by minimalist 1041 days ago
Maybe someone can help me understand this. I've always shied away from smartwatches because of the tracking potential. We have always known how the MAC address of wireless clients can be used to track a device and decades later, MAC randomization is being offered on major operating systems.

Why don't I hear about that as much with Bluetooth devices? Surely they suffer from the same problem? If not, how do devices remember each other?

2 comments

Not an expert in the field, but I have some knowledge. Bluetooth specifies different address types [1] where one of the types is Resolvable Random Private Address. This is used to avoid tracking. TLDR: The address is periodically randomized (typically every 15 min). Part of the address is a hash that lets you identify the device if you have previously bonded with the device (so you have its Identity Resolving Key).

[1] https://novelbits.io/bluetooth-address-privacy-ble/
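
The resolution step described in the comment above, as an added Go example (not code from the thread or from any Bluetooth stack): the upper 24 bits of a resolvable private address are a random value, the lower 24 bits are AES-128 of that value under the Identity Resolving Key, and a bonded peer recomputes the hash to recognise the device. Assumptions: the IRK is given most-significant-byte first, as in the Bluetooth Core Specification's `ah` sample data used in `main`; the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
	"strings"
)

// AddrKind classifies a BLE *random* address by its two most significant bits.
func AddrKind(addr [6]byte) string {
	kinds := [4]string{"non-resolvable private", "resolvable private", "reserved", "static random"}
	return kinds[addr[0]>>6]
}

// ParseAddr reads "AA:BB:CC:DD:EE:FF" (most significant byte first).
func ParseAddr(s string) (a [6]byte, err error) {
	b, err := hex.DecodeString(strings.ReplaceAll(s, ":", ""))
	if err != nil || len(b) != 6 {
		return a, fmt.Errorf("bad address %q", s)
	}
	copy(a[:], b)
	return a, nil
}

// Resolves reports whether addr is a resolvable private address made with irk:
// the low 24 bits must equal AES-128(irk, zero padding || prand), truncated
// to 24 bits, where prand is the upper 24 bits of the address.
func Resolves(irk []byte, addr [6]byte) bool {
	block, err := aes.NewCipher(irk)
	if err != nil || len(irk) != 16 || AddrKind(addr) != "resolvable private" {
		return false
	}
	var in, out [16]byte
	copy(in[13:], addr[:3]) // 104 zero bits, then the 24-bit prand
	block.Encrypt(out[:], in[:])
	return bytes.Equal(out[13:], addr[3:])
}

func main() {
	// Sample IRK and address (prand 708194, hash 0dfbaa) from the spec's ah() sample data.
	irk, _ := hex.DecodeString("ec0234a357c8ad05341010a60a397d9b")
	addr, _ := ParseAddr("70:81:94:0D:FB:AA")
	fmt.Println(AddrKind(addr), Resolves(irk, addr)) // resolvable private true
}
```

An observer without the IRK cannot link two such addresses from the same device, which is why only a bonded peer keeps recognising it across rotations.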

bt is flaky enough as it is ;)

but yea, fwiw bt mac addresses are NOT randomized on google and apple platforms and serve as a constant identification provider for anyone that cares (e.g. retailers).

wifi macs are randomized for a few years now (settings toggle in hostapd.conf)

BT addresses are not randomized because it would break all existing BT headphones and the pairing process.

Both Apple and Google, as far as I know, will randomize MAC for BLE on Android and iOS when possible. Ditto for Wifi MAC, but it’s usually only randomized on a per-AP basis.

But that doesn’t prevent tracking via BLE accessories (e.g. heart rate monitors, older smart watches, etc.) which may periodically broadcast with the same MAC address indefinitely.

blood sugar monitors are rather popular as well

my take from this document is that it is enabled for the low-energy variant but not the normal bt (with more reach).

care to verify?

my 1st-gen se with ios 15.whatever does NOT randomize the mac address in normal bt probes

That is correct.

But all my [modern] Apple devices randomize (except my old SE, which is my low-end test). It can be a pain to track, with my software.

BLE is probably where all of Bluetooth is going, eventually.

The main issue, now, is data speed, but even classic is pretty slow, compared to other standards. I believe they are incorporating high data-rate stuff into BLE, so you can have things like pure BLE headphones.

so, there are cases where btle does randomize the mac address, but not when using 'normal' bluetooth things

BLE is "ad hoc," with ephemeral, one-time connections, while Classic establishes long-lasting "commitments."

BLE is like a Gig.

Classic is more like a Career.