Bluetooth Vulnerability Could Allow iOS and macOS Devices to Be Tracked and Identified

A security vulnerability in the Bluetooth communication protocol has the potential to allow malicious actors to track and identify devices from Apple and Microsoft, according to new research from Boston University that was highlighted by ZDNet.

Apple devices including Macs, iPhones, iPads, and the Apple Watch are impacted, as are Microsoft tablets and laptops. Android devices are not affected.


As outlined in the research paper [PDF], Bluetooth devices use public channels to announce their presence to other devices.

To prevent tracking, most devices broadcast a randomized address that changes periodically rather than a fixed Media Access Control (MAC) address. The researchers found, however, that identifying tokens carried in the advertising payload can be extracted and used to link one random address to the next, so a device can still be tracked across address changes. They call this the address-carryover algorithm.
We present an online algorithm called the address-carryover algorithm, which exploits the fact that identifying tokens and the random address do not change in sync, to continuously track a device despite implementing anonymization measures. To our knowledge, this approach affects all Windows 10, iOS, and macOS devices.

The algorithm does not require message decryption or breaking Bluetooth security in any way, as it is based entirely on public, unencrypted advertising traffic.
According to the research paper, the tracking method enables an identity-exposing attack that permits "permanent, non-continuous tracking," as well as an iOS side-channel that "allows insights into user activity."
iOS or macOS devices have two identifying tokens (nearby, handoff) which change at different intervals. In many cases, the values of the identifying tokens change in sync with the address. However, in some cases the token change does not happen in the same moment, which allows the carry-over algorithm to identify the next random address.
Android devices do not use the same advertising approach as Microsoft and Apple, and are immune to the data tracking methods used by the researchers.
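To make the synchronization point concrete, here is an added example (not code from the Boston University paper or from MacRumors) that models one device's advertising stream with constructed rotation periods and a passive observer that links a new address to the previous one only when the payload token is unchanged across the address change. The function names, the periods, the address and token formats and the single-token simplification are all assumptions for illustration; real advertisements carry several fields and the paper's algorithm handles more cases than this.

```python
# Added example (not from the paper or MacRumors): a toy model of rotating
# BLE advertising data, showing why payload tokens must rotate together with
# the random address. All periods, names and formats are constructed.


def advertise(frames, addr_period, token_period, synced=False):
    """Return a list of (random_address, token) pairs, one per advertising frame.

    addr_period / token_period: frames between rotations (constructed values).
    synced=True models the mitigation: the token rotates whenever the address does.
    """
    out = []
    for i in range(frames):
        addr = f"addr{i // addr_period}"
        if synced:
            token = f"tok{i // addr_period}"   # rotates together with the address
        else:
            token = f"tok{i // token_period}"  # rotates on its own schedule
        out.append((addr, token))
    return out


def carryover_link(frames):
    """Group random addresses a passive observer can chain via an unchanged token.

    A new address whose first frame carries the same token as the previous frame
    is appended to the previous address's chain; otherwise it starts a new chain.
    Each chain is one identity the observer can follow across address rotations.
    """
    addr_to_chain = {}
    chains = []
    last_addr, last_token = None, None
    for addr, token in frames:
        if addr not in addr_to_chain:
            if last_addr is not None and token == last_token:
                chain = addr_to_chain[last_addr]   # token carried over: same device
            else:
                chain = []
                chains.append(chain)
            chain.append(addr)
            addr_to_chain[addr] = chain
        last_addr, last_token = addr, token
    return chains


if __name__ == "__main__":
    # Out-of-sync rotation (address every 4 frames, token every 6): the six
    # addresses seen over 24 frames collapse into two trackable chains.
    print(carryover_link(advertise(24, 4, 6)))
    # Synchronized rotation: every address is its own chain, nothing links.
    print(carryover_link(advertise(24, 4, 6, synced=True)))
```

With the out-of-sync schedule the observer chains addr0 to addr2 together and addr3 to addr5 together, because every address change except the one at frame 12 happens while the token is still stable; with synchronized rotation the same observer sees six unrelated addresses. That is the privacy property a designer would want to assert on their own advertising schedule: no field in the payload may outlive the address it was first sent with.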

It's not clear if the method described has been used by any bad actors for the purpose of tracking Apple devices using Bluetooth, but it would be undetectable as it does not require breaking Bluetooth security. The research paper contains several recommendations on how to mitigate the tracking vulnerability, and Apple is often quick to patch any security issues that come up, so we could see a fix for this problem in the near future.


This article, "Bluetooth Vulnerability Could Allow iOS and macOS Devices to Be Tracked and Identified," first appeared on MacRumors.com


After Winning $11 Million From Samsung, Rembrandt Sues Apple Over Same Bluetooth-Related Patents

Pennsylvania-based entity Rembrandt Wireless Technologies has filed a lawsuit against Apple today in the U.S. district court for Eastern Texas, accusing the iPhone maker of infringing on two of its Bluetooth-related patents.


In its complaint, obtained by MacRumors, Rembrandt alleges that all Apple products that support Bluetooth 2.0 or newer with Enhanced Data Rate, including the iPhone 3GS and newer, all iPad and Apple Watch models, several Mac models, HomePod, and others, infringe on U.S. Patent Nos. 8,457,228 and 8,023,580.

Enhanced Data Rate, often shortened to EDR, is a technology that allows for faster Bluetooth data transmission speeds.

The asserted patents describe wireless communication techniques that appear to be related to Bluetooth with EDR, so the alleged infringement could extend to virtually any Bluetooth-enabled device. The same Eastern Texas court ordered Samsung to pay $11 million to Rembrandt last year over the same two patents.

Rembrandt is not the original assignee of the patents, which both expired on December 4, 2018, according to its complaint. The entity says it is still entitled to damages for infringement that occurred prior to the expiration of the patents.

Rembrandt is seeking an award of damages stemming from Apple's infringement in an amount to be proven at trial. In the Samsung case, a jury calculated damages based on a royalty rate of approximately five-and-a-half cents per infringing device. Rembrandt has requested a jury trial against Apple as well.

The case has been assigned to U.S. District Judge Rodney Gilstrap, who also presided over the Samsung trial.





This article, "After Winning $11 Million From Samsung, Rembrandt Sues Apple Over Same Bluetooth-Related Patents" first appeared on MacRumors.com


Bluetooth Security Vulnerability Discovered, but Apple’s Fix is Already in Place

A newly discovered Bluetooth vulnerability that was published this week by Intel has the potential to allow a nearby hacker to gain unauthorized access to a device, intercepting traffic and sending forged pairing messages between two vulnerable Bluetooth devices.

The vulnerability affects Bluetooth implementations and operating system drivers of Apple, Broadcom, Intel, and Qualcomm.

From Intel's explanation:
A vulnerability in Bluetooth(R) pairing potentially allows an attacker with physical proximity (within 30 meters) to gain unauthorized access via an adjacent network, intercept traffic and send forged pairing messages between two vulnerable Bluetooth(R) devices. This may result in information disclosure, elevation of privilege and/or denial of service.
As BleepingComputer explains, vulnerable devices do not sufficiently validate the encryption parameters exchanged when setting up a "secure" Bluetooth connection, which produces a weak pairing that an attacker can exploit to obtain data sent between the two devices.

According to the Bluetooth Special Interest Group (SIG) it's not likely many users were impacted by the vulnerability.
For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure. The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.
Both Bluetooth and Bluetooth LE are affected. Apple has already introduced a fix for the bug on its devices (in macOS High Sierra 10.13.5/10.13.6, iOS 11.4, tvOS 11.4, and watchOS 4.3.1), so iOS and Mac users do not need to worry. Intel, Broadcom, and Qualcomm have also introduced fixes, while Microsoft says its devices are not affected.
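As an added illustration (not Intel's, Apple's or the Bluetooth SIG's code), the check below is the one a pairing implementation must make before using a peer's public key: the (x, y) value received during the ECDH exchange has to be a point on the agreed curve, otherwise a forged pairing message of the kind described above can substitute an off-curve value and weaken the resulting key. Bluetooth Secure Connections uses NIST P-256; the curve constants are the published ones, the private scalars are constructed test values, and the function names and the toy affine arithmetic are my own (written for clarity, not constant-time).

```python
# Added example (not from Intel, Apple or the Bluetooth SIG): validate a received
# ECDH public key on NIST P-256 before deriving a shared secret from it.
# Curve constants are the published P-256 parameters; everything else is constructed.

P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551


def is_valid_public_key(x, y):
    """True only if (x, y) has in-range coordinates and satisfies y^2 = x^3 + ax + b."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def _point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P256_P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    y3 = (lam * (x1 - x3) - y1) % P256_P
    return (x3, y3)


def _scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def generate_keypair(private_scalar):
    """Return (private_scalar, public_point). Real code draws the scalar from a CSPRNG."""
    if not 1 <= private_scalar < P256_N:
        raise ValueError("private scalar out of range")
    return private_scalar, _scalar_mult(private_scalar, (P256_GX, P256_GY))


def ecdh_shared_secret(private_scalar, peer_public):
    """Derive the shared x-coordinate, refusing any peer key that is not on P-256."""
    x, y = peer_public
    if not is_valid_public_key(x, y):
        raise ValueError("peer public key is not on P-256; abort pairing")
    shared = _scalar_mult(private_scalar, peer_public)
    if shared is None:
        raise ValueError("shared point is the identity; abort pairing")
    return shared[0]


if __name__ == "__main__":
    _, pub_a = generate_keypair(12345)     # constructed test scalars
    _, pub_b = generate_keypair(67890)
    assert ecdh_shared_secret(12345, pub_b) == ecdh_shared_secret(67890, pub_a)
    try:
        ecdh_shared_secret(12345, (P256_GX, P256_GY + 1))   # off-curve value
    except ValueError as exc:
        print("rejected:", exc)
```

The validation is cheap (one field equation) and is the difference between a pairing that is only as strong as the curve and one that can be undermined by whatever value the peer chooses to send; the same check applies to the P-192 curve used by older Secure Simple Pairing with the corresponding constants.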



How to Enable the Optimal Audio Codec for Your Bluetooth Headphones in macOS

How good your digital music sounds often comes down to which file format it's encoded in. Be that as it may, every Mac audio setup is only as strong as its weakest link, and if your Bluetooth connection isn't up to scratch, even the best BT headphones will fail to deliver a decent wireless listening experience.

By design, all Bluetooth devices support the low-power SBC audio compression codec as standard. Fortunately, modern Macs also support AAC (Apple's preferred iTunes codec) and aptX, which Android devices often use. These two codecs offer higher quality audio and generally lower latency than SBC, which is why most third-party wireless headphones on the market support one or the other, and sometimes both.


Yet for whatever reason, despite their AAC/aptX support, some headphones fall back to the bog-standard SBC codec when connected to a Mac. This can lead to a particularly underwhelming audio experience, not to mention latency-related sync issues, which will be a distinct concern if you use your headphones while gaming or watching movies.

Thankfully, it's possible to force macOS to connect to your headphones using one of the two superior codecs. In this article, we'll show you how to do so using Apple's Bluetooth Explorer utility. (And if you're comfortable opening a Terminal window, we've included a couple of commands at the end that do the same thing.)


But first, it's worth checking which codecs your brand of headphones actually supports: Look for codec logos on the box, and make sure to check for references to codecs in the manual and any accompanying/online spec sheets.

Once you've established that your headphones support aptX and/or AAC, you'll want to identify which codec is being activated when you connect the headphones to your Mac. Follow these steps to find out.

How to Identify Which Bluetooth Codec is Active

  1. Establish a Bluetooth connection between your Mac and headphones in the normal manner.
  2. Play some audio on your Mac so that it's streaming to the headphones.
  3. Now hold down the Option (Alt) key and click on the Bluetooth symbol in the menu bar. (If you don't see it there, you need to check Show Bluetooth in menu bar in System Preferences -> Bluetooth.)
  4. Hover your mouse cursor over the headphones in the connection list. You should see the headphones' Active Codec shown in grey.
If your headphones are using AAC or aptX, you don't need to do anything. Without going into the technical details, both standards provide relatively stable wireless connections and – as far as Bluetooth goes – comparably decent sound quality. However, if the codec shown is SBC, you'll probably want to change it. Here's how.

How to Force-Enable aptX and AAC Codecs in macOS


  1. Open a web browser, navigate to Apple's developer downloads page, and download Additional Tools for Xcode 9 [Direct Link] which contains Apple's Bluetooth Explorer utility. Note that to access the page you'll need to register for a free Apple developer account if you don't already have one. Alternatively, use Google to find the Bluetooth Explorer utility hosted elsewhere and skip to step 5, but if you're not downloading from Apple, be sure to screen the file for malware.

  2. Once downloaded, double-click the Additional Tools dmg file to mount it on your desktop.
  3. Open the Additional Tools drive and navigate to the Hardware folder.
  4. Open your Mac's Applications folder in another Finder window or tab.

  5. Drag Bluetooth Explorer into your Mac's Applications folder and launch the app from there.
  6. From the Bluetooth Explorer menu bar, select Tools -> Audio Options.
  7. In the Codecs section, tick the checkboxes alongside Enable AAC and/or Force use of aptX (depending on your issue). Make sure Disable AAC and Disable aptX are left unchecked.

  8. Click Close to finish.
  9. Restart your Mac, or reset the Bluetooth module.
When your Mac reboots, you can confirm that the codec change has been applied by following the first series of steps in this article.

Terminal commands for enabling AAC and aptX Codecs


To enable aptX, input the following command, press Enter, and type your user password if prompted:
sudo defaults write bluetoothaudiod "Enable AptX codec" -bool true

Alternatively, to enable AAC, input the following and press Enter:
sudo defaults write bluetoothaudiod "Enable AAC codec" -bool true

To disable either codec via Terminal, simply replace -bool true with -bool false at the end of the command.


How to Reset Your Mac’s Bluetooth Module to Fix Connection Issues

Bluetooth is what your Mac uses to connect to wireless devices like keyboards, mice, trackpads, speakers, and other peripherals. Generally, it's a reliable technology. At some point, however, chances are you'll run into difficulty establishing a Bluetooth connection with one or more of your devices.

Most problems can be fixed by unpairing and re-pairing the Bluetooth device, changing its batteries, rebooting your Mac, or performing an SMC reset. But if none of these methods work, you can always try resetting your Mac's Bluetooth module. Here's how to do it in macOS using the hidden Bluetooth Debug menu.

How to Reset Your Mac's Bluetooth Module


Before proceeding, bear in mind that if your setup relies exclusively on Bluetooth for communicating with your keyboard and mouse, then you're going to temporarily lose connection to them using the following methods, so you might want to have a backup wired input device option just in case.
  1. Holding the Shift + Option (Alt) keys on your Mac's keyboard, click the Bluetooth symbol in the top-right corner of the macOS menu bar. (If you don't see it there, you need to check Show Bluetooth in menu bar in System Preferences -> Bluetooth.)

  2. Locate the revealed Debug submenu and hover your mouse cursor over it.
  3. Click Reset the Bluetooth module.

  4. Now, restart your Mac.
You'll notice a couple of other potentially useful options in the Debug submenu. Factory reset all connected Apple devices does exactly what it says – forces any Apple-branded Bluetooth accessories back to the default settings they came with out of the box. It's a reliable fallback option if you've tried everything else to fix a connection issue, including resetting the Bluetooth module.

Lastly, the Remove all devices option might prove useful if you're moving your Bluetooth mouse and keyboard to another Mac, for example. However, you can also remove devices on an individual basis from the macOS menu bar, as long as you hold down Shift + Option (Alt) before you click the Bluetooth symbol.


Removing devices in this manner means you're not also banishing a whole bunch of other established Bluetooth connections like speakers and so on that you might want to keep.


EFF Says iOS 11’s Wi-Fi and Bluetooth Toggles in Control Center Are Misleading and Compromise Security

Apple recently confirmed that Wi-Fi and Bluetooth are not fully disabled when toggled off in Control Center on iOS 11, and the change has generated some fresh criticism from a prominent non-profit digital rights group.


For background, when Wi-Fi and Bluetooth are toggled off, an iPhone or iPad on iOS 11 merely disconnects from a Wi-Fi network and Bluetooth accessories. The actual Wi-Fi and Bluetooth radios in the device remain activated.

Moreover, Wi-Fi and Bluetooth automatically re-enable at 5:00 a.m. local time each day, or if the device is restarted.

iOS 11 works this way so that Wi-Fi and Bluetooth continue to be available for AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and Continuity features like Handoff and Instant Hotspot.


As a result of the change, the Electronic Frontier Foundation believes that iOS 11 compromises users' security. In a critical article, the EFF said the toggles are "misleading" and "bad for user security."
When a phone is designed to behave in a way other than what the UI suggests, it results in both security and privacy problems. A user has no visual or textual clues to understand the device's behavior, which can result in a loss of trust in operating system designers to faithfully communicate what’s going on. Since users rely on the operating system as the bedrock for most security and privacy decisions, no matter what app or connected device they may be using, this trust is fundamental.
The EFF said the "loophole in connectivity" can potentially leave users open to new attacks, and it linked to a white paper that unveils apparent zero day vulnerabilities and security flaws in modern Bluetooth stacks.

The article added that, at a bare minimum, Apple should keep the Control Center toggles off until the user flips them back on, rather than overriding the user's choice at 5:00 a.m. local time the next morning.

Overall, the EFF's arguments are generally the same as those shared by iOS 11 users who are unhappy with the change. The toggles still behave the same in the iOS 11.1 beta, however, so there's no indication Apple will reverse course.

iOS 11 users can still completely disable Wi-Fi and Bluetooth for all networks and devices by toggling them off in the Settings app. A device can also be placed in Airplane Mode with Wi-Fi and Bluetooth disabled.

In a support document, Apple said users should try to keep Wi-Fi and Bluetooth turned on for the best experience on an iOS device.



Bluetooth and Wi-Fi Aren’t Fully Disabled When Toggled Off in Control Center on iOS 11

Apple has confirmed that Bluetooth and Wi-Fi are not fully disabled when toggled off in Control Center on iOS 11.


Even when toggled off in Control Center on an iPhone, iPad, or iPod touch running iOS 11 and later, a new support document says Bluetooth and Wi-Fi will continue to be available for AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and Continuity features like Handoff and Instant Hotspot.

Toggling off Bluetooth or Wi-Fi in Control Center only disconnects accessories now, rather than disabling connectivity entirely.

If Bluetooth is turned off, the iOS device can't be connected to any Bluetooth accessories until one of these conditions is met:

  • You turn on Bluetooth in Control Center.
  • You connect to a Bluetooth accessory in Settings > Bluetooth.
  • It's 5 a.m. local time.
  • You restart your device.

While Wi-Fi is disabled, auto-join for any nearby Wi-Fi networks will also be disabled until one of these conditions is met:

  • You turn on Wi-Fi in Control Center.
  • You connect to a Wi-Fi network in Settings > Wi-Fi.
  • You walk or drive to a new location.
  • It's 5 a.m. local time.
  • You restart your device.

Apple made this change in the iOS 11 beta, and it gained more attention after the software was publicly released yesterday.

iOS 11 users can still completely disable Wi-Fi and Bluetooth for all networks and devices by toggling them off in the Settings app.

Apple says users should try to keep Wi-Fi and Bluetooth turned on for the best experience on an iOS device.

(Thanks, FlunkedFlank!)
