Blue's Clues: Practical Discovery of Non-Discoverable Bluetooth Devices

Bluetooth is overwhelmingly the protocol of choice for personal area networking, and the Bluetooth Classic standard has been in continuous use for over 20 years. Bluetooth devices make themselves Discoverable to communicate, but best practice to protect privacy is to ensure that devices remain in Non-Discoverable mode. This paper demonstrates the futility of protecting devices by making them Non-Discoverable. We introduce the Blue's Clues attack, which presents the first direct, non-disruptive approach to fully extracting the permanent, unique Bluetooth MAC identifier from targeted devices in Non-Discoverable mode. We also demonstrate that we can fully characterize device capabilities and retrieve identifiers, some of which we discover often contain identifying information about the device owner. We demonstrate Blue's Clues using a software-defined radio and mounting the attack over the air against both our own devices and, with institutional approval, throughout a public building. We find that a wide variety of Bluetooth devices can be uniquely identified in less than 10 seconds on average, with affected devices ranging from smartphones and headphones to gas pump skimmers and nanny-cams, spanning all versions of the Bluetooth Classic standard. While we provide potential mitigation against attacks, Blue's Clues forces a reassessment of over 20 years of best practices for protecting devices against discovery.