Researchers from Boston University (BU) have discovered a flaw in the Bluetooth communication protocol that could expose most devices to third-party tracking and leak identifiable data.

According to the research paper — Tracking Anonymized Bluetooth Devices — published by Johannes K. Becker and David Starobinski, the vulnerability impacts Bluetooth devices running on Windows 10, iOS, and macOS, as well as Fitbit and Apple Watch smartwatches.

The findings of the research were presented yesterday at the 19th Privacy Enhancing Technologies Symposium, Stockholm, Sweden.

The vulnerability allows an attacker to passively track a device by exploiting a flaw in the way Bluetooth Low Energy (BLE) is implemented to extract identifying tokens like the device type or other identifiable data from a manufacturer.

BLE is a relatively recent variant of Bluetooth which was incorporated into the standard in 2010. The technology is meant to provide considerably reduced power consumption while maintaining a similar communication range. Most manufacturers began including BLE in their devices in 2012.

To make pairing between two devices easy, BLE uses public non-encrypted advertising channels to announce their presence to other nearby devices. The protocol originally attracted privacy concerns for broadcasting permanent Bluetooth MAC addresses of devices — a unique 48-bit identifier — on these channels.

However, BLE tried to solve the problem by letting device manufacturers use a periodically changing, randomized address instead of their permanent Media Access Control (MAC) address.

The vulnerability discovered by BU researchers exploits this secondary random MAC address to successfully track a device. The researchers said the “identifying tokens” present in advertising messages are also unique to a device and remain static for long enough to be used as secondary identifiers besides the MAC address.

The “address-carryover” algorithm outlined by Becker and Starobinski leverages the identifying token, which can be used to link the current address to the next random address assigned by the device, thus making it easy for an attacker to track the device in question.

It also doesn’t require message decryption or breaking Bluetooth security, as it’s based entirely on public, unencrypted advertising traffic, the researchers noted.

The algorithm works by listening to incoming addresses and tokens as they are broadcast on the BLE advertising channels. After the tokens are extracted by either looking at the payload information or isolating a byte sequence that meets a predefined list of requirements, the algorithm continuously checks the incoming advertising address against the existing advertising address.

If the addresses match — essentially confirming it’s the same device — the identifying tokens are compared and updated. If they don’t, a match is attempted using any of the available captured identifying tokens as a “pseudo-identity.”

In case of a successful match, the identity of the device is updated with the incoming address, thus allowing the device to be tracked across addresses. If there’s no match, the algorithm terminates.

In their initial tests, the researchers found that this approach works on Windows, iOS, and macOS systems. Interestingly, Android devices are completely immune from the vulnerability as the operating system never sends out manufacturer-specific data or other potentially device-identifying data in those advertising messages.

To protect devices from address-carryover attacks, the researchers suggest device implementations should synchronize payload changes with MAC address randomizations.
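
The check below is an added example, not code from the paper or from any vendor: it audits an advertising trace captured from a single device under test and reports every point where the address or the token changed without the other, which is exactly what the suggested synchronization is meant to rule out. The `Adv` record, both function names and the sample traces are assumptions made for the illustration.

```python
from typing import NamedTuple

class Adv(NamedTuple):
    t: float      # capture time, seconds
    addr: str     # randomized advertising address
    token: bytes  # identifying token taken from the advertising payload

def unsynchronized_changes(trace):
    """Events where only one of (address, token) changed between captures."""
    ordered = sorted(trace, key=lambda a: a.t)
    events = []
    for prev, cur in zip(ordered, ordered[1:]):
        addr_changed = prev.addr != cur.addr
        token_changed = prev.token != cur.token
        if addr_changed != token_changed:
            events.append((cur.t, "address-only" if addr_changed else "token-only"))
    return events

def linkable_chains(trace):
    """Group the addresses that an observer could tie to one identity."""
    ordered = sorted(trace, key=lambda a: a.t)
    chains = []
    for i, cur in enumerate(ordered):
        prev = ordered[i - 1] if i else None
        synced = prev is not None and prev.addr != cur.addr and prev.token != cur.token
        if prev is None or synced:
            chains.append([cur.addr])      # nothing carries over: new identity
        elif cur.addr not in chains[-1]:
            chains[-1].append(cur.addr)    # surviving token or address links it
    return chains

# Constructed traces: addresses and tokens are made up for the example.
WEAK = [Adv(0, "4a:00:00:00:00:01", b"\x10\x05"),
        Adv(600, "4a:00:00:00:00:01", b"\x10\x06"),
        Adv(900, "6c:00:00:00:00:02", b"\x10\x06"),
        Adv(1800, "71:00:00:00:00:03", b"\x10\x06")]
FIXED = [Adv(0, "4a:00:00:00:00:01", b"\x10\x05"),
         Adv(600, "4a:00:00:00:00:01", b"\x10\x05"),
         Adv(900, "6c:00:00:00:00:02", b"\x22\x91"),
         Adv(1800, "71:00:00:00:00:03", b"\x37\x0c")]

if __name__ == "__main__":
    for name, trace in (("weak", WEAK), ("fixed", FIXED)):
        print(name, unsynchronized_changes(trace), linkable_chains(trace))
```

In the weak trace all three addresses end up in one chain; in the fixed trace every rotation starts a new chain because address and token change together.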
