> We’ve normalised the idea that Bluetooth is always on. Phones, laptops, smartwatches, headphones, cars, and even medical devices constantly broadcast their presence. The standard response to privacy concerns is usually “nothing to hide, nothing to fear.”
I guess anything you send out can be used to profile you.
Some of my friends live on a farm near a semi busy road, however far enough from other farms to not be able to receive their wifi. They showed me their router logging all the wifi accesspoints that appear/disappear. There where A LOT of access points named "Audi", "BMW", "Tesla" etc. similar to those devices leaking bluetooth data. We had a discussion that it would be easy to determine who was passing by at what times due to these especially when you can "de-anonymize" the data for example link it to a numberplate.
I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at.
You can do this for much cheaper - all four of your tires are broadcasting a unique ID to report tire pressure, the radio to pick it up is cheap (because cars), and TPMS has no facility to randomize or otherwise secure this.
It’s actually even easier, your car has a plate on the front with a unique ID that a camera scans, often to automatically track your park time for ticketing.
I can’t really care about obscure Bluetooth tracking when every business has CCTV doing facial recognition.
Not all cars have active TPMS. my Volvo xc90 had them but in later models they switched back to passive ones. So it is not even a given for higher end models.
>There where A LOT of access points named "Audi", "BMW", "Tesla" etc.
That's one of the funniest things about wardriving with Wigle on your phone. I can often see the SSID of "Jennifer's Equinox", "Jacks Suburban" right after I get cut off by someone in said vehicle. The vast majority of car bluetooth/wifi I see tends to have varying amounts of identifying information. It's almost as bad as the fact that apple still defaults to Jacks iPhone/iPad etc with no option to rename the device until you've finished setting it up.
Companies are not out to protect us with default settings and the majority of users need to wake up to this fact.
This might just be me being uninformed as someone who doesn't drive but how are you seeing what wifi networks are available so quickly right after being cut off? My very naive instinct is that looking at your phone or opening up a menu with the available wifi networks on your car's display seems like it would require a noticeable decrease in attention to the road, so I'd almost expect an uptick in being cut off from other people who are annoyed with your driving.
Small town, phone is on a dash mounted holder. Sometimes I leave Wigle up just to eye every now and then to see how much crap I'm picking up while war driving.
I am not without sin when it comes to driving a car.
> I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at
In the EU this is forbidden unless they explicitly ask your permission. They can still gather aggregate stats but they cannot build a profile on you.
Don't worry about Tesla's being tracked. Via Bluetooth this has existed for at least 7 years [1] (was mentioned on HN as well). Tesla know (also for 7 years), Musk doesn't care 'since license plates can also be tracked'.
I used it in train stations, and get hits when passing highways via train or bus. Esp. fun if you stand still due to traffic lights or traffic jam, since you can try to get a visual.
The only lesson to be learned here is that it allowed one to learn in 2019 Musk is overrated. But you can also learn that lesson from the book The PayPal Wars which predates this by 15 years.
> I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at.
> We had a discussion that it would be easy to determine who was passing by at what times due to these especially when you can "de-anonymize" the data for example link it to a numberplate.
You could also read the numberplate directly with OpenALPR. It can be finicky to set up a camera to do this reliably in all conditions (particularly at night and high speed) but once done you could detect any car passing, not just ones with wifi access points.
When the law requires us to have numberplates, I think this just has to be considered public information for anyone who is nearby or can leave a camera nearby. It's not ideal to leak it in additional forms that might be easier for people to grab (say, with an ESP32), but it's a matter of degree rather than of kind.
But yeah, I'm with you on some of these others, particularly the medical devices. That's not great.
There's a difference between public and Public. I go outside with my face visible and I don't mind if my neighbors see me. I do mind if my neighbors stand outside my door with a notepad sketching faces every time they see me or anyone else, especially if they're selling the data. Systematic tracking that isn't subject to the constraints of human memory and apathy fundamentally changes the equation.
> Systematic tracking that isn't subject to the constraints of human memory and apathy fundamentally changes the equation.
I definitely don't approve of mass collection across many cameras, accessible to who-knows-who with minimal if any privacy controls (Flock). But it wouldn't surprise or bother me if my next-door neighbor had ALPR enabled, as long as it's not part of that cloud. YMMV.
Full disclosure: I develop an open source home/hobbyist-oriented NVR, although it doesn't have an ALPR feature or any other analytics today.
There's an Android app that can find devices, make profiles, and you can track location for as long as they're connected. So you can profile passerbys and even get notified when the profile passes through again. I forgot what is was called
Years ago when BT beacons were newish, I was talking to an AdTechBro that wanted to create the ability from Minority Report where the kiosk recognizes a user, not by eye scans but by recognizing mobile device, so they could offer a personalized whatever. The creepiness wasn't something they eased into. It was pretty much instant.
> I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at.
Yes, I remember Cisco had a product like this all the way back in 2011. They could pinpoint a customer to an exact position inside a store using triangulation, they would know which shelf you spent time in front of etc. In the 15 years since then, I expect the technology is much scarier and intrusive.
I have the opposite experience: GrapheneOS has an option to automatically turn your bluetooth off after a configurable period of not being used. So when I need to use bluetooth, I turn it on like normal. Then, without thinking about it, it automatically turns off. The end result is my bluetooth is only ever on for a couple hours each month when I'm making phone calls.
With iOS the easiest way to make sure it off and stays off is to build a shortcut to cut off wifi/bluetooth. Otherwise it's typically off until you get geolocated as being back home/work and wifi comes back on.
I have a "store mode" button that just kills wifi/bt that I hit before I go into any store.
Peace of mind that I'm not being tracked around the store by wifi/bt, and/or having my device fingerprinted for further identification on future visits.
> even medical devices constantly broadcast their presence
I mean yes, said medical devices are a whole lot less useful to me if they are not transmitting data. For some of this stuff you can't have your cake and eat it too.
I was wardriving my neighborhood and realized my elderly neighbor's CPAP machine is broadcasting some type of BT signal 24/7. I imagine it's transmitting some important stats, but it did make me have a 2nd thought about medical devices being IoT or BT enabled.
Please don’t conflate these two. I have lots of BLE wearables and other sensors. They only send data to my own computer which I control, unlike IoT devices which by definition send to a third party on the Internet. To me it is far more important to protect against strangers on the Internet versus someone wardriving the neighborhood.
On a related note, did you know that EU has a Radio Equipment Directive (RED 2014/53/EU) that came into effect in 2025. It all but guarantees that such Bluetooth communication will be encrypted.
> I have lots of BLE wearables and other sensors. They only send data to my own computer which I control
That's perhaps technically correct, but a naive interpretation of the risk. I don't need to see the data your BLE devices are sending you, all I need is traffic analysis and meta data from the signals they are broadcasting - and they broadcast that to anyone within detection range which includes attackers with much higher gain antennas than you who can likely pick up those broadcasts at ten times the distance any of your devices will communicate at.
"Flying helicopters low and slow over the Tucson desert in Arizona, the FBI has been using "signal sniffers" to try to locate Nancy Guthrie's pacemaker.
As the search for the 84-year-old mother of US Today show anchor Savannah Guthrie entered its third week, investigators took to the sky with advanced bluetooth technology.
They were hoping to pick up signals emitted from the device implanted in Ms Guthrie's chest to help trace her whereabouts, US media outlets NewsNation and Fox News reported."
Because these BLE devices are so cheap that they don’t have storage. And BLE transmission is already very power efficient: the power consumption of BLE is probably the same order of magnitude as powering flash storage.
There’s a middle ground here. There is no technical reason a pacemaker constantly broadcasts itself - there is ways to allow communication to such devices without yelling your name all the time. And there is definitely no reason for such a name to be a unique identifier.
Tangential, sort of: in the early days of mobile phones for the masses, when there was no WiFi/3G in the underground, I will often enable Bluetooth in my phone, look for nearby devices and try to match names and looks.
That was before everyone had their "John's IPhone" or "Samsung A55" boring names everywhere and some of us cared to personalise our device's name.
2006, sat in a job interview. Interviewer says he'll Bluetooth over a file to me - what's by phone's name?
2006, the year that Tool's 10,000 Days had been released, which I was enjoying and, being a bit of an Edge Lord, I'd named my device after a lyric from Vicarious - which, IIRC fit perfectly into the name space and made me very happy:
Yeah, but it stopped pretty soon stores figured out that they could flood you with advertisements over Bluetooth. In some places it was bad enough that I had to turn off Bluetooth.
How did this play out? Were the ads from an app from the store that you had installed? Or did they spam you over SMS because they associated your bluetooth info with an account you have with the store, or contact info they bought from a third party?
> Were the ads from an app from the store that you had installed?
This is my main concern over installing apps in general but specifically store apps. I've noticed that grocery stores are moving past existing loyalty cards and want you to use their apps for exclusively available digital coupons. The prices I'm seeing are very compelling and are on top of existing loyalty card discounts, and I could see lots of people using the app because of it. The assumed amount of abuse keeps me from lemminging my way through the store.
It was interesting to see what people named stuff as even back then I figured you could use that metadata for tracking devices...but even more interesting was looking at the Mac address to see the manufacturer and try and find some rare or cool device.
This is not very different from collecting visual cues. You can notice a delivery van arriving. You can see the driver's face, same with passers-by. The biggest difference is that a camera needs to be more conspicuous, while a BT receiver can be invisible and undetectable. Much cheaper, too.
I have an ESP32 Cam in front of me right now. I think I paid maybe 8 bucks for it. If I wanted to, I could very easily hide the tiny camera in my front door, and use it to both collect bluetooth and wifi metadata (including MAC addresses) and correlate images/faces to MAC addresses when people pass by close enough so that I can identify them later from longer range wifi/ble detections.
(I actually do plan to install this at my front door, but aimed mainly to detect when a deliver/parcel in on my doorstep, and I don't (yet?) plan on sniffing bluetooth/wifi with it)
The part about passively detecting delivery driver patterns from a home office is wild. I knew BLE was chatty but being able to correlate device pairs (phone + watch) to build movement profiles with just a Pi is genuinely unsettling. Makes me want to audit which of my devices are broadcasting when they don't need to be.
Ring: thank you for the idea, "Introducing Ring Face-Off, face masks covering faces during a break-in is no an issue for Ring, we will track the thieves until they reveal their face to our Ring network."
For immediate release: BLE N95 Facemasks Inc (YCombinator Summer 2025) is proud to come out of stealth mode and announce our acquisition by Ring. This follows a major private angel investment by Palintir with a post money valuation of $500 million.
Bluetooth desperately needs mac randomization. Wifi mac randomization is welcome, but it doesn't do much when many (most?) people have bluetooth accessories broadcasting a persistent identifier whenever they're on.
Bluetooth already has a well developed MAC randomization scheme.
Lookup "resolvable private address". The short of it is, your phone can find your headphones or vice-versa, despite one or both having random addresses. The addresses can be regenerated or rotate at an interval (say 15 minutes). The first part of the address is a nonce (pRand), and the rest of the address is a 24-bit hash of pRand with an identity resolving key (IRK). So the other party just listens passively for addresses, and sees if any of them happen to have the right hash.
I don't think this is as airtight as people think it is. Certainly, if you are following somebody and one address disappears right as another appears (rotation), it's quite easy to infer the new/old addresses belong to one device. I tried briefly to convince the Android developers to synchronize that rotation globally.
You can also probably infer that if you see a pair of random MACs arrive, and they have a certain pattern of timing and payload size, you can say with some certainty that they are particular devices, say an iPhone and an Apple Watch. But that requires sophisticated equipment since most Bluetooth LE communication is over a non-cryptographic frequency hopping arrangement.
Lastly, radio fingerprinting is widely known in academia, but requires special equipment.
> Lookup "resolvable private address". The short of it is, your phone can find your headphones or vice-versa, despite one or both having random addresses.
Is that just for the connection phase? Or does it then start publicly broadcasting a persistent MAC onced it's connected, so if you earbuds or watch are connected and communicating with your phoine, would a sniffer see a persisten MAC address or the session randomised one?
That's a problam (one of many problems) with WiFi MAC address randomisation - you can sniff the network names a phone is trying to connect to, then stand up a wifi access point with one of those names and the phone will reveal its real MAC address when it connects. I experimented a long time back with having a raspi that broadcast itself as a McDonalds free wifi access point, a huge number of phones would try to connect while I was out in public with it.
>That's a problam (one of many problems) with WiFi MAC address randomisation - you can sniff the network names a phone is trying to connect to, then stand up a wifi access point with one of those names and the phone will reveal its real MAC address when it connects.
That's not how mac address randomization works now for both android and ios. Both connects with a randomized mac as well, which might be persistent per-network, but it still heavily hampers data collection. For ios specifically, it also seems to have some sort of heuristic to detect which network names are common/guessable, and use a rotating mac for those. Moreover "you can sniff the network names a phone is trying to connect to" isn't really a thing unless the network is using hidden ssid, which isn't the default for almost all routers.
I can assure you this has been talked about and is known and it's why you still find a headset port on devices handed out to government officials, though most of them ignore the advice to not use bluetooth.
About 10 years ago i had HomeAssistant running and thacking my bluetooth devices. It does so per default by jus memorizing a mac adress an recording when it's visible and when not. No need for pairing or anythung. It also stores the custom name if available.
Anyway, the default dashboard also automatically generated a view when my neighbours "Katie's iPhone' was at home and when not, until I actively deleted it and the data it stored.
I suspect the e-scooters left around town (Lime, Bird, etc) are massive Bluetooth / LoRa dragnets. You pay them to increase coverage or visibility to social hot spots.
ran something similar on a home network once and was surprised how many of my neighbors' devices showed up with full manufacturer names and model numbers. you don't even need to try hard.
In my experience, just fine. I recently ran a large (~30k) marathon and my AirPods and watch never glitched once, streaming the whole time including in the packed start corrals. I had the same thought about RF contention, but Bluetooth didn't seem to care.
I read an article in 2012 about the feds (DHS?) placing Bluetooth enabled devices along I5 in Seattle. They were able to make profiles of people based on what Bluetooth devices they had in their cars. Is anyone familiar with this? I've periodically tried to Google it and can't find anything about it
Possible, but they buy data from the carriers with similar profile possibilities. The DEA operates long standing and pervasive surveillance in “drug corridors” like I-95 from Maine to Miami. They do things like LPR and grabbing passenger pictures.
If Bluetooth is used, it may be a way to get a count of passengers or if the passengers change. I know based on newspaper accounts that they are particularly interested in cars that stop in Philly or Baltimore.
This stuff is frequently used against cops too so they may use the tech in similar ways. If you’re someone worried about getting raided, spotting a large number of new signals at the front door is an early warning potentially.
I remember an art exhibit by an online privacy activist made where it’d ping people’s phones to get a list of “known WiFi networks” and then display them on a screen in a room.
Each person would get a unique fingerprint of named network locations
I guess anything you send out can be used to profile you.
Some of my friends live on a farm near a semi busy road, however far enough from other farms to not be able to receive their wifi. They showed me their router logging all the wifi accesspoints that appear/disappear. There where A LOT of access points named "Audi", "BMW", "Tesla" etc. similar to those devices leaking bluetooth data. We had a discussion that it would be easy to determine who was passing by at what times due to these especially when you can "de-anonymize" the data for example link it to a numberplate.
I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at.
I can’t really care about obscure Bluetooth tracking when every business has CCTV doing facial recognition.
https://rfid.michelin.com/what-is-rfid/
That's one of the funniest things about wardriving with Wigle on your phone. I can often see the SSID of "Jennifer's Equinox", "Jacks Suburban" right after I get cut off by someone in said vehicle. The vast majority of car bluetooth/wifi I see tends to have varying amounts of identifying information. It's almost as bad as the fact that apple still defaults to Jacks iPhone/iPad etc with no option to rename the device until you've finished setting it up.
Companies are not out to protect us with default settings and the majority of users need to wake up to this fact.
I am not without sin when it comes to driving a car.
It can be done, relatively easily.
In the EU this is forbidden unless they explicitly ask your permission. They can still gather aggregate stats but they cannot build a profile on you.
I used it in train stations, and get hits when passing highways via train or bus. Esp. fun if you stand still due to traffic lights or traffic jam, since you can try to get a visual.
The only lesson to be learned here is that it allowed one to learn in 2019 Musk is overrated. But you can also learn that lesson from the book The PayPal Wars which predates this by 15 years.
> I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at.
Not allowed in EU.
[1] https://www.teslaradar.com/
I'm surprised, I know for a fact that some stores definitely have the ability to do that on their hardware.
You could also read the numberplate directly with OpenALPR. It can be finicky to set up a camera to do this reliably in all conditions (particularly at night and high speed) but once done you could detect any car passing, not just ones with wifi access points.
When the law requires us to have numberplates, I think this just has to be considered public information for anyone who is nearby or can leave a camera nearby. It's not ideal to leak it in additional forms that might be easier for people to grab (say, with an ESP32), but it's a matter of degree rather than of kind.
But yeah, I'm with you on some of these others, particularly the medical devices. That's not great.
I definitely don't approve of mass collection across many cameras, accessible to who-knows-who with minimal if any privacy controls (Flock). But it wouldn't surprise or bother me if my next-door neighbor had ALPR enabled, as long as it's not part of that cloud. YMMV.
Full disclosure: I develop an open source home/hobbyist-oriented NVR, although it doesn't have an ALPR feature or any other analytics today.
i like that a lot, brother, thank you!
https://github.com/BLE-Research-Group/MetaRadar
https://f-droid.org/packages/f.cking.software
Yes, I remember Cisco had a product like this all the way back in 2011. They could pinpoint a customer to an exact position inside a store using triangulation, they would know which shelf you spent time in front of etc. In the 15 years since then, I expect the technology is much scarier and intrusive.
Ever been in an Apple store? Look up. In the dark voids between the edge-to-edge backlit ceiling. There are secrets there. Watching you.
Edit: iOS
I have a "store mode" button that just kills wifi/bt that I hit before I go into any store.
There is also a Bluetooth shutoff app on F-Droid.
https://f-droid.org/en/packages/com.mystro256.autooffbluetoo...
I have also put an Airtag clone in my car (Loshall in iOS mode). That is probably leaking my arrival times. My water meter is also now bluetooth.
Many places do this. The department stores in the mall, target, even grocery stores do it.
I mean yes, said medical devices are a whole lot less useful to me if they are not transmitting data. For some of this stuff you can't have your cake and eat it too.
Please don’t conflate these two. I have lots of BLE wearables and other sensors. They only send data to my own computer which I control, unlike IoT devices which by definition send to a third party on the Internet. To me it is far more important to protect against strangers on the Internet versus someone wardriving the neighborhood.
On a related note, did you know that EU has a Radio Equipment Directive (RED 2014/53/EU) that came into effect in 2025. It all but guarantees that such Bluetooth communication will be encrypted.
That's perhaps technically correct, but a naive interpretation of the risk. I don't need to see the data your BLE devices are sending you, all I need is traffic analysis and meta data from the signals they are broadcasting - and they broadcast that to anyone within detection range which includes attackers with much higher gain antennas than you who can likely pick up those broadcasts at ten times the distance any of your devices will communicate at.
"Flying helicopters low and slow over the Tucson desert in Arizona, the FBI has been using "signal sniffers" to try to locate Nancy Guthrie's pacemaker.
As the search for the 84-year-old mother of US Today show anchor Savannah Guthrie entered its third week, investigators took to the sky with advanced bluetooth technology.
They were hoping to pick up signals emitted from the device implanted in Ms Guthrie's chest to help trace her whereabouts, US media outlets NewsNation and Fox News reported."
https://www.abc.net.au/news/2026-02-16/nancy-guthrie-pacemak...
That was before everyone had their "John's IPhone" or "Samsung A55" boring names everywhere and some of us cared to personalise our device's name.
Anyone else played this game?
2006, sat in a job interview. Interviewer says he'll Bluetooth over a file to me - what's by phone's name?
2006, the year that Tool's 10,000 Days had been released, which I was enjoying and, being a bit of an Edge Lord, I'd named my device after a lyric from Vicarious - which, IIRC fit perfectly into the name space and made me very happy:
> ILikeToWatchThingsDie
Excellent. Still got the job though!
"[Agency-acronym] Surveillance Van #43/44/etc.."
This is my main concern over installing apps in general but specifically store apps. I've noticed that grocery stores are moving past existing loyalty cards and want you to use their apps for exclusively available digital coupons. The prices I'm seeing are very compelling and are on top of existing loyalty card discounts, and I could see lots of people using the app because of it. The assumed amount of abuse keeps me from lemminging my way through the store.
It was interesting to see what people named stuff as even back then I figured you could use that metadata for tracking devices...but even more interesting was looking at the Mac address to see the manufacturer and try and find some rare or cool device.
https://en.wikipedia.org/wiki/Bluejacking
(I actually do plan to install this at my front door, but aimed mainly to detect when a deliver/parcel in on my doorstep, and I don't (yet?) plan on sniffing bluetooth/wifi with it)
Bluetooth already has a well developed MAC randomization scheme.
Lookup "resolvable private address". The short of it is, your phone can find your headphones or vice-versa, despite one or both having random addresses. The addresses can be regenerated or rotate at an interval (say 15 minutes). The first part of the address is a nonce (pRand), and the rest of the address is a 24-bit hash of pRand with an identity resolving key (IRK). So the other party just listens passively for addresses, and sees if any of them happen to have the right hash.
I don't think this is as airtight as people think it is. Certainly, if you are following somebody and one address disappears right as another appears (rotation), it's quite easy to infer the new/old addresses belong to one device. I tried briefly to convince the Android developers to synchronize that rotation globally.
You can also probably infer that if you see a pair of random MACs arrive, and they have a certain pattern of timing and payload size, you can say with some certainty that they are particular devices, say an iPhone and an Apple Watch. But that requires sophisticated equipment since most Bluetooth LE communication is over a non-cryptographic frequency hopping arrangement.
Lastly, radio fingerprinting is widely known in academia, but requires special equipment.
Is that just for the connection phase? Or does it then start publicly broadcasting a persistent MAC onced it's connected, so if you earbuds or watch are connected and communicating with your phoine, would a sniffer see a persisten MAC address or the session randomised one?
That's a problam (one of many problems) with WiFi MAC address randomisation - you can sniff the network names a phone is trying to connect to, then stand up a wifi access point with one of those names and the phone will reveal its real MAC address when it connects. I experimented a long time back with having a raspi that broadcast itself as a McDonalds free wifi access point, a huge number of phones would try to connect while I was out in public with it.
That's not how mac address randomization works now for both android and ios. Both connects with a randomized mac as well, which might be persistent per-network, but it still heavily hampers data collection. For ios specifically, it also seems to have some sort of heuristic to detect which network names are common/guessable, and use a rotating mac for those. Moreover "you can sniff the network names a phone is trying to connect to" isn't really a thing unless the network is using hidden ssid, which isn't the default for almost all routers.
Anyway, the default dashboard also automatically generated a view when my neighbours "Katie's iPhone' was at home and when not, until I actively deleted it and the data it stored.
https://www.reddit.com/r/homeassistant/comments/1306pcw/home...
Even wilder would be to buy data on you in real time and display that.
Is there a simple CLI interface that can be redirected or pipelined into other tools ?
> Bluetooth mesh networks—no internet required, no servers, no phone numbers
LLM slop. Both the article and the Python script
Like a marathon mass-start with 10,000 sometimes 20,000 or more people
How does bluetooth handle that? Or it doesn't?
If Bluetooth is used, it may be a way to get a count of passengers or if the passengers change. I know based on newspaper accounts that they are particularly interested in cars that stop in Philly or Baltimore.
This stuff is frequently used against cops too so they may use the tech in similar ways. If you’re someone worried about getting raided, spotting a large number of new signals at the front door is an early warning potentially.
Each person would get a unique fingerprint of named network locations