Updated, 7/19/19, 7:35am PT: A Microsoft spokesperson responded to our request for comment with the following statement: “Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible. We addressed this issue in the Windows 10 May Update (1903) and customers who have Windows Updates enabled are protected." This puts a timely spotlight on the problems caused by using outdated versions of Windows, like many are said to be doing right now by continuing to use the Windows 10 April 2018 Update, and other software. Apple has not responded to us, but it's possible that it too has addressed the flaw exposed by this research in macOS or iOS updates without publicly acknowledging the problem.
Original article, 7/17/19, 12:48pm PT:
Boston University researchers have discovered flaws in the Bluetooth Low Energy (BLE) implementations of Windows 10, macOS and iOS that could allow devices running those operating systems to be tracked. ZDNet reported that the researchers shared details about the flaw at the Privacy Enhancing Technologies Symposium today in an effort to raise awareness for the flaw in a nigh-ubiquitous protocol.
BLE's name suggests it was developed to make wireless connectivity less of a battery killer. That's partly true, but it was also made to solve a privacy issue resulting from how Bluetooth connections were formed. Previous versions of the protocol had devices constantly broadcast their media access control (MAC) address; this made it easy to identify and track specific devices that were actively using Bluetooth. BLE changed things up to allow devices to broadcast a "periodically changing, randomized address," as the researchers described it.
The problem stems from how Microsoft and Apple generate these ostensibly random addresses. The researchers explained in their paper that someone continuously monitoring the "advertisements" BLE uses to seek connections might be able to identify and track specific devices. The advertisements in question don't have anything to do with promoting a product. Instead, they are the messages BLE devices constantly emit "to announce their presence to other devices," as the researchers put it. (Should there be a better name for those messages in a time when people fear their privacy is constantly being compromised for someone's profit? Probably.) Those advertisements are the problem.
The researchers said they developed an "address-carryover algorithm" that "exploits the fact that identifying tokens and the random address do not change in sync" to "continuously track a device, despite implementing anonymization measures." This exploit doesn't even require any real hacking--it simply uses publicly broadcast information in ways that Microsoft and Apple didn't account for in their designs.
This exploit is thought to affect all Windows 10, macOS, and iOS devices. Researchers explained why Android isn't affected:
"We observed Android advertising addresses to change in intervals of about 15-45 minutes. However, the observed Android smartphones use a completely different advertising approach than Windows or iOS/macOS, making them immune to the address-carryover algorithm. The tested Android phones never send out manufacturer-specific data or other potentially device-identifying data in regular intervals. Instead the OS scans for advertisements of other devices when the Bluetooth settings are opened by the user. Due to the lack of active, continuous advertising, identifying tokens cannot be assembled, making the observed Android devices immune to the carry-over algorithm."
More information is available in the full paper, "Tracking Anonymized Bluetooth Devices. The researchers said they disclosed these issues to Microsoft and Apple in November 2018; it's not clear if either company has responded. Neither has publicly acknowledged the issue. We've contacted both companies and will update this article if they respond.