Tracking and location detection through Bluetooth is one of the foremost concerns for any user with a Bluetooth handset. It can expose personal information about travel, whereabouts and habits, and can even lead to other types of attacks, including information interception and attacks on businesses. The act of an attacker using a Bluetooth device to connect to and track another Bluetooth device is called BlueTracking.
The BlueTracking attack is mostly used for espionage and can be used for blackmail, but it is less effective than a number of other Bluetooth attacks, mostly because of the Bluetooth chipset used in most phones and devices. Bluetooth chips come in three classes, which mainly determine the range at which they are effective. Class 1 chips, used in many Bluetooth dongles for personal computers, have a range of about 100 meters. Because of the small form factor and portability of these devices, experiments have successfully extended their range to up to 1 kilometer with special equipment; the author of [2] confirmed that he could extend the range to 230 meters with an average 5 dBi antenna, and to 500 meters with a 14 dBi antenna, both soldered to the antenna contacts. This means that a class 1 device would be the primary attack medium for a BlueTracking attack, mainly because it covers the largest area. Because Bluetooth was meant to be a relatively short-range wireless technology, the attacker, even with a class 1 Bluetooth device, would still have to be relatively close; this topic is covered later in this section.
Class 2 chipsets are used in most mobile phones and smaller devices, giving the user a communication range of approximately 10 meters [2]. Using these devices in a BlueTracking attack implies that the attacker would have to be within a relatively close range of the victim, giving the attacker a larger likelihood of being seen or discovered. No attempts at extending the range of class 2 devices could be found in the given sources or in further research.
Class 3 chipsets follow on from the class 1 and class 2 chipsets and are said to have their best range when used “well within 10 m” [3]. The same authors later estimate the best range for class 3 devices to be up to 3 meters, giving them the least likelihood of being victims of attack, because the attacker would have to be right on the victim's heels, or could only detect them while the victim was walking by at a close distance. The devices that use class 3 chipsets are mainly Bluetooth earpieces for wireless communication between the earpiece and the phone.
For any type of attack, using any class of Bluetooth chipset, the most common vulnerability, and the most common opening for an attacker to exploit the device, is a victim device left in discoverable mode. The first problem with leaving a device in discoverable mode is that if a phone or similar device can be found, some of its basic Bluetooth functions are not guarded and do not require the user to acknowledge their use. For example, the address book, calendar information and business card information are all stored in the phone’s memory as files, with similar naming schemes across phones [1]. If an attacker gets within range for even a minute, the amount of time it takes a person to check out at the grocery store or stand in line to buy a ticket or board a train, the attacker can retrieve their address book or calendar. These two items are of a personal nature and may not seem like an overly bad thing for others to see, but they are two files that can help the attacker plan further attacks or blackmail the owner of the victim device. A set of phone numbers for personal contacts can very easily contain information about relatives, coworkers and supervisors, all of which could be compared with the calendar.
Overall, this vulnerability has mostly been corrected with newer phones, newer firmware for the phones, and an overall education being passed on to the consumer about how to change or fix this problem. At the same time, many people who are used to a single phone or Bluetooth device, and do not have the technical knowledge to switch it between discoverable and non-discoverable Bluetooth mode, do not want to switch to a newer phone, nor do they have the knowledge to upgrade the firmware [1]. This seems to be one of the most vulnerable and dangerous aspects of BlueTracking.
The main issue in tracking, and in leaving a device in discoverable mode, is the way Bluetooth actually works. Bluetooth is similar to other wireless networking schemes in that it works on a server-client relationship [3]. When the client, or victim device, is left in discoverable mode, it constantly allows for the broadcast and receipt of broadcast messages, which allow it to be “seen” in what seems like an endless sea of electromagnetic waves. When the attacking device receives a message from the victim device, the victim device provides its hardware address, commonly referred to as its BD_ADDR, its internal clock, CLKN, and its frequency hop synchronization, FHS [3]. If an attacker has all three of these, they have the “keys to the castle”: they are now able to break any sort of encryption put on the phone by attacking the encryption based on the hardware address. The attacker also does not have to listen to and analyze the hop sequence that the victim device uses to avoid interference, but already has it to use for listening in on broadcast or sent messages.
The BD_ADDR, or hardware address, of a device is the most important item for accessing or cracking a device, even when the victim device is not in discoverable mode [7]. If an attacker, based on previous observation or other means, knows that a device is within range, even if the device is not in discoverable mode, the attacker can try to connect directly using the hardware address of the device. If the device has an access code or personal identification number (PIN) that is required to access the information on the device, this can be found by a brute force attempt at guessing the code. Since most people only use the common 4-digit combination for a personal identification number on devices, the brute force attack would take a maximum of 4^10 tries to discover a personal identification number, and this has been developed to be done in parallel between a number of Bluetooth devices [7].
A number of experiments have been done to prove most of the points given in this paper. The first, done by the author of [4], was a discovery experiment using 3 Bluetooth devices arranged in an overlapping triangular area to attempt to discover as many other devices in a crowded area as possible. It was conducted over a 6-month period in a university setting, once in a university building and a second time at an exhibition stand at the CeBIT 2004 conference. This situation could be compared to one in which an attacker goes to a conference with malicious intent, rather than just for experimental detection. Within just the conference time period, a total of seven days, 5294 devices were detected as people merely walked by with their phones or other Bluetooth devices set to discoverable mode. The most frightening detail in the report on the results is that approximately 70% of all the devices found in the conference experiment were “Vulnerable again SNARF attacks”, SNARFing being the ability of the attacker to steal a victim's phone numbers, calendar information and transmitted packets, as defined above.
Another disturbing fact in the [4] report was the sentence “1% of users chose their real name as [the] device name. At that point profound threats arise, because BlueTrack traces can be linked to natural persons.” This furthers the main point of this section: if these people walking by the exhibition were being tracked, rather than just recorded, one could associate their phones with times and, given enough sensors or calculations, successfully track the person's movements, having their device identity and real name to use for this purpose.
A second experiment, done by the author of [3], used the open connection ability of Bluetooth devices and a number of Bluetooth nodes placed in an office building to triangulate the positions of employees within the building, down to the area of a specific office. Though the author comments that “Bluetooth might be a viable technology for triangulations, but not for calculating or measuring accurate distance”, the experiment shows the true danger of leaving a Bluetooth device in discoverable mode: within a given range, i.e. a 10 meter radius in the case of a class 2 Bluetooth device, a person can be located, and when more than one sensor is used, for example 3 with overlapping radiuses of 3 meters each, a person can be tracked even more accurately.
Though the concept may be different, this was similar to what a group of students did in a number of Dutch train stations, specifically Amsterdam Amstel, Utrecht Central Station and Amsterdam Central Station. The students in [5] set up a number of Bluetooth laptops within the train station and eventually boarded the train to continue both their journey and their study on to Utrecht. While still in the station they began scanning for open Bluetooth devices. Their results were quite telling of the vulnerabilities and the very real ability for Bluetooth devices to be tracked. Over the course of their observations, within two hours and twenty minutes on the train and in the station, they were able to pick up a total of 1877 devices within the vicinity of the laptops. The frightening detail that only 1712 of these were unique was also presented in the paper, showing that 165 devices could have their hardware addresses recorded and eventually tracked. With further study, 44 of those devices were actually tracked between Amsterdam Amstel and Amsterdam Central Station, proving that without much effort, and without a real desire to do so, the hardware addresses could be tracked based only on how long and where they were picked up and where they eventually went out of range.
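The arithmetic of the train-station study (sightings, unique addresses, addresses seen again at another station) is easy to reproduce on any passive scan log. The following is an added example, not the students' code or data: it parses a constructed log in an assumed "<date> <time> <station> <BD_ADDR>" format, computes the same headline numbers, derives movement traces from nothing but the addresses announced while discoverable, and shows how a researcher would store such traces under a keyed hash rather than the raw BD_ADDR.

```python
"""
Station-hopping analysis of a passive Bluetooth scan log, as described for
the Dutch train-station study [5]: how many sightings, how many distinct
hardware addresses, and which addresses turned up at more than one station.
Added example with a constructed log; not the students' code or data.
Assumed log format: "<date> <time> <station> <BD_ADDR>", one sighting per
line.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed scan log: addresses and times are made up for illustration.
SCAN_LOG = """\
2005-06-05 09:00:10 Amstel            00:11:22:33:44:01
2005-06-05 09:00:40 Amstel            00:11:22:33:44:01
2005-06-05 09:01:00 Amstel            00:11:22:33:44:02
2005-06-05 09:02:00 Amstel            00:11:22:33:44:04
2005-06-05 09:20:05 Amsterdam_Central 00:11:22:33:44:01
2005-06-05 09:21:00 Amsterdam_Central 00:11:22:33:44:03
2005-06-05 09:22:00 Amsterdam_Central 00:11:22:33:44:04
2005-06-05 09:25:00 Amsterdam_Central 00:11:22:33:44:03
2005-06-05 09:55:00 Utrecht_Central   00:11:22:33:44:04
2005-06-05 10:00:00 Utrecht_Central   00:11:22:33:44:05
"""


@dataclass(frozen=True)
class Sighting:
    when: datetime
    station: str
    addr: str  # BD_ADDR as announced in the inquiry response


def parse_log(text: str) -> List[Sighting]:
    """One Sighting per non-empty line; a malformed line raises ValueError."""
    sightings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, station, addr = line.split()
        sightings.append(Sighting(datetime.fromisoformat(f"{date} {time}"),
                                  station, addr.upper()))
    return sightings


def summarize(sightings: List[Sighting]) -> Dict[str, int]:
    """The three headline numbers the study reports: sightings, unique
    addresses, and sightings of an address that had already been seen."""
    addrs = [s.addr for s in sightings]
    unique = len(set(addrs))
    return {"detections": len(addrs), "unique": unique,
            "repeated": len(addrs) - unique}


def movement_traces(sightings: List[Sighting]) -> Dict[str, List[Tuple[str, datetime, datetime]]]:
    """For every address seen at two or more stations, its legs as
    (station, first_seen, last_seen) in order of first sighting. This is the
    whole tracking step: no connection to the device is needed, only the
    addresses it announced while discoverable."""
    per_addr: Dict[str, Dict[str, List[datetime]]] = defaultdict(lambda: defaultdict(list))
    for s in sightings:
        per_addr[s.addr][s.station].append(s.when)
    traces = {}
    for addr, stations in per_addr.items():
        if len(stations) < 2:
            continue  # seen at one place only: a dwell time, but no movement
        legs = [(st, min(ts), max(ts)) for st, ts in stations.items()]
        legs.sort(key=lambda leg: leg[1])
        traces[addr] = legs
    return traces


def pseudonymize(addr: str, study_key: bytes) -> str:
    """Keyed hash under which a researcher can store traces without keeping
    raw BD_ADDRs. A plain hash would not do: 48-bit addresses are few enough
    to invert by enumeration, so the secret key is what prevents linking a
    stored trace back to a device (and, via its device name, to a person)."""
    mac = hmac.new(study_key, addr.upper().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


if __name__ == "__main__":
    sightings = parse_log(SCAN_LOG)
    print(summarize(sightings))
    key = b"constructed-study-key"
    for addr, legs in movement_traces(sightings).items():
        route = " -> ".join(f"{st} ({a:%H:%M}-{b:%H:%M})" for st, a, b in legs)
        print(pseudonymize(addr, key), route)
```

On the constructed log this reports 10 sightings of 5 distinct addresses (5 repeats) and two addresses that moved between stations, one of them across all three. The only input is the inquiry response, which is why the study's numbers follow from discoverable mode alone.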
In addition to the observations about passengers that the authors made, they also discovered that all members of the Dutch railways staff have their phones set to constant discovery mode [5]. Though the authors may not have been able to use this, and this author can’t use it any time soon, it can be pointed out that “fare dodgers”, as they called them, could very easily go between one train station and another, using a Bluetooth device similar to the one the students used, and track the movements of train conductors. This would allow them to roughly time when the conductor would come by to check tickets and to hide so that a ticket would not be needed.
This brings up an additional point that could be considered the worst case scenario of this section. Currently there are viruses and worms available for mobile devices such as laptops, personal digital assistants and cell phones alike [2]. Dutch railway staff having their cell phones in discoverable mode at all times could possibly allow either of these malicious programs to be transferred to the cell phone without the owner's knowledge and, with the right coding, allow it to spread to any device it was able to contact successfully over its Bluetooth link. Assuming that the conductors at some point all come within contact range of each other and then must check the tickets of each and every passenger on the train, this would mean that 1877 devices could be infected with the virus or worm all within 2 hours and twenty minutes. This could feed a potential hacker, who decides to walk down the train on an “innocent walk”, every person's address book and calendar, or, without even coming into contact with any of the users, could cause a denial of service. Another worst case scenario would be that newer handsets, which include GPS tracking devices, could have information sent to the hacker over mobile internet, thus tracking the user as long as they have their GPS-enabled phone and no knowledge of the mobile virus.
Tracking has so far been seen in a negative light, but there are positive uses for it. One of these has been implemented at Aalborg Zoo in Denmark, where parents can be issued Bluetooth tracking devices for children as they browse the zoo. Bluetooth sensor nodes are placed at different points within the zoo and allow text messages to be sent to the parents’ phones when they fear they have lost their child. A message is sent to the phone based on a position triangulated from a number of nodes [3].
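Both the office-building experiment of [3] and the Aalborg Zoo system rest on the same step: several fixed nodes with overlapping coverage, and a device's position inferred from which of them can see it. The following is an added example, not code from the paper or from [3]. It assumes node positions and a nominal detection radius are known and that the only measurement is "node N saw the device" (no signal-strength distance estimate, consistent with the remark that Bluetooth suits triangulation but not accurate distance measurement); the feasible region is sampled on a grid and reduced to a centroid plus an uncertainty figure.

```python
"""
Locating a discoverable Bluetooth device from which fixed sensor nodes can
see it. Added example; not code from the paper or from [3]. Assumptions:
node positions and a nominal detection radius are known, and the only
measurement available is "node N saw the device" (no distance estimate).
"""
from dataclasses import dataclass
from math import hypot
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SensorNode:
    name: str
    x: float       # metres, in a constructed site coordinate system
    y: float
    radius: float  # nominal detection radius in metres


def feasible_points(nodes: Iterable[SensorNode], seen_by: Set[str],
                    step: float = 0.1) -> List[Tuple[float, float]]:
    """Grid-sample every position from which the device would be seen by
    exactly the nodes in `seen_by`: inside each seeing node's radius and
    outside every other node's radius."""
    nodes = list(nodes)
    seeing = [n for n in nodes if n.name in seen_by]
    blind = [n for n in nodes if n.name not in seen_by]
    if not seeing:
        return []
    # Search box: the union of the seeing nodes' bounding squares.
    xmin = min(n.x - n.radius for n in seeing)
    xmax = max(n.x + n.radius for n in seeing)
    ymin = min(n.y - n.radius for n in seeing)
    ymax = max(n.y + n.radius for n in seeing)
    nx = int(round((xmax - xmin) / step)) + 1
    ny = int(round((ymax - ymin) / step)) + 1
    points = []
    for i in range(nx):
        x = xmin + i * step
        for j in range(ny):
            y = ymin + j * step
            inside_all = all(hypot(x - n.x, y - n.y) <= n.radius for n in seeing)
            outside_rest = all(hypot(x - n.x, y - n.y) > n.radius for n in blind)
            if inside_all and outside_rest:
                points.append((x, y))
    return points


def locate(nodes: Iterable[SensorNode], seen_by: Set[str],
           step: float = 0.1) -> Optional[Tuple[float, float, float]]:
    """Return (x, y, uncertainty): the centroid of the feasible region and
    the distance from it to the farthest feasible point. None when the
    detections contradict the layout (for example two nodes far apart both
    claiming to see the device), which is worth flagging rather than
    averaging away."""
    pts = feasible_points(nodes, seen_by, step)
    if not pts:
        return None
    cx = sum(p[0] for p in pts) / len(pts)
    cy = sum(p[1] for p in pts) / len(pts)
    unc = max(hypot(p[0] - cx, p[1] - cy) for p in pts)
    return cx, cy, unc


# Constructed layout: three nodes with a 3 m radius, placed so that their
# coverage areas overlap, as in the text's example.
OFFICE_NODES = [
    SensorNode("A", 0.0, 0.0, 3.0),
    SensorNode("B", 4.0, 0.0, 3.0),
    SensorNode("C", 2.0, 3.5, 3.0),
]


def estimate_with_overlap():
    """Device seen by all three nodes: the estimate is confined to the
    small lens where all three circles overlap."""
    return locate(OFFICE_NODES, {"A", "B", "C"})


def estimate_single_node():
    """Same device seen by node A only: the feasible area is the part of
    A's circle not covered by B or C, a much larger region."""
    return locate(OFFICE_NODES, {"A"})


if __name__ == "__main__":
    print("three nodes:", estimate_with_overlap())
    print("one node   :", estimate_single_node())
```

With all three nodes reporting, the estimate lands within about a metre of the true position and its uncertainty is well under a single node's 3 m radius; with one node reporting, the uncertainty is larger than that radius. That difference is the page's point about overlapping sensors, and it also shows why a 10 m class 2 radius alone only says "somewhere in this office".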
The question most will ask when reading this section is “What can be done to protect the average person from BlueTracking?” Thankfully, a number of steps are already being taken by many device manufacturers, specifically phone manufacturers, to prevent attackers from being able to track and steal data from users. The first is that most phones, such as the Motorola Razr v3xx, now come with a default setting of being non-discoverable, and are only discoverable when the user specifically tells the phone to be. In addition to this safety feature, the phone has one more, in which it only allows itself to be discoverable for 3 minutes, and it also requests that the user explicitly acknowledge the connection of any unknown device with a PIN pairing technique.
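The two protections credited to the Razr v3xx here, a bounded discoverable window and no standing permission to pair, have direct equivalents on a Linux host running BlueZ, whose /etc/bluetooth/main.conf carries `DiscoverableTimeout` and `PairableTimeout` under `[General]` (seconds, with 0 meaning "stay in that mode forever"; the shipped comments give defaults of 180 s and 0 respectively). The following is an added example, not from the paper: a small audit that reads a main.conf-style text, applies those defaults for missing keys, and reports the weak setting next to the hardened one. The 180 s policy limit is this example's own choice, matching the 3-minute window described above.

```python
"""
Audit of BlueZ main.conf timers against a discoverable-window policy.
Added example, not from the paper. Keys and their meaning are those of the
BlueZ [General] section; the policy limit is this example's own choice.
"""
import configparser
from typing import Dict, List

# BlueZ built-in values when a key is absent (per the comments shipped in
# main.conf): discoverable for 180 s, pairable forever.
BLUEZ_DEFAULTS = {"DiscoverableTimeout": 180, "PairableTimeout": 0}
MAX_WINDOW_SECONDS = 180  # policy limit chosen for this example

# Constructed weak configuration: both timers disabled (0 = forever).
WEAK_CONF = """\
[General]
DiscoverableTimeout = 0
PairableTimeout = 0
"""

# Constructed hardened configuration: both windows bounded.
HARDENED_CONF = """\
[General]
DiscoverableTimeout = 180
PairableTimeout = 120
"""


def parse_general(text: str) -> Dict[str, str]:
    """Read the [General] section of a main.conf style file, keeping the
    original key case (configparser lower-cases keys by default)."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return dict(cp["General"]) if cp.has_section("General") else {}


def audit_timeouts(text: str, limit: int = MAX_WINDOW_SECONDS) -> List[str]:
    """Return one finding per timer that keeps the adapter discoverable or
    pairable forever, or longer than the policy allows. An absent key is
    judged by the BlueZ default, so an unset PairableTimeout is flagged."""
    general = parse_general(text)
    findings = []
    for key, default in BLUEZ_DEFAULTS.items():
        raw = general.get(key)
        if raw is None:
            value, origin = default, "default"
        else:
            try:
                value = int(raw)
            except ValueError:
                findings.append(f"{key}: non-numeric value {raw!r}")
                continue
            origin = "configured"
        mode = "discoverable" if key == "DiscoverableTimeout" else "pairable"
        if value == 0:
            findings.append(f"{key} = 0 ({origin}): adapter stays {mode} forever")
        elif value > limit:
            findings.append(f"{key} = {value}s ({origin}): exceeds the {limit}s policy limit")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_timeouts(conf) or ["ok"])
```

Note that a file that sets only `DiscoverableTimeout` still produces a finding, because the pairable timer then falls back to the BlueZ default of 0; an audit that only looks at keys present in the file would miss exactly the "discoverable/pairable forever" condition this section warns about.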
As safe as a PIN pairing technique sounds, additional experiments have been done in crowded malls, in which the author of [1] set out to see how many devices he could connect to based on user error. The author sat in a mall with a device scanning for open Bluetooth connections and attempted to connect every time he found one. The catch was that the name of the device he was using was “pin1234”, a name that users took literally, entering the PIN 1234.
Furthermore, the PIN pairing technique and the algorithm used to synchronize the two PINs have been found to be flawed, in that a brute force attack on a four-digit PIN would take just over 1 million tries, a feat that the average computer with a Bluetooth adapter could easily accomplish in a relatively short period of time. The author of [7] discusses the problem Bluetooth has with its pairing algorithm, namely that the same code is entered on both ends of the connection, creating a symmetrical link. To defeat this vulnerability, as Wong puts it, the problem “could be relatively easily resolved by recourse to asymmetrical key establishment techniques at the cost of slightly increased computation.” The algorithm could be developed in a way similar to the authentication of WEP, in that the receiving device could send a response to a challenge sent by the sending device.
Suggestions have also been made to use 8 digits instead of the minimum 4-digit PIN required by most modern phones. This makes a brute force attack much harder, raising the number of combinations from 4^10, or over 1 million combinations, to 8^10, or just over 1 billion combinations. This technique is now required by a number of organizations whose users use Bluetooth devices, including the US Department of Defense, and the National Institute of Standards and Technology states that 4-digit PINs should be used strictly in “low-risk situations” [6].

[1] Bialoglowy, Marek. "Bluetooth Security Review, Part 1." Security Focus, 25 April 2005. Accessed 16 Sept. 2008. <http://www.securityfocus.com/infocus/1830>.
[2] Bialoglowy, Marek. "Bluetooth Security Review, Part 2." Security Focus, 26 May 2005. Accessed 16 Sept. 2008. <http://www.securityfocus.com/infocus/1836>.
[3] Dawson, Chris. "Device Tracking on a Scattered, Bluetooth-Enabled Network." Thesis, University of Bristol, May 2005. Accessed 16 Sept. 2008. <http://www.cs.bris.ac.uk/teaching/resources/coms30500/exampletheses/thesis14.pdf>.
[4] Haase, Marc, and Matthias Handy. "BlueTrack – Imperceptible Tracking of Bluetooth Devices." University of Rostock. Accessed 16 Sept. 2008. <http://ubicomp.org/ubicomp2004/adjunct/posters/haase.pdf>.
[5] Pels, Martin, Jelmer Barhorst, Maarten Michels, Remco Hobo, and Jeffrey Barendse. "Tracking people using Bluetooth." Universiteit van Amsterdam, 5 June 2005. Accessed 16 Sept. 2008. <http://homepages.alumni.os3.nl/~martin/papers/bluetoothreport.pdf>.
[6] Scarfone, Karen, and John Padgette. "Guide to Bluetooth Security (Draft)." Draft SP 800-121, National Institute of Standards and Technology, U.S. Department of Commerce, July 2008. Accessed 16 Sept. 2008. <http://csrc.nist.gov/publications/drafts/800-121/draft-sp800-121.pdf>.
[7] Wong, Ford-Long, and Frank Stajano. "Location Privacy in Bluetooth." University of Cambridge, Computer Laboratory, 2005. Accessed 16 Sept. 2008. <http://www.cl.cam.ac.uk/~fms27/papers/2005-wongsta-location.pdf>.
