FitBits may be especially easy to exploit.
Your FitBit and other Bluetooth gadgets could be giving away your location data. Researchers from Boston University (BU) detected a vulnerability in several high-profile Bluetooth devices that could allow third-parties to determine your location and other sensitive information. In the wrong hands, that information could be used for stalking or abuse. That’s especially concerning given that basically everyone is carrying around a Bluetooth device.
The vulnerability has to do with the way Bluetooth-enabled devices pair with each other. In that relationship, one device serves as the central connection and the other plays a peripheral role. The peripheral device sends out a signal that contains a unique address — similar to an IP address — and data about the connection. Most devices produce a randomized address which automatically reconfigures periodically. That’s meant to protect users’ privacy, but the BU researchers found that, using an open-source “sniffer” algorithm, they could identify Bluetooth connections even when their addresses changed.
While the vulnerability doesn’t leak personal data, it could be used to track Bluetooth devices and their users. Android might get a pass here. The researchers say Android devices don’t appear to be vulnerable, but Windows 10 and iOS devices can be tracked. FitBit users have it the worst. According to the researchers, FitBits don’t automatically update or randomize their addresses, making them even easier to track.
As a silver lining, thwarting this security gap can be as simple as turning off your Bluetooth connection and then turning it on again — at least for Windows 10 and iOS devices. And don’t get ready to ditch your Bluetooth gadgets just yet. As BU researcher Johannes Becker points out, “There are tons of ways to track people, with or without Bluetooth.” But it’s important to be aware of the signals you’re sending out and who might have access to your sensitive information.