“It is unpleasant knowing that others, that you don’t know, are able to track you via Bluetooth. It never crossed my mind”, an individual the NRK has identified through their headphones says.
Right next to Bislett Stadium, one of Norway’s most well-known sporting arenas, someone is wearing a pair of the popular headphones from Bose called QuietComfort 35. It is a little before four o’clock on a Wednesday in February, and the weather is below freezing.
Completely without the owner’s knowledge, their headphones are beaming out its unique name and identity on a frequency humans can’t hear.
Today, at this precise spot in Oslo, someone is listening in and registering all the messages being sent from nearby Bluetooth devices. This technology is enabling phones, headsets, and speakers to talk to each other wirelessly.
62 days later, the same Bose headphones are at another place in Oslo. In the intersection between Badebakken and Bergensgaten, seven messages are broadcast, making it possible to determine that this is the same device seen near the stadium.
On several occasions, student and IT enthusiast Bjørn Martin Hegnes has been carrying equipment for listening in on Bluetooth and WiFi messages for an academic project. His goal was to investigate how many of us can be tracked in secret without even noticing.
“I was surprised how easy it is to track all the accessories you can connect to a phone. It can be a bathroom scale or a headset”, Hegnes says.
Hegnes has shared 1.7 million intercepted Bluetooth messages with the NRK, who have then done further analysis. The number might seem high, but it only reflects the almost continuous exchange of messages sent via Bluetooth. In short, the messages show that:
- At least 9149 products with Bluetooth transmitters were uniquely recognized at least 24 hours apart.
- At least 129 headphones could be tracked in the dataset for longer than 24 hours.
- Popular headphones models from Bose, Bang & Olufsen, Jabra, Sennheiser and JBL can be tracked over longer periods of time.
The data were collected by Hegnes that travel by bike throughout Oslo with a Bluetooth receiver. The first couple of trips were used to test the device and the procedures, then he endeavored on a 300-kilometer-long trip over 12 days. The antenna picked up Bluetooth messages within a radius of 100 meters. To NRK, Hegnes says he would have used a car next time.
Privacy risks
The reason some digital devices can be tracked over time, is because they don’t change something called their MAC address on regular intervals. This address is making each Bluetooth device unique, and is used so products can communicate with each other.
“For people that are in a vulnerable situation, this is especially scary. This shows that it doesn’t help to just change your phone number. Somebody could just drive around and search for MAC addresses to fridges, laptops, smart TVs, and headsets”, Hegnes says.
The last couple of years, more devices have begun hiding and frequently changing their unique identifiers on a regular basis.
“One of the reasons phones began changing MAC addresses, was because the Snowden revelations were showing that the NSA were mapping individual persons’ movement by tracking the MAC addresses of their smartphones”, Eivind Arvesen says.
Arvesen, who is the group cyber security manager at Sector Alarm, has a long background in the field of privacy engineering, which is about making products and services more secure and privacy friendly.
He states that there are several reasons why a device might be trackable over time. To a certain extent, some of it is because there are different Bluetooth standards, and only newer versions allow for frequently changing the MAC address. Also, there are no requirements forcing manufacturers to change this address at regular intervals.
“It is frightening how little is evidently needed to continuously map the whole of Oslo, Arvesen says, referring to the commercial availability of Bluetooth modules that can listen to messages sent up to one kilometer away.
Last year, NRK reported that the company Nye Veier were tracking Bluetooth messages to measure travel time on several sections of public roads. Nye Veier ended these measurements after NRKs story, but similar systems are still in use by Avinor to measure time through airport security.
The products are for sale
Several of the headphones which could be tracked over time are for sale in electronics stores, but according to two of the manufacturers NRK have spoken to, these models are being phased out.
“The products in your line-up, Elite Active 65t, Elite 65e and Evolve 75e, will be going out of production before long and newer versions have already been launched with randomized MAC addresses. We have a lot of focus on privacy by design and we continuously work with the available security measures on the market”, head of PR at Jabra, Claus Fonnesbech says.
“To run Bluetooth Classic we, and all other vendors, are required to have static addresses and you will find that in older products,” Fonnesbech says.
Jens Bjørnkjær Gamborg, head of communications at Bang & Olufsen, says that “this is products that were launched several years ago”.
“All products launched after 2019 randomize their MAC-addresses on a frequent basis as it has become the market standard to do so”, Gamborg says.
Still, some manufacturers like Sennheiser have yet to start the phase out.
“Our headphones which use Bluetooth Low Energy technology currently work with static Bluetooth/MAC addresses. Starting with the next product releases in the first quarter of 2022, randomized Bluetooth/MAC addresses will be used for all our new headphones”, Maik Robbe, a communications manager from Sennheiser, says.
“The use of randomized Bluetooth/MAC addresses is still relatively new in the consumer electronics industry. This functionality was introduced within the last few years and has only recently reached a sufficient maturity of implementation”, Robbe says.
Older devices, such as phones and tablets, would not recognize the headphones if they changed MAC addresses, according to Robbe. This would have «heavily diminished the user experience» since the user had to reconnect the devices on every use.
JBL confirms through a spokesperson from the owner-company Harman that the specific product uses Bluetooth Classic.
“As a global company, our products are compliant with applicable regulations wherever our products are distributed”, the spokesperson says.
NRK has tried to get a comment from Bose which did not want to respond to our questions.
These products are affected:
- Bang & Olufsen: Beoplay E8, Beoplay H7, Beoplay H8i, Beoplay H9
- Jabra: Elite Active 65t, Jabra Elite 65e, Jabra Evolve 75e
- Bose: QuietComfort 35, QuietComfort 35 II
- JBL: JBL Reflect Mini NC
- Sennheiser: Momentum True Wireless 2, Momentum 3
Don’t give the devices your name
“I am warning against using your first or last name on Wi-Fi routers or phone accessories, as that could make identifying you easier”, Hegnes says.
His research has shown that at least 36 people have given their Bluetooth device their full name. Many more have used their first name, last name, or other potentially identifying information.
Using such a unique name could make you trackable even if the MAC address is changing at regular intervals. NRK identified and contacted the owner of a Bose headset by their full name.
The owner did not want to be named, but he said to NRK: “It is unpleasant knowing that others, that you don’t know, are able to track you via Bluetooth. It never crossed my mind.”
Story updated with statement from JBL.