Bluetooth low energy (LE) devices have been widely used in the Internet of Things (IoT) and wireless personal area networks (WPAN). However, attackers may compromise user privacy by tracking the addresses of the LE device. The resolvable private address (RPA) mechanism provides address privacy protection for the LE device. Similar to Zhang and Lin’s work in CCS 2022, we investigate the privacy of the RPA mechanism in this paper. Our contributions are threefold. First, we discover that the RPA mechanism has a privacy weakness. The attacker can track the targeted device by exploiting the runs of the RPA mechanism when he intercepts the targeted device’s obsolete RPA value. Second, we propose an improved RPA mechanism to overcome the privacy weakness in the RPA mechanism. The improved RPA mechanism leads to a small amount of extra overheads without requiring modification to the basic cryptographic tools used in the standard specification. Third, we formalize a privacy model to capture the address privacy of the RPA mechanisms. Our improved RPA mechanism provides enhanced privacy guarantees to Bluetooth LE devices in wireless personal applications.
Read full abstract