We reverse engineer several message types of Apple’s Bluetooth Low Energy (BLE) Continuity protocol, and show that they can be used for tracking, operating system fingerprinting, and behaviorally profiling users. In particular, we identify and reverse engineer seven distinct message types, most of which are sent in response to a particular user interaction with their iOS or macOS device. Through a series of rigorous tests in a radio-frequency sterile environment, we i) determine what actions are necessary to stimulate a device to transmit these messages, ii) deduce the meanings of most fields within each message type, and iii) ascertain how operating system version updates have introduced and affected each message type. Together, this information allows an adversary within BLE transmission range to determine what actions a user is making on their device, infer what operating system version they are using, and even track users despite the use of randomized BD_ADDR. Finally, we introduce, demonstrate, and publicly release the first-ever Wireshark dissector for displaying the Continuity message types we and other security researchers have reverse engineered.
The FuriousMAC research group at the US Naval Academy was established in 2015 to investigate computer security and privacy topics. The group consists of current and former cyber operations and computer science faculty, as well as undergraduate and recently-graduated student researchers. FuriousMAC is especially interested in wireless network identifiers and how they can be leveraged to track users, as well as in evaluating techniques designed to prevent tracking and protect users’ privacy. FuriousMAC’s research has been published in numerous highly competitive security and privacy venues.