Professional Documents
Culture Documents
Abstract—Despite the widespread use of Bluetooth technology, In this paper, we present BlueID – a practical system that
identity management of Bluetooth devices remains a significant identifies Bluetooth devices by fingerprinting their clocks. Due
challenge because the MAC address and name of Bluetooth device to manufacture imperfections, clocks designed to run at the
are easy to forge. In this paper, we present BlueID – a practical
system that identifies Bluetooth devices by fingerprinting their same rate may drift from each other. The difference of real
clocks. Previous approaches to clock fingerprinting exclusively rely running rates between clocks is defined as clock skew. Previous
on the timestamps carried by packet headers, which can be easily studies show that clock skews can be used to fingerprint
spoofed by hacking the user-space device driver. In comparison, PCs [19] and 802.11 access points [11]. However, existing
BlueID performs clock fingerprinting based on the temporal fea- approaches to clock fingerprinting exclusively rely on the
ture of Bluetooth frequency hopping, which is impossible to forge
without a customized baseband. Due to the proprietary nature timestamps carried by packet headers, which can be easily
of chipset firmware that implements baseband on commodity spoofed by hacking the user-space device driver. In comparison,
Bluetooth devices, BlueID will significantly raise the bar of identity BlueID performs clock fingerprinting based on the temporal
spoofing. Moreover, BlueID employs simple yet efficient techniques feature of Bluetooth baseband. Specifically, Bluetooth baseband
to detect and differentiate low power Bluetooth transmissions from divides the wireless channel into short time slots, and switches
a distance, making it suitable for mobile applications like energy
efficient localization and tracking. BlueID is implemented on a the center frequency of communication every slot. Packet trans-
low cost wireless development platform and extensively evaluated mission is aligned with the start of time slot. Exploiting this
based on 56 commodity devices. We show that BlueID can detect feature, BlueID can extract transmitter clock skew by measuring
Bluetooth radios from 100m away, and identify different devices the rate at which received packets drift away from the slot
with high accuracy, short delay, and low computational overhead. boundary. Due to the proprietary nature of chipset firmware that
Although this paper focuses on Bluetooth, the design of BlueID
is general and can be applied to other frequency hopping based implements Bluetooth baseband on commodity devices, BlueID
wireless systems. will significantly raise the bar of identity spoofing. Although
this paper focuses on Bluetooth, the idea of BlueID is general
I. I NTRODUCTION and can be applied to other frequency hopping based wireless
Bluetooth [5] is the de facto wireless technology for personal systems.
area networking of smart devices. It is reported that more To realize BlueID, several practical challenges must be
than two billion Bluetooth-ready devices were shipped during addressed. First, Bluetooth is designed for short range com-
2012 – over 50 millions every day [3]. With the widespread munications. The difficulty in identifying low power Bluetooth
use of Bluetooth technology, identity management of Blue- radios from a distance hinders a wide range of applications
tooth devices is becoming increasingly important. First, reliable that track mobile users using Bluetooth. To address this issue,
identification of Bluetooth device is critical to the privacy of BlueID fingerprints Bluetooth transmitters by timestamping
Bluetooth users. Recent studies show that Bluetooth users are their packet preambles, which can be done at an extremely
susceptible to identity spoofing based attacks [1] [2]. For exam- low signal level, and hence significantly extends the detection
ple, by forging the MAC address of Bluetooth radio, a malicious range. Second, Bluetooth preamble detections suffer substantial
device can pretend to be the Bluetooth headset of a smartphone false positives, where noises are wrongly identified as packet
and thereby trick the victim phone to call back the attacker, preambles. To avoid false detections affecting fingerprinting ac-
allowing for eavesdropping on conversations. Second, device curacy, BlueID employs an efficient filtering algorithm, which
identification is the basic building block for a wide range of leverages the knowledge from Bluetooth specification to re-
mobile applications [12] [13] [17]. For instance, by deploying move false detections. Third, when many Bluetooth users exist
cheap Bluetooth detectors in a mall, service providers can track in the same environment, it is challenging to differentiate their
users by actively probing and identifying their Bluetooth radios, packets based on preambles. To separate preambles transmitted
enabling energy efficient consumer counting and personalized by different devices, BlueID employs a powerful classification
advertising. Similarly, Bluetooth radios can be pre-deployed as algorithm [10], and makes it practical by optimizing its compu-
localization anchors in a large building, allowing mobile users tation and storage overhead. Finally, to improve the accuracy
to locate themselves with low energy cost. of device identification, BlueID employs a novel fingerprint-
2850
IEEE INFOCOM 2014 - IEEE Conference on Computer Communications
clock skew, the baseband controller of slave calibrates its clock 600 600
Phase (us)
Phase (us)
using master packets periodically. 450 450
300 300
B. BlueID Overview 150 150
BlueID fingerprints the clock of Bluetooth device based on 0 0
0 5 10 15 20 0 5 10 15 20
the temporal feature of Bluetooth frequency hopping. In a
piconet, all packet transmissions are scheduled by the master Timestamp (second) Timestamp (second)
device based on its own clock. Ideally, the packet interval (a) Before noise filtering. (b) After noise filtering.
should be 625kμs, where k is a positive integer. However, due Fig. 2. Effect of noise filtering on Bluetooth preamble detections.
to the effect of clock skew, the packet intervals observed by (e.g., for the application to authenticate a known device), or
other Bluetooth devices are always drifted from 625kμs. By can be estimated when the device is first detected (e.g., for
measuring the rate of such drift, BlueID can estimate the clock tracking an unknown Bluetooth user).
skew of piconet master, extracting the device fingerprint. How-
ever, fingerprinting slave devices is more challenging because IV. D ESIGN OF B LUE ID
slaves continuously calibrate their clocks to keep synchroniza- In this section, we introduce the design of BlueID in detail.
tion once paired with the master. Although the current design
of BlueID does not incorporate slave fingerprinting, it will not A. Filtering False Positive Preamble Detections
affect the utility of BlueID. We will discuss the implications of During preamble detections, BlueID may falsely recognize
BlueID for master and slave modes in Section VI-A. noises as preambles, causing false positive detections. Fig. 2(a)
To perform clock fingerprinting, BlueID employs a Bluetooth illustrates the effect of noise on preamble detections. Each point
radio for traffic sniffing, and then extracts clock skews to in the figure represents a detected preamble. The phase of a
identify the master devices of nearby piconets. BlueID is not preamble detected at time t is defined as the offset of t to the
required to pair with or hop along with the target devices. Bluetooth time slot, calculated as p = t mod 625 μs, where t
Instead, BlueID listens on one of the 79 Bluetooth channels, is measured using the clock of BlueID. For Bluetooth devices
and then sniffs packets when other devices switches to the synchronized to the same master clock, the phases of their
monitored channel during frequency hopping. preambles will be linearly increasing or decreasing with time,
Fig. 1 shows the system architecture of BlueID. BlueID depending on the clock skew between BlueID and the master.
is composed of two major components, including preproces- As shown in the figure, three Bluetooth links are observable
sor and fingerprinter. During the preprocessing stage, BlueID during our measurements. However, the detection is heavily
timestamps overheard Bluetooth transmissions by logging the disturbed by significant noise.
time when a packet preamble is detected. Because pream- To address this problem, BlueID leverages the prior knowl-
ble detection can be done at an extremely low signal level, edge of Bluetooth specification to filter out false positive
timestamping preambles rather than the overheard packets can detections. The basic idea is as follows. Suppose two preambles
significantly extend the detection range of BlueID. However, are detected at time ti and tj , respectively. If both preambles
such design also raises two challenges for accurate finger- are transmitted by devices synchronized to the same master
printing. First, Bluetooth preamble detection yields high false clock, then their phase difference will be upper-bounded by
positive rate, as noises are often wrongly identified as pream- 40×|ti −tj | μs. This is due to the clock skew constraint imposed
bles. Second, when many Bluetooth users exist in the same by Bluetooth specification [5], which requires all commercial
environment, it is difficult to differentiate their packets based off-the-shelf Bluetooth devices to limit their clock skews within
on preambles. To address these issues, BlueID employs a simple ±20 ppm. Due to the burstiness of application traffic, true
yet efficient noise filter to remove the timestamps of false preambles will be detected with small phase differences within
positive detections. The filtered detections are then processed a short time window. While for false preambles, their phases
by the preamble separator to separate preambles of different are randomly distributed within [0, 625)μs. Consequently, given
piconets. a false preamble detected at t, the probability of observing a
BlueID employs an accuracy-aware fingerprinter, which es- number of preambles with small phase differences to t is small.
timates the clock skew for each piconet master, estimates the Based on this observation, we propose a simple yet efficient
fingerprinting error, and then identifies the master devices. noise removal algorithm. Specifically, the detector buffers the
First, the clock skew estimator derives master clock skews timestamps of detected preambles in a moving time window of
based on the preprocessed clock samples. For fine-grained one second. Let t0 be the smallest timestamp in the window,
characterization of fingerprint accuracy, BlueID employs the and n be the number of timestamps whose phase differences
error analyzer to estimate the distribution of measurement to t0 are within ±20 μs. The detector removes t0 if n is less
errors. Based on the results, the device identification component than a pre-defined threshold N .
calculates the difference between the estimated clock skew and We now discuss how to choose the threshold N . Assuming a
a fingerprinting reference to determine whether the piconet false preamble is detected at time t, we use dt to denote the set
master matches a given device. The fingerprinting reference of preamble detections within the one second time window of
can be profiled if BlueID was paired with the device before (t, t + 1]. Let n be the number of false detections in dt whose
2851
IEEE INFOCOM 2014 - IEEE Conference on Computer Communications
Intercept (×10 )
Intercept (×10 )
Intercept (×10 )
4 200 4 100 4 40
2
2 150 2 75 2 30
0 100 0 50 0 20
-2 50 -2 25 -2 10
-4 0 -4 0 -4 0
-40 -20 0 20 40 -40 -20 0 20 40 -40 -20 0 20 40
-6 -6 -6
Slope (×10 ) Slope (×10 ) Slope (×10 )
Fig. 3. The results of iteratively applying GHT on the filtered preamble detections shown in Fig. 2(b). Each bin in the figure represents a line featured by the
intercept and slope. Bin brightness indicates the number of votes, i.e., number of preamble detections falling into the bin. In each round of GHT, the bin of
most votes are separated out and removed from the data set. The separated points are shown in Fig. 4.
Round-1 Round-2 Round-3 the number of points fallen into each bin. Bins of high densities
600 imply the existence of lines.
Phase (us)
2852
IEEE INFOCOM 2014 - IEEE Conference on Computer Communications
it cannot measure transmitter clock skew in a fine granularity. we can use Eq. (1) to estimate clock skew, where Cy (Δti ) can
We now discuss how to extract clock skew after preamble be obtained by reading the clock value of BlueID.
separation. The clock skew between two clocks is defined as
D. Analysis of Estimation Error
the difference between their actual running rates. Let Cx (t)
be the amount of time reported by clock x for a groundtruth The accuracy of clock skew estimation could be affected
time period t. The clock skew between clocks x and y can by several error sources, such as the random delays occurred
be computed as φx,y = Cx (t)/Cy (t), where φx,y is typically inside the hardwares of transmitter and BlueID, the small time
expressed in microseconds per second (μs/s), or parts per deviations of slave packet transmissions induced by imperfect
million (ppm). synchronization, as well as the false positive preamble detec-
Let t be the time when a packet transmission is scheduled tions that accidentally survive noise filtering. Although estima-
on a Bluetooth device, and t the time when BlueID detects its tion accuracy could be improved using long time measurement,
preamble. We have t = t + d, where d is a random delay that this is often impractical due to the prohibitive delay incurred.
includes the signal propagation delay and the delay incurred in Therefore it is important for BlueID to analyze the accuracy
the transmitter and receiver hardwares. Given a pair of packets, of clock skew estimation, and then account for its impact in
their time interval measured at BlueID is Δt = Δt+Δd, where device identification.
Δd is a random jitter with mean zero. Let x and y be the clocks In the following, we introduce the fine-grained characteriza-
of the piconet master and BlueID. Their clock skew can be tion of clock skew estimation error. Specifically, we prove the
(Δt)
expressed as φx,y = CCyx(Δt Cx (Δd)
) + C (Δt ) . Given n packet pairs,
Lyapunov central limit theorem (CLT) for the estimation error
y
the sum of random jitter Δd approaches zero when n goes e given in Eq. (1). Therefore, the range of e can be estimated
large. As a result, we can estimate the clock skew φx,y and the using normal distribution.
corresponding estimation error e as follows, Given n pairs of detected preambles, we define the random
variable X = Cx (Δd), and Yi = X/αi , where αi = Cy (Δti )
1 Cx (Δti ) 1 Cx (Δdi )
φx,y = , e= (1) 1μs. Let σn2 = E(Yi2 ). The order-4 Lyapunov’s condition can
n 1≤i≤n Cy (Δti ) n 1≤i≤n Cy (Δti )
be proved as follows,
where Cy (Δti ) can be obtained using the clock of BlueID. 1 1≤i≤n αi
4
lim E(Yi4 ) = lim A × 2
= 0, (5)
To estimate the clock skew using Eq. (1), a key problem n→∞ σn4 n→∞ ( 1≤i≤n αi )2
1≤i≤n
is how to reverse Cx (Δti ), the clock value of piconet master.
4
BlueID achieves this goal by exploiting the temporal feature where A = EE(X ) 1
2 (X 2 ) is a constant. Therefore, we have σn Yi ∼
of Bluetooth FHSS. Because Bluetooth transmission always N (0, 1). As a result, the clock skew estimation error e follows
2
begins at the start of time slot, we have, normal distribution, e ∼ N (0, σnn ), where σn can be estimated
Cx (Δti ) = k × 625μs, (2)
as follows,
n
2
2 625ki
σn = 1− − φx,y , (6)
where k is a positive integer. Let z be the groundtruth clock, i=1
Cy (Δti )
i.e., Cz (t) = t, k can be derived as follows,
where Cy (Δti ) can be obtained using the BlueID clock, ki is
Cx (Δti ) − Cx (Δdi ) (1 − φx,y )Cy (Δti )
− (1 − φx,z )Δdi the only integer in Eq. (4), and φx,y is estimated in Eq. (1).
ki = = ,
625μs 625μs
(3) E. Device identification
Based on the results derived in Section IV-C and Section
where φx,z is the skew between clock x and the groundtruth IV-D, the device identification component of BlueID calculates
clock z. As defined in Bluetooth specification [5], the random the difference between the estimated clock skew and a given
delay di must be smaller than 20μs. Thus we have |Δd| ≤ fingerprint reference. We represent the fingerprint as λ =<
20μs. Moreover, based on the clock skew constraint, we have φ, s2 >, where φ is the estimated clock skew, and s2 = σn2 /n
|φx,z | ≤ 20ppm and |φx,y | ≤ 40ppm. Putting them together, can be computed using Eq. (6). n is the number of preambles
we can compute the range of k using the BlueID clock, used for clock skew estimation. Given two fingerprints, denoted
as λx =< φx , s2x > and λy =< φy , s2y >, BlueID derives
0.99996Cy (Δti ) 1.00004Cy (Δti ) their difference using the Bhattacharyya distance, which is
ki ∈ − 0.032, + 0.032 , (4)
625μs 625μs a common measure for the similarity of two distributions.
Specifically, it is computed as,
When Cy (Δti ) ≤ 7.3s, k can be determined because there is at
most one interger in the region defined in Eq. (4). 1 1 s2x s2y 1 (φx − φy )2
DB (λx , λy ) = ln ( 2 + 2 + 2) + . (7)
Therefore, for the i-th pair of detected preambles whose 4 4 sy sx 4 s2x + s2y
interval is shorter than 7.3s, we can reverse the clock value of
piconet master for this interval by finding the integer ki in Eq. In the application of BlueID, we can impose a threshold
(4), and then take it into Eq. (2) to compute Cx (Δti ). Finally, on Bhattacharyya distance for device identification. If the
2853
IEEE INFOCOM 2014 - IEEE Conference on Computer Communications
clock skews between two devices is greater than the threshold, To address such security concerns, a simple yet efficient
then they are identified as different devices. We will evaluate approach is to put privacy critical Bluetooth devices into slave
the impacts of threshold selection on the accuracy of device mode during communication, which will effectively avoid the
identification in Section VII-C. issue of clock exposure. Even if the clock skew is known to an
attacker, the security risk is controllable at the authentication
V. B LUE ID I MPLEMENTATION stage. Specifically, to enable BlueID-assisted authentication,
We have implemented BlueID with 619 lines of C code in Bluetooth devices should insist on using slave mode when
BlueZ [4] – an open source user-space Bluetooth driver of receiving a connection request, allowing BlueID to fingerprint
Linux. Preamble filtering and separation are performed based and authenticate the requesting device when negotiating the
on a time window of one second. To separate preambles of connection.
different piconets, the bin size of GHT is set to 1ppm×5μs. B. Fabrication of Clock Skews
In order to timestamp the preambles of Bluetooth packets,
BlueID is interfaced to Ubertooth [6] – an open source 2.4 GHz We now discuss the feasibility of fabricating clock skews
wireless development platform that costs about $90. Ubertooth using an unauthorized Bluetooth device through driver modi-
is mainly composed of a LPC1700 microcontroller and a low- fication. As we discussed in previous section, compared with
power CC2400 wireless transceiver, which is compliant with the existing clock fingerprinting approaches [14] [11], a key ad-
radio layer of latest Bluetooth specification [5]. To timestamp vantage of BlueID is that it extracts clock skews from Blue-
preambles, we employ the sniffing tool provided by Ubertooth tooth baseband, which must be implemented in the chipset
firmware. The sniffer records the value of a 10 MHz clock firmware due to the time criticality of FHSS. In Bluetooth,
whenever a Bluetooth preamble is received, and then reports the device driver cannot control the time when a packet is
the clock value to a laptop running BlueID through a high actually transmitted. This is because the baseband controller
speed USB port. will forcibly align the packet on the start of a time slot
For efficient preamble detection, the listening channel of defined by the chipset clock. Although the baseband controller
Ubertooth is carefully configured by BlueID to address the of slave device will calibrate its clock to synchronize itself
cross-standard interference of coexisted devices. For example, with master, the master-slave connection cannot be established
when WiFi transmitters are active in the same environment, without authentication. As a result, clock skew fabrication is
Adaptive Frequency Hopping (AFH) enabled Bluetooth pi- impossible for unauthorized devices without customizing the
conets will avoid the channels used by WiFi during frequency chipset firmware. Because of the proprietary nature of chipset
hopping. In this case, listening on those channels will decrease firmware, BlueID will significantly lift the bar of Bluetooth
the success rate of preamble detection, leading to longer finger- identity spoofing.
printing delay. In real-life WLANs, most access points use one C. Deployment on Commodity Device
of three orthogonal 802.11 channels, including channel 1, 6, and
Major operations of BlueID, including preprocessing and
11, which overlap with 60 out of 79 Bluetooth channels. Based
fingerprinting, can be implemented in user-space device driver.
on this observation, BlueID initially configures Ubertooth to
To deploy BlueID on commodity Bluetooth device, the only
use one of the 19 channels that are not interfered by WiFi.
modification needed in chipset firmware is to have the chipset
When strong un-decodable signal is detected, BlueID quickly
report its clock value when detecting a Bluetooth preamble. As
switches the listening channel until a clear channel is found.
we discussed earlier, deploying BlueID on commodity devices
VI. D ISCUSSION will enable a wide range of mobile applications for low energy
localization and user tracking. Moreover, BlueID will signif-
In this section, we discuss important issues related to the icantly benefits existing authentication protocols. Meanwhile,
design, application, and deployment of BlueID. the security risk of BlueID is easily controllable.
A. Security Implications for Master and Slave Modes VII. E VALUATION
The ability of BlueID to identify the piconet masters based In this section, we evaluate BlueID based on a set of 56
on their clock skews may raise security concerns. In fact, commodity Bluetooth devices, including two wireless headsets,
knowing the identity of a target device is the prerequisite 37 USB adapters, and built-in radios in four laptops, eight
of many Bluetooth based attacks [1]. A common practice to smartphones, and five tablets. Among these devices, 32 USB
secure Bluetooth is to put the device into invisible mode, adapters are of the identical model. Devices of the same model
where the device identity is never exposed to untrusted parties. are typically more challenging to differentiate because of the
During packet transmission, encryption is often enabled to similarity in the characteristics of their hardware clocks. Our
conceal the device MAC address from eavesdropper. However, evaluation focuses on three aspects of BlueID performance,
fingerprinting systems like BlueID could compromise such de- including: (1) How effectively does BlueID detect and separate
sign. In particular, BlueID is able to extract device fingerprints Bluetooth preambles? (2) What is the overhead of BlueID? and
by simply timestamping their packet preambles, even without (3) How efficient is clock fingerprinting for Bluetooth device
decoding their packets. identification?
2854
IEEE INFOCOM 2014 - IEEE Conference on Computer Communications
1 1.5 1
Normalization ratio
Preamble detection rate
0.8 After Bluetooth goodput 0.8
filtering
1
0.6 0.6
CDF
CDF
Before
0.4 filtering 0.4 Avg=0.094 ppm
0.5
0.2 0.2
0 0 0
-8 -4 0 4 8 12 5 10 15 20 25 ... 100 0 0.1 0.2 0.3 0.4 0.5 0.6
SNR (dB) Distance to the transmitter (meters) Clock skew error (ppm)
Fig. 5. Amount of false preamble detections Fig. 6. Comparison of BlueID detection range and Fig. 7. Error of clock skew measurement when
before and after noise filtering. Noise is quantified Bluetooth communication range. The preamble de- multiple piconexts coexist in the same environ-
using signal-to-noise ratio (SNR), which is the ra- tection rate and Bluetooth goodput are normalized ment.
tio between the numbers of true and false preamble to the results measured at 5m.
detections calculated in dB.
A. Preamble Detection and Separation of detected preambles per second after filtering. In Fig. 6, both
preamble detection rate and Bluetooth goodput are normalized
Filtering false preamble detections. We first evaluate how
to the results measured at 5m. We observe that Bluetooth
efficiently BlueID removes false preamble detections. Our ex-
goodput drops to zero when the LinkSys adapter is about 25m
periments are conducted on 30 piconets composed of different
away from the latptop. In comparison, BlueID reliably detects
Bluetooth devices. In each piconet, we deploy a Ubertooth
Bluetooth preambles when it is 100m away from the laptop.
node to detect preambles, and then apply the filtering algorithm
This result clearly demonstrates the advantage of preamble-
described in Section IV-A to remove false preamble detections.
based detection adopted by BlueID. The long detection range
To obtain the ground truth of whether a detected preamble is
can also lead to practical Bluetooth-based localization and
noise, we use Ubertooth [6] to decode the received signal, and
tracking applications.
then extract the sender MAC address. The amount of noise is
quantified using signal-to-noise ratio (SNR), which is calculated Separating preambles of different piconets. Next, we evalu-
as 10 log10 nnTF , where nT and nF are the numbers of true ate how accurately BlueID separates the preambles of different
and false preamble detections, respectively. Fig. 5 compares the piconets. We construct a synthetic data set by mixing the
SNRs before and after noise filtering. As shown in the figure, preambles detected in 12 piconets, and then apply the algorithm
the SNR is significantly improved after filtering. Specifically, introduced in Section IV-B for preamble separation. We observe
the average SNRs before and after filtering are -4.9dB and that the average error rate of separation is only 4.3%. We
7.9dB, respectively. Filtering boosts SNR by 12.8 dB. further study the impact of separation error on clock skew
Although false positive preamble detections cannot be com- measurement. We first measure the clock skew for each piconet
pletely removed by the filter component, its impact on the master before mixing the detected preambles. The results are
performance of device identification is limited. First, BlueID then used as the ground truth to evaluate the clock skews
employs a line detection based algorithm to separate preambles measured in the synthetic data set. Fig. 7 plots the distribution
(see Section IV-B). Noise preambles not clustered in the line of measurement error. As shown in the figure, the average error
will be ignored after separation. Second, BlueID employs is only 0.094ppm.
an accuracy-aware fingerprinting scheme, which characterize B. Overhead of BlueID
measurement errors, and accounts for their impacts in device We now evaluate the overhead of BlueID, including the
identification. measurement delay and the computational overhead.
Detection range of BlueID. To measure the clock skew of Measurement delay. We first study the measurement delay
a transmitter, BlueID sniffs and timestamps packet preambles, of BlueID, i.e., the time needed by BlueID to achieve accu-
which can be done at an extremely low signal level. A key rate clock skew measurement. We characterize measurement
motivation of this design is to extend the detection range of accuracy using the length of 95% confidence interval. Clearly,
BlueID, which is particularly crucial when identifying low- measurement delay depends on the packet rate of Bluetooth
power Bluetooth radios. application. High packet rate typically yields short measure-
Fig. 6 compares the detection range of BlueID with the ment delay. Our experiments are conducted based on two
communication range of a commodity Bluetooth device. Our representative types of Bluetooth traffic, including TCP-based
experiment is conducted in an outdoor soccer field, where a data traffic and UDP-based voice traffic.
Lenovo T430S laptop is deployed to transmit a large file over Fig. 8 shows the measurement time needed to achieve dif-
Bluetooth. The receiving sensitivity of Ubertooth is comparable ferent levels of clock skew accuracy. To limit the measurement
to Class-1 Bluetooth radios. For a fair comparison, we compare error within 0.1ppm, BlueID needs only 21 seconds of data
the detection range of Ubertooth to a LinkSys Bluetooth traffic monitoring, and 65 seconds for voice traffic.
adapter, which is a Class-1 device equipped with an external Such delay can be further reduced. Current design of BlueID
antenna. The preamble detection rate is defined as the number uses a single detector to monitor one of 79 Bluetooth channels,
2855
IEEE INFOCOM 2014 - IEEE Conference on Computer Communications
100 100 and -12.25ppm during our measurement. The average clock
80 80 skews are -12.00ppm, -12.03ppm, and -12.05ppm, respectively.
Delay (sec)
Delay (sec)
60 60 We further conduct a large-scale measurement to study the
40 40 clock skew variations in our device set. Fig. 10 shows the
20 20 distribution of clock skew variations within one hour. We
0 0 observe that the variation is within 0.5ppm for all devices.
1.0 0.5 0.2 0.1 1.0 0.5 0.2 0.1
The average variation is only 0.205ppm. As we will show
Clock skew error (ppm) Clock skew error (ppm)
later, such variations will not affect the performance of device
(a) Data traffic. (b) Voice traffic. identification.
Fig. 8. Delay needed to achieve different levels of measurement accuracy.
Difference of clock skews across devices. Next, to further
Day-1 Day-2 Day-3 validate the consistency of clock skew on Bluetooth devices, we
compare the clock skew variations observed on individual de-
-11.5
Clock skew
2856
IEEE INFOCOM 2014 - IEEE Conference on Computer Communications
1 108 1.5
Cross-distance True Positive Rate
Bhattacharyya dist
0.8 Self-distance False Positive Rate
106
Probability
1
0.6
CDF
2857