Mobile apps that work with Bluetooth devices have an inherent design flaw that makes them vulnerable to hacking, new research has found.

The problem lies in the way Bluetooth Low Energy devices — a type of Bluetooth used by most modern gadgets — communicate with the mobile apps that control them, said Zhiqiang Lin, associate professor of computer science and engineering at The Ohio State University. Lin presented the findings this week at the Association for Computing Machinery’s Conference on Computer and Communications Security (ACM CCS 2019).

«There is a fundamental flaw that leaves these devices vulnerable — first when they are initially paired to a mobile app, and then again when they are operating,» Lin said. «And while the magnitude of that vulnerability varies, we found it to be a consistent problem among Bluetooth low energy devices when communicating with mobile apps.»

Consider a wearable health and fitness tracker, smart thermostat, smart speaker or smart home assistant. Each first communicates with the apps on your mobile device by broadcasting something called a UUID — a universally unique identifier. That identifier allows the corresponding apps on your phone to recognize the Bluetooth device, creating a connection that allows your phone and device to talk to one another.

But that identifier itself is also embedded into the mobile app code. Otherwise, mobile apps would not be able to recognize the device. However, such UUIDs in the mobile apps make the devices vulnerable to a fingerprinting attack, Lin and his research team found.

«At a minimum, a hacker could determine whether you have a particular Bluetooth device, such as a smart speaker, at your home, by identifying whether or not your smart device is broadcasting the particular UUIDs identified from the corresponding mobile apps,» Lin said. «But in some cases in which no encryption is involved or encryption is used improperly between mobile apps and devices, the attacker would be able to ‘listen in’ on your conversation and collect that data.»

Still, that doesn’t mean you should throw your smartwatch away.

Story Source: Materials provided by Ohio State University. Original written by Laura Arenschield. Note: Content may be edited for style and length.