UCL research scrutinises Web Bluetooth API

Lukasz Olejnik, Researcher at UCL Computer Science, has given scrutiny to a new Web Bluetooth API, which stands to be one of the core components of Web of Things, the application layer of Internet of Things. It will enable sensors, beacons and user devices to communicate with each other.

Potential privacy problems according to Lukasz include:

1) Information leaks due to device names. Websites or attackers that can access a Bluetooth-enabled device could determine the owner's real name. Many people use their real names for naming devices, or in some cases, nicknames.

2) Behavioral monitoring. Websites or attackers could query for specific functions, such as the ability to track heart rate, and other sensitive details.

3) Distance monitoring. Websites or attackers can abuse the API's rssi or txPower property to track the user's distance from certain Bluetooth-enabled devices. This would allow a remote attacker to know when a user is at home, at work, or when sleeping.

4) Profiling potential. Websites, attackers, or advertisers could detect a user's living standards and possible wealth based on the devices he shares.

"I expect that a framework making it easy to test, tamper or penetration testing of Bluetooth/IoT/WoT devices will become reality, sooner or later", says Olejnik.

Lukasz Olejnik's comments have been published at 

http://news.softpedia.com/news/new-w3c-web-bluetooth-api-is-a-privacy-nightmare-509805.shtml

and

http://www.dailydot.com/layer8/web-bluetooth-api-privacy-security/