this post was submitted on 15 Oct 2024
132 points (95.2% liked)

News

23314 readers
3594 users here now

Welcome to the News community!

Rules:

1. Be civil


Attack the argument, not the person. No racism/sexism/bigotry. Good faith argumentation only. This includes accusing another user of being a bot or paid actor. Trolling is uncivil and is grounds for removal and/or a community ban. Do not respond to rule-breaking content; report it and move on.


2. All posts should contain a source (url) that is as reliable and unbiased as possible and must only contain one link.


Obvious right or left wing sources will be removed at the mods discretion. We have an actively updated blocklist, which you can see here: https://lemmy.world/post/2246130 if you feel like any website is missing, contact the mods. Supporting links can be added in comments or posted seperately but not to the post body.


3. No bots, spam or self-promotion.


Only approved bots, which follow the guidelines for bots set by the instance, are allowed.


4. Post titles should be the same as the article used as source.


Posts which titles don’t match the source won’t be removed, but the autoMod will notify you, and if your title misrepresents the original article, the post will be deleted. If the site changed their headline, the bot might still contact you, just ignore it, we won’t delete your post.


5. Only recent news is allowed.


Posts must be news from the most recent 30 days.


6. All posts must be news articles.


No opinion pieces, Listicles, editorials or celebrity gossip is allowed. All posts will be judged on a case-by-case basis.


7. No duplicate posts.


If a source you used was already posted by someone else, the autoMod will leave a message. Please remove your post if the autoMod is correct. If the post that matches your post is very old, we refer you to rule 5.


8. Misinformation is prohibited.


Misinformation / propaganda is strictly prohibited. Any comment or post containing or linking to misinformation will be removed. If you feel that your post has been removed in error, credible sources must be provided.


9. No link shorteners.


The auto mod will contact you if a link shortener is detected, please delete your post if they are right.


10. Don't copy entire article in your post body


For copyright reasons, you are not allowed to copy an entire article into your post body. This is an instance wide rule, that is strictly enforced in this community.

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Monument@lemmy.sdf.org 9 points 1 month ago* (last edited 1 month ago) (1 children)

Info dump incoming!

Basically, your phone is a big ol’ slut.

I’m not as well versed with WiFi, but phones are set up to be very friendly with Bluetooth. Every Bluetooth device your phone sees, it says hello to. Most phones these days don’t really disable Bluetooth (they just limit its active use), or they disable it for a limited time period.

This is ostensibly fine, since Bluetooth supposedly identifies itself with a MAC address that isn’t necessarily tied to your identity. Unless you connect to something with Bluetooth that knows your identity, like a smart speaker, or have given Bluetooth permissions to any apps you’re logged into.

BLE positioning with sensors utilizes BLE-enabled sensors that are deployed in fixed positions throughout an indoor space. These sensors passively detect and locate transmissions from BLE smartphones, asset tracking tags, beacons, personnel badges, wearables and other Bluetooth devices based on the received signal strength of the transmitting device. This location data is then sent to the central indoor positioning system (IPS) or real-time location system (RTLS). The location engine analyzes the data and uses multilateration algorithms to determine the location of the transmitting device. Those coordinates can be used to visualize the location of a device or asset on an indoor map of your space or leveraged for other uses depending on the specific location-aware application.
Some random website - inpixon.com

That’s not to say that every place you go is deploying BLE beacons to know you spent 20 minutes looking at candy when you were supposed to be making a quick run to get milk, but it’s possible that is occurring. And if it is occurring, it’s likely they’re working with some sort of data broker to deanonymize your data. Or at the very least, making their own inferences - using that loyalty card and a BLE beacon to know that the loyalty info put into a register corresponds to your MAC address.
What’s not likely, however, is that this data is public. Your data has value, so they don’t want to let it go for free, plus if the general public knew they could be tracked almost anywhere, there might be enough outcry for lawmakers to adopt better consumer privacy laws.

Editing to add: Even if you aren’t being precisely tracked within a retail location, a single ping on a Bluetooth device is enough to establish that your phone was within 30-50 feet of the device, which is apparently all the police need to send you to jail for 20 years.

I hope you’ve enjoyed your tour of this info dump. Tin foil hats are on sale at the gift shop!

[–] Baleine@jlai.lu 3 points 1 month ago (1 children)

Thanks for the clarification, does this also work with wifi ?

[–] Monument@lemmy.sdf.org 5 points 1 month ago (1 children)

~~That’s where I know I don’t know enough to respond.~~

Well, crap. I just looked it up. Looks like phones will send out your MAC address when looking for WiFi networks to connect to, and they more or less always search for WiFi, unless currently connected to WiFi.

So - yeah. Same issues with Bluetooth.

And some newer consumer routers do all sorts of funky things under the hood in the name of security, which includes sending information about traffic back to their corporate home base. That could easily also include MAC addresses of passing devices. (Or telling the manufacturer every site you visit. Very fun now that the latest trend in routers is to require cloud connections and accounts, so your identity with them is ‘known’.)

[–] theterrasque@infosec.pub 3 points 1 month ago* (last edited 1 month ago)

Most phones these days use randomized MACs

https://www.guidingtech.com/what-is-mac-randomization-and-how-to-use-it-on-your-devices/

Not sure if that is for BT too, but looks like there is some support for it in the standards

https://novelbits.io/how-to-protect-the-privacy-of-your-bluetooth-low-energy-device/

https://novelbits.io/bluetooth-address-privacy-ble/

The recommendation per the Bluetooth specification is to have it change every 15 minutes (this is evident in all iOS devices).

So seems like it is implemented on some phones at least

https://www.bluetooth.com/blog/bluetooth-technology-protecting-your-privacy/

From 2015. So this seems to be a solved problem for a decade now