Google and Apple have jointly submitted a proposed industry specification to prevent the misuse of Bluetooth location-tracking devices for unwanted tracking.
More specifically, the two tech firms want to make unwanted tracking via Bluetooth trackers easy to detect, so that users are alerted when they are being tracked.
Bluetooth trackers have become increasingly popular for helping users locate personal items such as keys, purses, and luggage. While these devices provide convenience and peace of mind, they also pose potential dangers to consumers. The technology can be misused for unwanted tracking, allowing malicious actors to monitor an individual’s movements, belongings, and habits. This can lead to privacy breaches, stalking, and other harmful situations.
Google and Apple have recognized the dangers associated with the misuse of Bluetooth trackers and have taken collaborative action to address this issue. The new specification proposal has been submitted to the portal of the Internet Engineering Task Force (IETF), where experts in the field will review it over the next three months.
The proposal will then take its final form based on comments and recommendations. The two consumer tech giants will incorporate it into their respective mobile operating systems, iOS and Android, hopefully before the end of the year, generating unwanted tracking alerts to protect users. Already, companies with a stake in Bluetooth tracking products like Samsung, Tile, Chipolo, eufy Security, and Pebblebee have expressed their support for the draft specification.
The proposed specification includes various security considerations to address the risks associated with Bluetooth trackers. One key concern is the serial number look-up, which provides vital information for users encountering unwanted tracking notifications. To maintain privacy and prevent misuse, the serial number look-up should only be available in separated mode for a paired accessory. Accessing the serial number over long-range wireless interfaces like Bluetooth should require user action, while NFC may allow access due to the close proximity. Moreover, the accessory should provide only non-identifiable data to non-owner requesting devices, encrypted and unlinkable, to protect user privacy and prevent tracking.
For additional confidentiality, obfuscated owner information provides potential victims with limited information about the owner of the location tracker while respecting the privacy of accessory owners. Serial number look-up over Bluetooth LE aims to balance the owner’s privacy with the ability to empower potential victims by requiring the accessory to be in a separated state and a physical action to enable serial number retrieval. Additionally, rotating the resolvable and private addresses of the location-enabled payload reduces the risk of nefarious stable identifier tracking.
The Internet Engineering Task Force (IETF) will create a new registry group called “Unwanted Tracking Protocols (UTP)” that includes the “Manufacturer Protocol ID” and “Product Data” registries. New entries in these registries will be assigned based on expert review. The entries will contain important fields such as manufacturer name, protocol ID, product data, disablement instructions, and serial number look-up information.
Other details in the specification define the device capabilities, transmission types and intervals, Bluetooth advertisement MAC address rotation policies, and non-owner finding features, and describe time-related actions like exiting near-owner mode after 30 minutes of lost proximity (physical separation) with the owner.
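The serial number look-up rules and the 30-minute near-owner timeout described above can be read as a small accessory-side policy. The sketch below is an added example, not code from the draft or from either vendor: the `Accessory` class, its field names, and the 5-minute user-action window are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

NEAR_OWNER_TIMEOUT_S = 30 * 60   # article: leave near-owner mode after 30 min apart
USER_ACTION_WINDOW_S = 5 * 60    # assumed value; the article does not give one


class Mode(Enum):
    NEAR_OWNER = "near-owner"
    SEPARATED = "separated"


class Transport(Enum):
    BLE = "bluetooth-le"   # long range: needs a physical user action first
    NFC = "nfc"            # close proximity: no extra action needed


@dataclass
class Accessory:
    """Hypothetical model of a tracker; all times are seconds on one clock."""
    paired: bool = True
    last_owner_seen: float = 0.0
    last_user_action: Optional[float] = None

    def mode(self, now: float) -> Mode:
        if now - self.last_owner_seen >= NEAR_OWNER_TIMEOUT_S:
            return Mode.SEPARATED
        return Mode.NEAR_OWNER

    def serial_lookup_allowed(self, transport: Transport, now: float) -> bool:
        # Only a paired accessory in separated mode answers at all.
        if not self.paired or self.mode(now) is not Mode.SEPARATED:
            return False
        if transport is Transport.NFC:
            return True
        # Bluetooth LE: require a recent physical action (e.g. a button press).
        if self.last_user_action is None:
            return False
        return 0 <= now - self.last_user_action <= USER_ACTION_WINDOW_S


if __name__ == "__main__":
    tag = Accessory(last_owner_seen=0.0)          # constructed timeline
    for t in (10 * 60, 30 * 60, 35 * 60):
        print(t // 60, "min:", tag.mode(t).value,
              "NFC" if tag.serial_lookup_allowed(Transport.NFC, t) else "-",
              "BLE" if tag.serial_lookup_allowed(Transport.BLE, t) else "-")
```

In this model a tracker that is still near its owner never reveals its serial number, and a separated tracker reveals it over Bluetooth LE only shortly after someone physically handles it.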
Those who want to dive deep into the technical paper that lays out all the aspects of the proposal can find the draft here.
Apple’s and Google’s proposed specification is a significant step toward addressing the privacy and security risks associated with Bluetooth trackers, which, despite years of efforts to address them, have remained unresolved at a generic level.
Until the proposed specification is adopted and transformed into tangible user-protection features, Android users, who are currently more vulnerable than Apple users because iOS has a reasonably effective anti-tracking system against AirTags, are advised to use the AirGuard app. This app, developed by a team of university researchers in Germany, offers adequate protection against unwanted tracking while respecting the user’s privacy. Alternatively, Apple has also published an anti-tracking app on Google Play. However, it should be noted that users report Apple’s app on Android is not working consistently and has not received an update for over a year.