35 comments

[ 3.6 ms ] story [ 85.0 ms ] thread
In Houston, TX, USA, I noticed antennas placed over individual highway lanes. It turns out they track the Bluetooth signals from cars to determine traffic. They even have a message on their website saying people should be more worried about license plate tracking.

https://www.houstontranstar.org/faq/traffictech.aspx

On the OEM infotainment center in my vehicle, I can't even find a way to turn off Bluetooth.

Similarly in NSW Australia they had installed similar antannas on traffic lights/traffic light boxes. Iirc they would also track Bluetooth signals. Not sure they tracked the OEM infotainment stuff or just the drivers phone Bluetooth IDs
Can confirm that they do vehicles infotainment systems. NSW is also not the only state to have them.
I just removed the bluetooth module from my car.
Yeah, I rewrote a system for a company that did this. If it makes you feel any safer, the original codebase was an error-prone mess written by an intern.

It’s not any more, but all it did was ping for MAC addresses at both ends of the stretch. I suppose the data could prove your presence, but it’s the presence of your car really. At least with Apple the MAC gets cycled now.

ok cool, did you leave a spare key under the mat so we can turn it off?
You know what you cant turn off? TPMS. I mean you can remove them from your car, but those little guys broadcast and with the right equipment you can track cars with them.
Yes. The IDs are unique, fixed, and easy to pick up. You have to broadcast a low-frequency signal first to enable them and they'll emit a signal. There are several projects on GitHub to pick them up, and I've successfully done it.

See: https://github.com/merbanan/rtl_433

Did you do anything useful with the data? I'd love to just have a raspberry pi scanning and logging them with timestamps to archive with video.
No, but I've been collecting all this data for a while and trying to see if there's a security business to be built around this. I do a lot of "RF" projects, so this is a natural extension.
In one state I cannot mention, in Australia, there are at least 4000 of these things by the side of the road. During criminal cases its not unusual for a vehicles MAC address to be run through the database of collected data and matched to the vehicles location at a point in time. If the vehicle was also carrying correct plates then ALPR can be included. Prosecution gets to present a very pretty map with detailed timestamps.

I cannot mention the state because their presence is not disclosed publicly.

(comment deleted)
I considered building a tool to have running that would capture WiFi/Bluetooth addresses of those around in case of a burglary, but I figured most devices anonymize their addresses nowadays.
You could have use a stingray to capture their IMSI
It really annoys me that changing an IMEI is a crime in many countries. The mobile stack has tracing built in a low level, and is genuinely impossible to use anonymously.
Does it matter that you can't change the IMEI? Your IMSI identifies you anyway.
Both are used over the air during the initial attach. If you're trying to hide from (I assume predominantly) the authrities, then it's possible to see that you've switched SIM cards into the same handset.
As far as I know the way Bluetooth is implemented in many devices prevents it from working if you change the MAC address all the time.

I've experienced this reliance on MAC addresses by trying to use Bluetooth headphones in a dual boot system. Every time I switch operating systems, I need to repair. Same with phones that have been factory reset. Peripherals seem to assume that a device (MAC address) uuniquely identifies the other end of the connection (which it actually is supposed to, so fair enough). You can probably use random addresses for scanning for new devices, but for any active use of the protocol you're going to need to stick to a given address. As long as you only use one device at a time, that address can probably be randomised for each device, but that's a hard sell that strongly limits how Bluetooth can be used.

The Bluetooth classic, the variant which is typically used for audio and handsfree use cases, does not support address randomization. However, Bluetooth classic device does not necessarily need to be in discoverable mode for paired device to be able to connect. Typically they are discoverable only when they are set to some kind of pairing mode.

Bluetooth LE, which is used for wearables like smart watches etc, supports address randomization and it has mechanism for finding paired devices even though the address changes. Bluetooth LE devices must advertise for other devices to be able to connect. Many headsets nowadays use classic Bluetooth for audio streaming and handsfree but in addition they use Bluetooth LE for configuring the headset through their app. That is why the headsets are often advertising all the time.

As a side note, contact tracing apps are making our phones also to advertise. Fortunately they are using address randomization properly to ensure phones can't be tracked.

Assuming that all these headsets are bluetooth "classic", since I am yet to see a bluetooth low energy headset, how could they be tracked, anyway?

Were the headsets all in "discoverable" mode ? Are headsets announcing their MACs even when not in discoverable mode ? Or do they broadcast their MACs in plain text even during a paired&encrypted connection ?

I had a similar idea, and I suspect that address randomization isn't as big a problem as you might suspect, since many people have a paired device (i.e. headphones), and that pairing often uses classic Bluetooth, so it must have a fixed address. The burglar's car is also likely to broadcast unrandomized bluetooth if it's in the area, also.

But the real trouble with this system is that the police aren't going to do anything with this data unless there's a murder. Even if a bluetooth device were stolen and you could locate it, the police will not likely help you recover anything. And this assumes that they even understand what this pissed-off nerd is on about.

Amazon, however, could build a bluetooth sniffer or IMSI catcher into its devices and sell the resulting data to law enforcement, who could then avoid the time and expense of getting a warrant for location data. Assuming that the police care at all about property crime, this would achieve the goal.

What's his gdpr policy?
GDPR applies to organizations, he is not an organization and not doing it as a business.
He's storing private data that can geolocate people (mac address + exact geolocation + timestamp)
With that you can not identify any individual. You can try to prove that some device was at that location at the time.
Even if he stores private data GDPR would not apply to him as an individual, but other laws may apply depending on the data and the country.
Trivia: Norway is not in the EU, but they still adopted the GDPR. (A possible practical effect might be implementation differences due to that)
Reading GDPR's definition of personal data I think he is safe
Actual paper as a web page: https://www.hegnes.tech/2021/09/01/location-tracking-of-wifi...

Wow, lots of maps in there. He also recorded WiFi SSIDs and mapped which one were still on WEP, or even unencrypted (although my guess is these are public ones like in a coffee shop)

> or even unencrypted

Even unencrypted? I am biased here having run an open wifi since they were commercially avilable.

In the beginning, there was this huge concern that wifi would hurt the last mile ISP business. Many started outright forbidding guests using the connection in their terms of service. That didn't work out very well. Calling them insecure and having papers write about how to check that other people couldn't connect to work network worked much better.

My concern is that letting the commercial ISPs set the discourse around encryption, which is better suited for the endpoints than the transmission layer, set us back several years of deploying encryption everywhere. It also made for in my opinion unnecessary concerns around real world implementations of mesh networking.

Note that there are security concerns with running unencrypted wifi as compared to having a shared secret publicly available. An SSL-only world mostly mitigates this, and encrypted DNS is a piece to this story. End user systems could easily have had a no plain text-option among their firewall settings to help get this going. Language matters. Commercial interests are obvious here, the lay persons focus on transmission encryption made this transition harder, and every time someone speaks of insecure last mile transmission we are reminded of it.

(comment deleted)
Isn't the just technical parlance for following somebody on your bike? There's nothing original here.