Practical Obfuscation of BLE Physical-Layer Fingerprints on Mobile Devices

Publication: IEEE S&P 2024    TCAS

Mobile devices continuously beacon Bluetooth Low Energy (BLE) advertisement packets. This has created the threat of attackers identifying and tracking a device by sniffing its BLE signals. To mitigate this threat, MAC address randomization has been deployed at the link-layer in most BLE transmitters. However, attackers can bypass MAC address randomization using lower-level physical-layer fingerprints resulting from manufacturing imperfections of radios. In this work, we demonstrate a practical and effective method of obfuscating physical-layer hardware imperfection fingerprints. Through theoretical analysis, simulations, and field evaluations, we design and evaluate our approach to hardware imperfection obfuscation. By analyzing data from thousands of BLE devices, we demonstrate obfuscation significantly reduces the accuracy of identifying a target device. This makes an attack impractical, even if a target is continuously observed for 24 hours.

The proposed obfuscation significantly reduces the success of an optimal attacker even after prolonged observation durations.

Furthermore, we demonstrate the practicality of this defense by implementing it by only making firmware changes to commodity BLE chipsets.

Obfuscated CFO measured for packets transmitted by a commodity TI CC2640 chipset over 24 hours.

We have also designed and prototyped an integrated circuit that pseudo-randomly changes its CFO by switching in a binary-weighted set of semi-identical MIM capacitors into the tank of an LC voltage controlled oscillator.