Personal Tracking Devices Expose Public Privacy Risk

A study by Rapid7 finds multiple vulnerabilities in Bluetooth tracking technologies, leading to possible security breaches as IoT device use continues to rise.

Bluetooth security

Small tags embedded with Bluetooth Low Energy have become increasingly popular in recent years as a way for consumers to track things such as car keys or other small items. There is only one small problem: They're also potentially a larger public privacy risk, according to new research released Oct. 25 by security firm Rapid7.

Among the trackers Rapid7 looked at is the TrackR Bravo device, which was found to have four unique vulnerabilities, including cleartext password storage (CVE-2016-6538), Tracking ID exposure (CVE-2016-6539), unauthenticated access (CVE-2016-6540) and unauthentic pairing (CVE-2016-6541) vulnerabilities.

"Originally, I became interested in conducting this research because I continually saw these devices attached to people's key chains," Deral Heiland, research lead at Rapid7, told eWEEK. "I did not have a specific result in mind when I set out to do this research; however, given the state of IoT [internet of things] security, I was curious about the extent of personal information that was being exposed, and what security implications were being created due to that exposure."

Rapid7 conducted its operational analysis of the Bluetooth tracking products by using multiple tools including Burpsuite to intercept communication between the cloud and mobile applications, Heiland said. Additionally, the Rapid7 researchers used Nordic Bluetooth Low Energy (BLE) tools on Mac and smartphones combined with the Bluefruit LE sniffer to analyze the BLE communication and pairing process and identify attributes used during operations.

A core area of weakness overall in Bluetooth is the fact that it is not encrypted, and, as such, communications potentially can be intercepted and read.

"When the devices are initially paired, they derive a long-term key using a key-exchange protocol," Heiland explained. "If you eavesdrop during this exchange, you can get in between the pairing process and can decode the communication."

Heiland added that the Bluefruit LE sniffer tools make this simple when analyzing two devices and their communication.

While Rapid7 has found issues with Bluetooth trackers, Heiland noted that the average person may not encounter abuse of these devices related to their privacy. That said, he noted someone with a higher profile—such as someone in the government, business or entertainment sector—or someone currently having issues such as harassment or stalkers may want to avoid the use of these devices because of the elevated risk of abuse.

TrackR said no user data has been compromised, as far as the company is aware.

"As we work in a fast-moving and exciting market, we try to constantly improve our product and satisfy our customers," Chris Herbert, CEO of TrackR, wrote in an email to eWEEK. "Like other IoT companies large and small, we also have to keep pace with the ever-evolving threats which are redefining IT security.

"We were aware of all but one of these issues and have resolutions in place for all the issues identified," Herbert added.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.