by csdvrx 439 days ago
The randomization doesn't matter: you can very easily link the addresses if you have a few datapoints, even if it's just the time you observed the addresses: the basic method is discussed in https://inria.hal.science/hal-03045555/document

See https://inria.hal.science/hal-02394629v1 for the theoretical basis, then hop to https://samteplov.com/uploads/shmoocon20/slides.pdf for an example applied to Apple devices

Those who said the randomization and other techniques were sufficient were wrong: https://petsymposium.org/popets/2020/popets-2020-0003.pdf will show you how they changed their mind :)

It's not just Apple: Google Nearby has also been reversed: https://publications.cispa.saarland/2748/ and https://www.ndss-symposium.org/wp-content/uploads/2019/02/nd... talks about attacks, but there's no need for that: just find identifiers that let you link the addresses

Even if you don't have any identifiers, the Bluetooth address randomization happens only about every 15 minutes: the manufacturer-specific data in the public advertisement (or even the frequency and the length of these advertisements) during these 15-minute periods can be used for linking the randomized addresses
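Added example (not written by csdvrx or any other participant in this thread): a small Go program that does the linking the comment above describes. It parses the AD structures of each advertisement, takes the manufacturer-specific data plus payload length as a fingerprint, and chains together addresses that carry the same fingerprint and appear back to back in time, i.e. across a rotation boundary. The capture is constructed for the demo: the addresses, timestamps and manufacturer payload bytes are made up; the company IDs 0x004C and 0x00E0 are the Bluetooth SIG assigned numbers for Apple and Google, but nothing here is a real device's payload. Function names (`LinkAddresses`, `SampleCapture`) are this example's own.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"sort"
)

// Constructed sample data; not real sniffer output.

const adTypeManufacturerSpecific = 0xFF

// Observation is one sighting of an advertising PDU.
type Observation struct {
	T       float64 // seconds since capture start
	Addr    string  // advertiser address as seen on air
	Payload []byte  // AdvData (sequence of AD structures)
}

// parseADStructures splits AdvData into AD type -> data (Core Spec Vol 3, Part C, 11):
// each structure is [length][AD type][length-1 bytes of data].
func parseADStructures(p []byte) map[byte][]byte {
	out := map[byte][]byte{}
	for i := 0; i < len(p); {
		n := int(p[i])
		if n == 0 || i+1+n > len(p) {
			break // zero-length or truncated structure: stop parsing
		}
		out[p[i+1]] = p[i+2 : i+1+n]
		i += 1 + n
	}
	return out
}

// fingerprint is the tuple of features assumed to stay constant while the address
// rotates: AdvData length, company ID and the manufacturer-specific bytes.
func fingerprint(payload []byte) string {
	msd := parseADStructures(payload)[adTypeManufacturerSpecific]
	company := -1
	var rest []byte
	if len(msd) >= 2 {
		company = int(binary.LittleEndian.Uint16(msd[:2]))
		rest = msd[2:]
	}
	return fmt.Sprintf("len=%d cid=%04x msd=%x", len(payload), company, rest)
}

type lifetime struct {
	first, last float64
	fp          string
}

// LinkAddresses groups addresses into chains. Address B is appended to the chain
// ending in A when both carry the same fingerprint and B is first seen at most
// maxGap seconds after A was last seen. Overlapping lifetimes are never merged,
// so two devices with identical payloads advertising at the same time stay apart.
func LinkAddresses(obs []Observation, maxGap float64) [][]string {
	life := map[string]*lifetime{}
	var order []string
	for _, o := range obs {
		l, ok := life[o.Addr]
		if !ok {
			l = &lifetime{o.T, o.T, fingerprint(o.Payload)}
			life[o.Addr] = l
			order = append(order, o.Addr)
		}
		if o.T < l.first {
			l.first = o.T
		}
		if o.T > l.last {
			l.last = o.T
		}
	}
	sort.SliceStable(order, func(i, j int) bool { return life[order[i]].first < life[order[j]].first })
	var chains [][]string
	for _, addr := range order {
		cur := life[addr]
		best, bestGap := -1, maxGap+1
		for i, c := range chains {
			tail := life[c[len(c)-1]]
			gap := cur.first - tail.last
			if tail.fp == cur.fp && gap >= 0 && gap <= maxGap && gap < bestGap {
				best, bestGap = i, gap
			}
		}
		if best >= 0 {
			chains[best] = append(chains[best], addr)
		} else {
			chains = append(chains, []string{addr})
		}
	}
	return chains
}

// makeAdv builds AdvData: a Flags AD followed by a Manufacturer Specific Data AD
// (company ID little-endian, as on the air).
func makeAdv(company uint16, msd []byte) []byte {
	body := append([]byte{byte(company), byte(company >> 8)}, msd...)
	adv := []byte{2, 0x01, 0x06}
	adv = append(adv, byte(len(body)+1), adTypeManufacturerSpecific)
	return append(adv, body...)
}

// sightings emits one Observation every interval seconds from start to end.
func sightings(addr string, payload []byte, start, end, interval float64) []Observation {
	var out []Observation
	for t := start; t <= end; t += interval {
		out = append(out, Observation{t, addr, payload})
	}
	return out
}

// SampleCapture is a constructed trace: device A rotates its address roughly every
// 15 minutes but keeps its manufacturer data; device C sends the same payload and
// never rotates, so it overlaps A in time and must not be merged; device B is a
// different vendor that rotates once.
func SampleCapture() []Observation {
	advA := makeAdv(0x004C, []byte{0x10, 0x05, 0x01, 0x18, 0x7B, 0x4A, 0x2E})
	advB := makeAdv(0x00E0, []byte{0x00, 0x01, 0xAA, 0xBB})
	var obs []Observation
	obs = append(obs, sightings("5A:11:22:33:44:01", advA, 0, 890, 10)...)
	obs = append(obs, sightings("6C:AA:BB:CC:DD:0C", advA, 0, 2600, 10)...)
	obs = append(obs, sightings("7F:00:00:00:00:B1", advB, 100, 1000, 10)...)
	obs = append(obs, sightings("5A:11:22:33:44:02", advA, 905, 1790, 10)...)
	obs = append(obs, sightings("7F:00:00:00:00:B2", advB, 1010, 1900, 10)...)
	obs = append(obs, sightings("5A:11:22:33:44:03", advA, 1805, 2600, 10)...)
	return obs
}

func main() {
	for _, chain := range LinkAddresses(SampleCapture(), 60) {
		fmt.Println(chain)
	}
}
```

On the constructed capture this yields three chains: the three rotating addresses of device A linked into one, device C alone (its lifetime overlaps A's, so it is correctly not merged despite the identical payload), and the two addresses of device B. The advertising interval and PDU length that the comment also mentions could be folded into `fingerprint` the same way; the linking step does not change.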


That attack requires continuously monitoring a given device or area though, right?

In other words, you could possibly track a given device through an area with enough sensors, e.g. a store, but not across visits.

> That attack requires continuously monitoring a given device or area though, right?

The "randomization" seems to be a pseudo-randomization: with the seed and the timestamp, you should be able to deduce the future "randomized" addresses.

Not with a cryptographically secure pseudorandom number generator, and constructing one doesn't seem hard to do, given that LE devices will need to support AES anyway.
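Added example, not written by either of the commenters above: the Resolvable Private Address (RPA) construction the Bluetooth Core Spec defines for address randomization (Vol 3, Part H, 2.2.2 for the `ah` function; Vol 6, Part B, 1.3.2.2 for the address layout). An RPA is a 24-bit random `prand` (top two bits 0b01) followed by `ah(IRK, prand) = AES-128_IRK(0^104 || prand) mod 2^24`. A bonded peer holding the Identity Resolving Key recomputes the hash to resolve the address; anyone else sees a fresh AES output per rotation, which is the point made in the reply above about an AES-based generator. Addresses are shown here most-significant byte first, as in the spec text, not in on-air byte order. The IRK and `prand` in the test are the spec appendix's `ah` sample data; the second IRK and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// Example code for the spec's RPA scheme, not any stack's implementation.

// ah is the address-hash function: AES-128 under the IRK over prand zero-padded
// to 128 bits (prand in the least significant 24 bits), keeping the low 24 bits.
func ah(irk [16]byte, prand [3]byte) ([3]byte, error) {
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		return [3]byte{}, err
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // r' = padding || r
	block.Encrypt(out[:], in[:])
	var hash [3]byte
	copy(hash[:], out[13:]) // mod 2^24
	return hash, nil
}

// NewRPA builds an RPA from a caller-supplied prand; the two most significant
// bits are forced to 0b01, which marks the address as resolvable.
func NewRPA(irk [16]byte, prand [3]byte) ([6]byte, error) {
	prand[0] = (prand[0] & 0x3F) | 0x40
	hash, err := ah(irk, prand)
	if err != nil {
		return [6]byte{}, err
	}
	var addr [6]byte
	copy(addr[:3], prand[:])
	copy(addr[3:], hash[:])
	return addr, nil
}

// RandomRPA draws prand from the OS CSPRNG. A fresh, unpredictable prand per
// rotation is what keeps successive addresses unlinkable without the IRK.
func RandomRPA(irk [16]byte) ([6]byte, error) {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		return [6]byte{}, err
	}
	return NewRPA(irk, prand)
}

// Resolve is the peer's side: try every stored IRK, recompute ah over the
// address's prand and compare with its hash part. Returns the matching IRK
// index, or false if the address is not an RPA or no IRK matches.
func Resolve(addr [6]byte, irks [][16]byte) (int, bool) {
	if addr[0]>>6 != 0x01 {
		return -1, false // static random (0b11) or non-resolvable private (0b00)
	}
	var prand, hash [3]byte
	copy(prand[:], addr[:3])
	copy(hash[:], addr[3:])
	for i, k := range irks {
		h, err := ah(k, prand)
		if err == nil && h == hash {
			return i, true
		}
	}
	return -1, false
}

func main() {
	// Constructed IRK for the demo (in a real stack it is exchanged during pairing).
	irk := [16]byte{0xEC, 0x02, 0x34, 0xA3, 0x57, 0xC8, 0xAD, 0x05, 0x34, 0x10, 0x10, 0xA6, 0x0A, 0x39, 0x7D, 0x9B}
	for i := 0; i < 3; i++ {
		addr, err := RandomRPA(irk)
		if err != nil {
			panic(err)
		}
		_, ok := Resolve(addr, [][16]byte{irk})
		fmt.Printf("rotation %d: %02X resolvable with IRK: %v\n", i, addr, ok)
	}
}
```

Note what this does and does not protect: the address itself carries no timestamp or counter to extrapolate from, so the concern about predicting future addresses from a seed applies only to a device that feeds `ah` a non-random `prand`. It does nothing about the payload-level identifiers discussed earlier in the thread, which is why address rotation alone is not enough.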