Low Energy (BLE) is a pervasive wireless technology all around us today. It is included in most commercial consumer electronic devices manufactured in the last years, and billions of BLE-enabled devices are produced every year, mostly wearable or portable ones like smartphones, smartwatches, and smartbands. The success of BLE as a cornerstone in the Internet of Things (IoT) and consumer electronics is both an advantage, enabling short range, low cost, and low power consumption wireless communications, and a disadvantage, from a security and privacy standpoint. BLE exposes packets that enable a potential attacker to detect, enquire and fingerprint actual devices despite manufacturers’ attempts to avoid detection and tracking. Medium Access Control (MAC) address randomization was introduced in the BLE standard to solve some of these issues. In this paper we discuss how to detect and fingerprint BLE devices, basing our analysis and data collection on interactions allowed by the standard. In our study, we propose the Bluetooth Low Energy Nodes Detect, Enquire, (and) Recognition (BLENDER) framework for enumerating and fingerprinting BLE devices for crowd monitoring and recognition purposes, based on four different strategies used to analyze BLE-enabled devices. We will show that it is possible to associate BLE randomized MAC addresses to actual devices. We will then describe a proof of concept for large-scale data collection. In addition, to determine the spots where the stations could be optimally positioned, we created a synthetic dataset based on mobility models and then we emulated the BLENDER approach. The latter allowed training Machine Learning models to predict the expected number of devices appearing at any particular position, day, and hour.