The vulnerability has to do with the way Bluetooth Low Energy devices announce themselves before they ever connect. In that relationship, one device acts as the central and the other as a peripheral. The peripheral broadcasts advertising packets that carry its device address (closer to a hardware MAC address than to an IP address) along with a short payload describing the device and what it offers. Most devices use a randomized address that is regenerated periodically. That's meant to protect users' privacy, but the BU researchers found that, using an open-source sniffer and an address-carryover algorithm they developed, they could keep following a device across address changes: identifying fields in the advertising payload are not refreshed at the same moment as the address, so a newly appearing address can be linked to the one it replaced.
While the vulnerability doesn't leak personal data, it could be used to track Bluetooth devices and their users. Android might get a pass here. The researchers say Android devices don't appear to be vulnerable, but Windows 10 and iOS devices can be tracked. Fitbit users have it the worst. According to the researchers, Fitbits don't automatically update or randomize their addresses, making them even easier to track.
A Fitbit spokesperson provided the following statement to Engadget: "As the leader in the connected health and fitness category, Fitbit is committed to protecting consumer privacy and keeping data safe. The trust of our customers is paramount and we carefully design security measures for new products, continuously monitor for new threats, and rapidly respond to identified issues."
The company also said that Fitbit devices aren't able to share personally identifiable information for any users, and the company believes it would be extremely difficult to actually stalk someone using this method. "Bluetooth Low Energy (BLE) technology is widespread and allows all types of devices to connect easily without draining battery power. It's important to note that this technology can only be used to confirm that an active tracker is nearby. No personally identifiable information is shared or accessible. It's highly unlikely that someone could stumble across a particular device, know who it belongs to, and track the device's movement," the company's statement says. Finally, Fitbit is keeping an eye on the situation and monitoring for any security breaches: "We are not aware of any consumer reports, inquiries or security incidents related to this issue and will continue to monitor it carefully," Fitbit's spokesperson said.
As a silver lining, thwarting this security gap can be as simple as turning off your Bluetooth connection and then turning it on again, at least for Windows 10 and iOS devices: the reset forces the device to generate a fresh random address and a fresh advertising payload at the same time, which breaks the chain the carryover technique depends on. It does nothing for a device whose address never changes in the first place. And don't get ready to ditch your Bluetooth gadgets just yet. As BU researcher Johannes Becker points out, "There are tons of ways to track people, with or without Bluetooth." But it's important to be aware of the signals you're sending out and who might have access to your sensitive information.
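To make the tracking mechanism and the off/on remedy described above concrete, here is an added example (not code from the BU paper or from Engadget) that parses BLE advertising payloads and links a device's successive random addresses whenever the identifying fields in the payload stay the same. Every packet below is constructed by hand: the addresses, the manufacturer-data bytes standing in for the persistent token, the rotation times and the one-hour linking window are all assumptions chosen to mimic the behaviour the article describes, not captured data.

```python
"""Linking BLE advertisers across random-address rotations (address-carryover).

Added illustration, not the researchers' code. All packets are constructed.
"""
from dataclasses import dataclass

# AD types from the Bluetooth Assigned Numbers document.
AD_FLAGS = 0x01
AD_COMPLETE_LOCAL_NAME = 0x09
AD_MANUFACTURER_SPECIFIC = 0xFF


@dataclass
class AdvEvent:
    t: float        # seconds since the start of the (constructed) capture
    addr: str       # advertiser address as seen on the air
    payload: bytes  # raw advertising data: a sequence of AD structures


@dataclass
class Track:
    addrs: list     # every address this device has been seen under, in order
    tokens: tuple   # payload fingerprint from the most recent packet
    last_seen: float


def parse_ad_structures(payload: bytes) -> dict:
    """Split advertising data into {ad_type: data}; each structure is len, type, data."""
    ads, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                 # zero-length structure is padding; stop
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        ads[payload[i + 1]] = payload[i + 2:end]
        i = end
    return ads


def build_payload(*structures) -> bytes:
    """Inverse of parse_ad_structures: assemble (type, data) pairs into raw bytes."""
    out = bytearray()
    for ad_type, data in structures:
        out += bytes([len(data) + 1, ad_type]) + data
    return bytes(out)


def identifying_tokens(payload: bytes) -> tuple:
    """Payload fields that can outlive an address change (flags excluded: every
    advertiser sends near-identical flags, so they carry no identity)."""
    ads = parse_ad_structures(payload)
    return tuple(sorted((t, d) for t, d in ads.items() if t != AD_FLAGS))


def track_devices(events, window: float = 3600.0) -> list:
    """Address-carryover: group advertising events into per-device address chains.

    A never-before-seen address is attached to an existing track when that
    track's payload tokens match and it was seen within `window` seconds.
    Returns one address list per inferred device, in order of first appearance.
    """
    tracks, by_addr = [], {}          # by_addr: current address -> Track
    for ev in sorted(events, key=lambda e: e.t):
        tokens = identifying_tokens(ev.payload)
        track = by_addr.get(ev.addr)
        if track is None:
            # New address: did a recently seen device carry the same tokens?
            candidates = [tr for tr in tracks
                          if tr.tokens == tokens and ev.t - tr.last_seen <= window]
            if candidates:
                track = max(candidates, key=lambda tr: tr.last_seen)
                del by_addr[track.addrs[-1]]      # the old address is retired
                track.addrs.append(ev.addr)
            else:
                track = Track(addrs=[ev.addr], tokens=tokens, last_seen=ev.t)
                tracks.append(track)
            by_addr[ev.addr] = track
        track.tokens, track.last_seen = tokens, ev.t
    return [tr.addrs for tr in tracks]


# Constructed sample capture. 0x004C is Apple's company identifier; the bytes
# after it are an invented stand-in for a token that persists across rotations.
APPLE_ID = b"\x4c\x00"
PHONE_FLAGS = (AD_FLAGS, b"\x1a")
PHONE_TOKEN = (AD_MANUFACTURER_SPECIFIC, APPLE_ID + b"\x10\x05\x0b\x1c\xa9\x4e\x21")
PHONE_TOKEN_AFTER_TOGGLE = (AD_MANUFACTURER_SPECIFIC, APPLE_ID + b"\x10\x05\x0b\x1c\x33\x8f\x07")
TRACKER_PAYLOAD = build_payload((AD_FLAGS, b"\x06"), (AD_COMPLETE_LOCAL_NAME, b"Tracker"))

SAMPLE_EVENTS = [
    AdvEvent(0.0,    "5E:3A:11:22:33:44", build_payload(PHONE_FLAGS, PHONE_TOKEN)),
    AdvEvent(5.0,    "C0:3F:FB:AA:BB:CC", TRACKER_PAYLOAD),  # wearable with a fixed address
    AdvEvent(450.0,  "5E:3A:11:22:33:44", build_payload(PHONE_FLAGS, PHONE_TOKEN)),
    AdvEvent(910.0,  "7B:19:AA:BB:CC:DD", build_payload(PHONE_FLAGS, PHONE_TOKEN)),  # address rotated
    AdvEvent(1000.0, "C0:3F:FB:AA:BB:CC", TRACKER_PAYLOAD),
    AdvEvent(1820.0, "61:02:55:66:77:88", build_payload(PHONE_FLAGS, PHONE_TOKEN)),  # rotated again
    AdvEvent(2500.0, "4F:77:01:02:03:04", build_payload(PHONE_FLAGS, PHONE_TOKEN_AFTER_TOGGLE)),  # Bluetooth off/on
]

if __name__ == "__main__":
    for chain in track_devices(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

Run as written, the phone's three rotated addresses come out as one chain, the fixed-address wearable is a chain of one address that never changes (and so needs no carryover at all), and the packet sent after the simulated off/on toggle starts a separate chain because its token changed together with the address. The toy here uses exact token equality; a real sniffer would also have to tolerate payload fields that change for benign reasons, which is why the window and the choice of which fields count as identifying matter in practice.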
Update, 7/18/19, 1:45PM ET: This story has been updated with a statement from Fitbit.