It’s probably lurking in your favourite smartband or smartwatch, and it’s beaming out a signal to everyone around you, like it or not. Why Bluetooth Low Energy or BLE could be a serious security flaw.
What is Bluetooth Low Energy (BLE)?
As the name suggests, BLE is a low-powered spin-off of Bluetooth, designed to transmit a signal over short range distances while sucking very little energy. It’s commonly found on modern fitness trackers, a perfect match as these devices are compact, with dinky batteries, yet are constantly relaying information to and from your smartphone.
So what’s the problem?
As this Contextis blog points out, it’s all too easy to tap into a BLE device owned by someone close by, for instance to track their location. All you need is an app and you’re good to go.
So for instance, if you were able to identify your boss’ Fitbit, you could set up an alert every time he or she wanders into range. Good news if you’re paranoid that your superiors will catch you playing Stick Cricket instead of working.
Likewise, journalists, stalkers and ne’er-do-wells could use the tech to track celebrities, politicians and other important figures. In fact, the Chinese military has apparently been warned to keep away from wearables for just this reason.
It’s even possible to snag personal info from a device using BLE, including health and general activity data, if a thief were so inclined.
BLE can also be used to beam messages to a smartphone when the owner passes by an ‘iBeacon’ transmitter, something already used by the likes of Apple and BA. Stride into British Airway’s lounge in supported airports and your boarding pass app will automatically ping up the WiFi password – that’s a message transmitted over BLE, straight to your handset.
While BLE isn’t currently used to send spam messages or adverts to consumers, we’re only a short step away. You’ll need to have an appropriate app installed to pick up such messages of course, but it’s perfectly possible for manufacturers or providers to smuggle such apps onto your phone when they sell it to you. Seemingly innocent apps could also have the feature squirrelled away, so you don’t even know it’s there until you start receiving special offers for half-price tampons.
Which devices are affected and how do I check if my phone/wearable is pumping out a BLE signal?
The Contextis blog pointed out a wide range of fitness wearables that throw out a BLE signal, including FitBit, Jawbone and Nike products, as well as the humble Apple iPhone (and possibly the Apple Watch).
To check if you have any BLE-emitting gadgets, you can download this handy Android app which scans the local area. A BLE signal can usually be found up to 100m from a vulnerable device. We turned on the RaMBLE scanner on our commuter train and picked up over 20 devices, all iPhones, in just a few minutes.