Lost and found: stopping bluetooth finders from leaking private information

Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks Pub Date : 2020-05-17 DOI:10.1145/3395351.3399422

Mira Weller, J. Classen, Fabian Ullrich, Denis Wassmann, Erik Tews

{"title":"Lost and found: stopping bluetooth finders from leaking private information","authors":"Mira Weller, J. Classen, Fabian Ullrich, Denis Wassmann, Erik Tews","doi":"10.1145/3395351.3399422","DOIUrl":null,"url":null,"abstract":"A Bluetooth finder is a small battery-powered device that can be attached to important items such as bags, keychains, or bikes. The finder maintains a Bluetooth connection with the user's phone, and the user is notified immediately on connection loss. We provide the first comprehensive security and privacy analysis of current commercial Bluetooth finders. Our analysis reveals several significant security vulnerabilities in those products concerning mobile applications and the corresponding backend services in the cloud. We also show that all analyzed cloud-based products leak more private data than required for their respective cloud services. Overall, there is a big market for Bluetooth finders, but none of the existing products is privacy-friendly. We close this gap by designing and implementing PrivateFind, which ensures locations of the user are never leaked to third parties. It is designed to run on similar hardware as existing finders, allowing vendors to update their systems using PrivateFind.","PeriodicalId":165929,"journal":{"name":"Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks","volume":"10 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3395351.3399422","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 12

Abstract

A Bluetooth finder is a small battery-powered device that can be attached to important items such as bags, keychains, or bikes. The finder maintains a Bluetooth connection with the user's phone, and the user is notified immediately on connection loss. We provide the first comprehensive security and privacy analysis of current commercial Bluetooth finders. Our analysis reveals several significant security vulnerabilities in those products concerning mobile applications and the corresponding backend services in the cloud. We also show that all analyzed cloud-based products leak more private data than required for their respective cloud services. Overall, there is a big market for Bluetooth finders, but none of the existing products is privacy-friendly. We close this gap by designing and implementing PrivateFind, which ensures locations of the user are never leaked to third parties. It is designed to run on similar hardware as existing finders, allowing vendors to update their systems using PrivateFind.

查看原文本刊更多论文

失物招领:阻止蓝牙查找器泄露私人信息

蓝牙探测器是一种由电池供电的小型设备，可以安装在包、钥匙链或自行车等重要物品上。查找器与用户的手机保持蓝牙连接，并且在连接丢失时立即通知用户。我们提供了第一个全面的安全和隐私分析，目前商用蓝牙查找器。我们的分析揭示了这些产品中涉及移动应用程序和相应的云后端服务的几个重大安全漏洞。我们还表明，所有分析的基于云的产品泄露的私人数据都超过了其各自云服务所需的数据。总的来说，蓝牙查找器有很大的市场，但现有的产品都没有隐私友好型。我们通过设计和实现PrivateFind来缩小这一差距，它确保用户的位置永远不会泄露给第三方。它被设计为运行在与现有查找器类似的硬件上，允许供应商使用PrivateFind更新他们的系统。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks

自引率

0.00%

发文量