DINKDINK | 3 years ago

Comments are focusing on the protocol's message content, which is not the source of the ability to track broadcasters. The ability comes from detecting nuances in the RF signal:

>BLE [snip] imperfections are introduced by the shared I/Q frontend of the chipset (Figure 1). They result in two measurable metrics in BLE and WiFi transmissions: Carrier Frequency Offset (CFO) and I/Q imperfections, specifically: I/Q offset and I/Q imbalance.

Links to the paper:

https://cseweb.ucsd.edu/~nibhaska/papers/sp22_paper.pdf

https://www.researchgate.net/publication/360655420_Evaluatin...

Git repo: https://github.com/ucsdsysnet/blephytracking
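The three metrics named in the quoted passage, measured on constructed samples, to show that they describe the transmitter's front end and not the message content. This is an added example, not part of the thread, the paper or the linked repository. It assumes a simplified capture (an unmodulated carrier rather than a real BLE packet) and a 4 MHz sample rate; `impaired_tone`, `measure` and all sample values are hypothetical.

```python
import cmath
import math
import random

FS = 4_000_000  # sample rate in Hz (assumed: 4 samples per 1 Mbit/s BLE symbol)

def impaired_tone(cfo_hz, dc, gain_ratio, n=4000, noise=0.002, seed=0):
    """Constructed capture: an unmodulated carrier as seen after a transmitter
    front end with the given CFO, I/Q offset and I/Q gain ratio."""
    rng = random.Random(seed)
    out = []
    for k in range(n):
        theta = 2 * math.pi * cfo_hz * k / FS
        i = gain_ratio * math.cos(theta) + dc.real + rng.gauss(0, noise)
        q = math.sin(theta) + dc.imag + rng.gauss(0, noise)
        out.append(complex(i, q))
    return out

def measure(samples):
    """Return (cfo_hz, iq_offset, iq_gain_ratio) estimated from I/Q samples."""
    n = len(samples)
    # I/Q offset: the centre of the samples is shifted away from the origin.
    offset = sum(samples) / n
    centred = [s - offset for s in samples]
    # CFO: average phase advance per sample (lag-1 autocorrelation), in Hz.
    acc = sum(b * a.conjugate() for a, b in zip(centred, centred[1:]))
    cfo = cmath.phase(acc) * FS / (2 * math.pi)
    # I/Q imbalance (amplitude part only): the I and Q branches differ in gain.
    rms_i = math.sqrt(sum(s.real ** 2 for s in centred) / n)
    rms_q = math.sqrt(sum(s.imag ** 2 for s in centred) / n)
    return cfo, offset, rms_i / rms_q

# Two constructed transmitters sending the same (empty) content.
DEVICE_A = measure(impaired_tone(25_000, complex(0.02, -0.01), 1.05))
DEVICE_B = measure(impaired_tone(-12_000, complex(-0.015, 0.005), 0.97, seed=1))

if __name__ == "__main__":
    for name, (cfo, off, ratio) in (("A", DEVICE_A), ("B", DEVICE_B)):
        print(f"{name}: CFO={cfo:9.0f} Hz  offset={off:.4f}  I/Q gain={ratio:.3f}")
```

The lag-1 estimate is slightly biased by the gain imbalance, so the recovered CFO lands a few tens of Hz from the value used to build the samples.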

femto | 3 years ago

Section IV of the paper, "Challenges", is interesting reading. As expected, CFO displays a strong temperature dependence, causing wrong identifications. Further, I/Q characteristics tend to be close for a given chipset, so I/Q imperfections are more or less identifying the chipset. It's easy to detect different models of phone, but harder to detect individual phones. It doesn't strike me as a serious threat (yet).

A fun exercise would be to synthesise the detection of all phones in the area. By monitoring CFO over a period of time for lots of phones distributed over an area, maybe it would be possible to build a temperature profile of the area under surveillance and compensate the CFO measurements for temperature. Whilst crystals do drift with temperature, the frequency of a given crystal is highly repeatable as a function of temperature.

mleonhard | 3 years ago

Does this mean that a listener can know whether the phone is indoors, outdoors, in a warm pocket, or held in the hand?