Christopher Ellis (The Ohio State University), Yue Zhang (Drexel University), Mohit Kumar Jangid (The Ohio State University), Shixuan Zhao (The Ohio State University), Zhiqiang Lin (The Ohio State University)

Wireless technologies like Bluetooth Low Energy (BLE) and Wi-Fi are essential to the Internet of Things (IoT), facilitating seamless device communication without physical connections. However, this convenience comes at a cost—exposed data exchanges that are susceptible to observation by attackers, leading to serious security and privacy threats such as device tracking. Although protocol designers have traditionally relied on strategies like address and identity randomization as a countermeasure, our research reveals that these attacks remain a significant threat due to a historically overlooked, fundamental flaw in exclusive-use wireless communication. We define _exclusive-use_ as a scenario where devices are designed to provide functionality solely to an
associated or paired device. The unique communication patterns inherent in these relationships create an observable boolean side-channel that attackers can exploit to discover whether two devices “trust” each other. This information leak allows for the deanonymization of devices, enabling tracking even in the presence of modern countermeasures. We introduce our tracking attacks as _IDBleed_ and demonstrate that BLE and Wi-Fi protocols that support confidentiality, integrity, and authentication remain vulnerable to deanonymization due to this fundamental flaw in exclusive-use communication patterns. Finally, we propose and quantitatively evaluate a generalized, privacy-preserving mitigation we call _Anonymization Layer_ to find a negligible 2% approximate overhead in performance and power consumption on tested smartphones and PCs.

View More Papers

A Key-Driven Framework for Identity-Preserving Face Anonymization

Miaomiao Wang (Shanghai University), Guang Hua (Singapore Institute of Technology), Sheng Li (Fudan University), Guorui Feng (Shanghai University)

Read More

The (Un)usual Suspects – Studying Reasons for Lacking Updates...

Maria Hellenthal (CISPA Helmholtz Center for Information Security), Lena Gotsche (CISPA Helmholtz Center for Information Security), Rafael Mrowczynski (CISPA Helmholtz Center for Information Security), Sarah Kugel (Saarland University), Michael Schilling (CISPA Helmholtz Center for Information Security), Ben Stock (CISPA Helmholtz Center for Information Security)

Read More

Ghidra: Is Newer Always Better?

Jonathan Crussell (Sandia National Laboratories)

Read More