5. Privacy

Nearly every device that uses a network interface controller to communicate with other devices is using an address by which it is uniquely identified. This is common among the IEEE 802 protocols and usually it is called a Medium Access Control (MAC) address. In the Bluetooth standard, this address is called the Bluetooth Device Address, and it is either burned in the device or stored in firmware. To obtain a globally unique Bluetooth Device Address (or more accurately, a block of addresses), manufacturers would have to register it with the IEEE Registration Authority. There is also the option of using an unregistered Bluetooth Device Address and the specification dictates how these types of addresses would be distinguished.

Since this address is unique, it can be used to identify the device and as a result the person that owns it. Most consumer electronics that use the Bluetooth protocol are designed to be carried by the user and often they are personal devices, and this poses the risk of tracking the physical location of the user. This kind of exploit has been addressed by the Bluetooth Protocol (among others). For compating this weakness, a device will change frequently its advertised address, while providing a mechanism for resolution so that it can be still recognized by trusted peer devices.

5.1. How privacy works in BLE

5.1.1. Device address

Each BLE device is identified by its device address. There are two kinds of device addresses, public device addresses and random device addresses. Both addresses are 48 bits in length.

  • A public device address is administered by the IEEE and it contains two parts, the 24-bit Organizationally Unique Identifier (OUI), which is different for each company, and a 24-bit unique number assigned by the company to each of its products.

  • Random device addresses are distinguished in two types, static and private. Both address types enable a device to hide its identity. In the case of a static address, the device initializes its address to a value that cannot change while it is still powered, but could change after a power-cycle. Most of the bits of a static address are random, with the exception of the two most significant bits which are set to 1.

    _images/static_addr_format.png

    Figure 25 Format of a static random address

    Private addresses can in turn be of two types, resolvable and non-resolvable addresses. A non-resolvable private address always hides the real address of the device. It will have its two most significant bits assigned as 0, and the remaining part can be random, with the exception of being all ones or all zeroes. A non-resolvable address can change any time, but there is no mechanism for a non-trusted device to assess that the new address belongs to the same device.

    _images/non_resolv_addr_format.png

    Figure 26 Format of a non-resolvable private address

    Resolvable private addresses provide all the privacy benefits of a random address, but in addition they provide a mechanism by which a peer device could resolve it to the device’s real address. This real address could be either a public address or a static random address, and in the context of address resolution it is called an Identity Address. You can see the format of a resolvable private address in the figure below.

    _images/resolv_addr_format.png

    Figure 27 Format of a resolvable private address

5.1.2. Random address resolution

There are two parts in the resolvable private address, a random part (prand) and a hash. The prand must be equal to 10 (in little-endian bit ordering) at the most significant bits and the rest can be random with the exception of being all ones or zeroes. For resolving its address, the device must generate a key called an Identity Resolution Key (IRK), which will later distribute to trusted devices during the pairing procedure. Using this key and the prand as inputs to a hashing function, the hash is produced as \(\mathrm{hash} = ah(\mathrm{IRK}, \mathrm{prand})\), where \(ah\) is the hashing function. Then the prand and hash are concatenated to generate the random address as \(\mathrm{randomAddress} = \mathrm{hash || prand}\).

Address resolution in a peer device is a straigtforward process. The peer device would have received the IRK sometime in the past during the pairing procedure. Upon reception of the resolvable random address, it splits it into two parts, the prand and the hash. It then computes locally the hash using the stored IRK and prand, and if the hash values match, then the address is resolved. If a device has more than one stored IRK, the device repeats the above procedure for each stored IRK to determine if the received resolvable private address is associated with a stored IRK, until either address resolution is successful for one of the IRKs or all have been tried.

5.1.3. White List

The set of devices that the Link Layer uses for device filtering is called the White List. A White List contains a set of White List Records used for Link Layer device filtering. A White List record contains both the device address and the device address type (public or random). The White List is configured by the Host and is used by the Link Layer to filter advertisers, scanners, or initiators. This allows the Host to configure the Link Layer to act on a request without awakening the Host. This configuration is called the device filter policy.

For Link Layer privacy, a Resolving List exists which contains a set of records for local and peer IRK value pairs. These values are known as the Local IRK and the Peer IRK. The Resolving List IRK pairs are associated with the public or static device address (Identity Address). The Identity Address could be in the White List and when an address is resolved and its Identity Address is in the White List, the appropriate action as was previously set by the Host will be invoked.