Tracking the Tracker: Rapid Identification of Bluetooth Devices

IoT under Lock and Key: Tracking the Tracker
Rapid Identification of Bluetooth Devices

Margus Lind

Fourth Year Project Report
School of Informatics
University of Edinburgh
2017

This work is dedicated to my mother, uncle, grandmother and grandfather. You have always given me all the support I have needed in any way, and have never stopped inspiring me to strive forwards.

Abstract

The entitlement to privacy one might expect in everyday life is constantly being challenged by the advancement and widespread adoption of technology in our modern, interconnected world. Small gadgets are part of our everyday life, but we are rarely concerned with what information those devices could be leaking about us; the device identity itself is sufficient to track the owner. Rapid passive identification of devices therefore creates a way to track the population of a whole area.

We propose a highly parallelisable solution for sniffing Bluetooth device addresses that is capable of rapid device identification. In contrast to past efforts, our suite is designed for wide-spectrum monitoring with a view to hardware acceleration. Our solution is a custom Software Defined Radio stack capable of monitoring multiple channels in parallel, which creates the opportunity for advanced analysis of timing correlations between channels.

We present conclusions on the work undertaken and the results obtained. Our implementation is evaluated with respect to performance, scalability, false positive rate, miss rate, and a confidence index derived from the latter two metrics. We highlight the implicit limitations of each of our decisions throughout the report, and give suggestions for future improvements and continued research.

Acknowledgements

Greatest of thanks to my supervisor Dr Paul Patras for the unending patience, support and guidance I have received. This has nurtured my interest in research, and helped me push on towards success.
I would like to mention the great support from my family and friends that has kept me going throughout difficulties. Johanna, I can completely understand the frustration you have had to put up with during my long days in the Forum. I wish to thank Toomas Remmelg and Rui Li for helping me understand academic work better and for sharing innumerable coffees throughout this project. Additional thanks to both of you for your amazing feedback. Lastly, I would like to mention Robert Petrut Dumitru for helping me overcome my lack of knowledge regarding Digital Signal Processing.

Table of Contents

List of Figures
List of Tables
1 Introduction
  1.1 Overview
  1.2 Aims
  1.3 Outcomes
  1.4 Contributions
  1.5 Outline
2 Background
  2.1 The Bluetooth Classic Protocol
    2.1.1 The Device Address
    2.1.2 Packet Structure
  2.2 Software Defined Radio
    2.2.1 USRP and GNU Radio
  2.3 Modulation and Demodulation
    2.3.1 The GFSK Modulation Scheme
  2.4 Existing Bluetooth Sniffing Tools
    2.4.1 BlueZ
    2.4.2 gr-bluetooth
    2.4.3 Ubertooth One
3 Platform Design
  3.1 Receiving, Filtering and Demodulating Samples
  3.2 Identifying Packets
  3.3 Options for Parallelising
4 Implementation
  4.1 GNU Radio Reception Pipeline
  4.2 Preamble, Barker Code, and Trailer Pre-calculation
  4.3 Access Code Pre-calculation
  4.4 Header Pre-calculation
  4.5 Packet Detection and Extraction
  4.6 Further Packet Verification
5 Evaluation
  5.1 Computational Performance and Speed
  5.2 Design of Experiments
  5.3 Proof of Motivation
  5.4 Capturing Input
  5.5 False Positives
  5.6 Miss Rate
  5.7 Detection/Discovery Time
  5.8 Scalability
6 Conclusion
  6.1 Tracking People Based on Partial Device Addresses
  6.2 Bluetooth Low Energy (Bluetooth Smart)
  6.3 Future work
  6.4 Final Remarks
Bibliography
A Feedback Day Poster

List of Figures

2.1 Structure of the BD_ADDR
2.2 Structure of the Access Code
2.3 Dependence of Preamble and Trailer on Sync Word
2.4 Dependence of Barker code on LAP
2.5 Structure of the packet Header
2.6 USRP B210
2.7 The uhd_fft spectrum analyser
2.8 Professional Protocol Analysers
2.9 Ubertooth One
3.1 A top level diagram for eavesdropping on a single channel
3.2 A top level diagram for eavesdropping on multiple channels in parallel
3.3 Position of centre frequency relative to intended target
3.4 Differences of Bluetooth and WiFi packets in frequency domain
4.1 GNU Radio pipeline for capturing and extracting a channel
4.2 GNU Radio flow graph for channelized capture and processing
4.3 GUI options used during development
4.4 A Bluetooth packet in frequency domain
4.5 A Bluetooth packet after band pass filtering
4.6 A Bluetooth packet after squelching
4.7 A Bluetooth packet after second band pass filtering
4.8 A Bluetooth packet viewed as an IQ constellation
4.9 Constellation when there is no current BT packet
4.10 Preamble and Trailer mapping generator
4.11 Barker code mapping generator
4.12 Pseudorandom noise LFSR
4.13 Generating an AC from a LAP
4.14 LFSR class design
4.15 HEC LFSR module
4.16 Whitener LFSR module
4.17 Generating all possible headers
4.18 Buffer struct with convenience methods
4.19 Pushing an input bit into the buffer
4.20 Exploring all LAPs within a Hamming distance
4.21 Pushing an input bit into the buffer
4.22 Verifying header correctness
4.23 Correlating packets to discover UAP
5.1 Layout of the interfaces for experiments
5.2 Out-of-Memory/Disk Full with tmpfs
5.3 Number of LAPs detected across background monitoring experiments
5.4 Number of LAPs detected across all experiments
5.5 Number of Inquiry packets detected
5.6 Number of Inquiry packets detected during pairing (normalised)
5.7 Confidence index across all experiments
5.8 Confidence index excluding WiFi and background noise experiments
5.9 Confidence index across all experiments, using our solution's internal confidence measure
5.10 Fast and Extended Processing with and without Internal Confidence Model (ICM) for detecting known devices during pairing (normalised)
6.1 Calculating probability of no collision given a pool size and a sample size
A.1 Feedback Day Poster

List of Tables

4.1 Parameters for the GFSK demodulator
4.2 FEC 1/3 decoding lookup table
5.1 Suggested Bit Error Tolerances
5.2 Configuration of USRP boards used during main experiments
5.3 Monitoring paired but out of range devices
6.1 Effect of UAP entropy on collisions during surveillance

Chapter 1 Introduction

1.1 Overview

Rapid external identification of small portable devices allows their owners to be tracked. In this project we implement a way of obtaining identifiable information from transmissions sent using Bluetooth (BT), a wireless communication protocol widely used by gadgets. Gaining such insight into small portable devices poses a direct security and privacy risk to people carrying wearables.

The requirement to trust commercial network operators with one's privacy in order to use a network has been discussed for decades [1, 2]. Personal networks have not escaped scrutiny either: identification based on Wi-Fi probes is explored in [3]. Even in complex environmental settings, it has been shown that positioning people based on signals from their devices is possible [4]. This information would help many benevolent causes, for example smart dynamic lighting and energy management [5], finding co-workers quickly [4, 6], improving public transportation systems [7] or optimising pedestrian routes [8].
On the other hand, tracking people can be considered a direct invasion of privacy, particularly when attempted without prior consent. Undesired uses of personal tracking data could include insurers altering premiums based on the frequency of visits to surgeries or pubs, advertisers gaining access to even more aspects of personal life, and criminals being able to predict opportune moments.

Our privacy in everyday life is constantly challenged by advances in technology in the modern interconnected world. In many cases devices are rushed to market, leaving security and privacy issues as an afterthought. Furthermore, small devices are limited in processing power, so computationally expensive approaches are often not suitable. This limits the methods available for establishing a higher standard of security and privacy, even where one is sought. As a result, many small portable devices have opted for simpler, but less robust, methods to protect their communications, which in turn may leak information about the devices or even the data transmitted. Such shortcuts leave the door open to attacks on both the device and the protocols it uses.

1.2 Aims

The purpose of this project is to demonstrate the feasibility of tracking individuals based on the communications of the portable BT devices they carry. To achieve that we need to detect and sniff packets, and then extract the identifying parameters from the recorded messages. This is complicated by the obscure nature of BT's interference mitigation: the carrier frequency is changed regularly (frequency hopping) based on parameters not known to agents outwith the Personal Area Network (PAN).
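The aims above rest on extracting address parameters from sniffed packets. The LAP arrives in the clear in the access code, but the UAP does not: the sniffer has to infer it from the Header Error Check (HEC), whose generator is seeded with the UAP, after undoing the FEC 1/3 repetition and the clock-dependent whitening (Table 4.2 and Figures 4.15, 4.16 and 4.23 in the list above refer to exactly these pieces). The following Python is an added example written for this page, not code from the dissertation, and is in Python rather than the project's own stack for brevity. It models the transmitter side so that it can fabricate its own captures, then recovers the UAP by trying all 64 CLK[6:1] whitening seeds and all 256 UAPs for each packet and intersecting the candidate sets across packets. The LFSR orientations, the seed layout and the on-air bit order are this example's reading of the Bluetooth Core specification and should be treated as assumptions to validate against a real capture; the secret UAP, header values and clock values in the demo are constructed.

```python
# Added example (not the dissertation's code): recover a Bluetooth BR/EDR UAP from
# sniffed packet headers by brute-forcing the HEC.  LFSR orientation, seed layout
# and on-air bit order are assumptions taken from the Bluetooth Core spec as read
# here; check them against a known-good capture before trusting the output.
from typing import Dict, List, Set

# HEC generator g(D) = D^8 + D^7 + D^5 + D^2 + D + 1 (0x1A7), reflected to 0xE5 so the
# register can be run as a right-shifting Galois LFSR on plain integers.
HEC_POLY_REFLECTED = 0xE5


def reverse8(value: int) -> int:
    """Bit-reverse an 8-bit value; the UAP is loaded into the HEC register LSB first."""
    return int(f"{value & 0xFF:08b}"[::-1], 2)


def hec(uap: int, header_bits: List[int]) -> int:
    """HEC of the 10 header bits (transmission order) with the register seeded by the UAP."""
    state = reverse8(uap)
    for d in header_bits:
        feedback = (state & 1) ^ d
        state = (state >> 1) ^ (HEC_POLY_REFLECTED if feedback else 0)
    return state


def whitening_stream(clk6_1: int, n: int) -> List[int]:
    """First n bits of the data-whitening LFSR D^7 + D^4 + 1, seeded with 1 || CLK[6:1]."""
    state = 0x40 | (clk6_1 & 0x3F)          # bit 6 fixed to 1 so the seed is never all-zero
    out = []
    for _ in range(n):
        out.append((state >> 6) & 1)
        feedback = ((state >> 6) ^ (state >> 3)) & 1
        state = ((state << 1) & 0x7F) | feedback
    return out


def fec13_encode(bits: List[int]) -> List[int]:
    """FEC 1/3: every bit is sent three times."""
    return [b for b in bits for _ in range(3)]


def fec13_decode(bits: List[int]) -> List[int]:
    """Majority vote per triple; corrects any single flipped bit in a symbol."""
    return [int(sum(bits[i:i + 3]) >= 2) for i in range(0, len(bits) - 2, 3)]


def int_to_bits(value: int, n: int) -> List[int]:
    """LSB first, i.e. the order the bits go on air."""
    return [(value >> i) & 1 for i in range(n)]


def bits_to_int(bits: List[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))


def encode_header(uap: int, header_bits: List[int], clk6_1: int) -> List[int]:
    """Transmitter side: header || HEC, whitened with the clock seed, then FEC 1/3 coded (54 air bits)."""
    plain = header_bits + int_to_bits(hec(uap, header_bits), 8)
    whitened = [b ^ k for b, k in zip(plain, whitening_stream(clk6_1, 18))]
    return fec13_encode(whitened)


def uap_candidates(air_bits: List[int]) -> Dict[int, Set[int]]:
    """Sniffer side, one packet: every (UAP, CLK[6:1]) pair under which the received HEC checks."""
    whitened = fec13_decode(air_bits)
    found: Dict[int, Set[int]] = {}
    for clk in range(64):
        plain = [b ^ k for b, k in zip(whitened, whitening_stream(clk, 18))]
        header, rx_hec = plain[:10], bits_to_int(plain[10:18])
        # For a fixed header the HEC is a bijection in the UAP, so each clock guess
        # yields exactly one candidate: at most 64 per packet.
        for uap in range(256):
            if hec(uap, header) == rx_hec:
                found.setdefault(uap, set()).add(clk)
    return found


def recover_uap(captures: List[List[int]]) -> Set[int]:
    """Intersect candidate sets across packets; the true UAP survives every packet."""
    survivors: Set[int] = set(range(256))
    for air_bits in captures:
        survivors &= set(uap_candidates(air_bits))
    return survivors


if __name__ == "__main__":
    SECRET_UAP = 0x3C                                                # constructed; unknown to the sniffer
    traffic = [(0x0A5, 17), (0x1F0, 42), (0x033, 3), (0x2C9, 63),    # (10-bit header, CLK[6:1]), constructed
               (0x155, 0), (0x0E2, 29), (0x3A1, 50), (0x07B, 9)]
    captures = [encode_header(SECRET_UAP, int_to_bits(h, 10), c) for h, c in traffic]
    for n in range(1, len(captures) + 1):
        print(f"after {n} packet(s): {len(recover_uap(captures[:n]))} UAP candidate(s)")
```

Each packet contributes at most 64 candidates, so a handful of headers from the same piconet normally narrows the set to the real UAP. A production sniffer tightens this further by requiring the clock guesses for successive packets to be mutually consistent, and by checking the payload CRC (also seeded with the UAP) on packets that carry one; both checks drop candidates faster than the plain intersection shown here.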
