Bluetooth Tracking
Most people-tracking solutions don’t track the actual person, but rather something that they carry (a ‘tag’). This means that we need to get everyone carrying a tag before we get wide-scale tracking. Bluetooth tracking has emerged as a popular solution because nearly all mobile phones have Bluetooth capabilities. Thus the phone becomes the tag and the deployment problem goes away.
So how does Bluetooth tracking traditionally work? Remember that Bluetooth was designed to connect pairs of devices in close proximity. When two devices are to be paired, the first step is to make one of the devices discoverable. This means that if any other device sends out a Bluetooth search query (effectively asking “who is out there?”), the discoverable device will reply. Once it has been found, a connection can be set up between the two devices.
The idea behind tracking is to keep your phone discoverable and to place a series of other Bluetooth devices (‘base stations’) around the area of interest. These base stations continually query for discoverable devices and report any replies they see back to some central point. They never proceed to the connection phase: they just scan. You are ‘tracked’ because the limited range of Bluetooth means that, if base station B can see your phone, you must be near the position of B.
This is all very well, but there are issues with this approach:
- Keeping a phone discoverable means anyone can ‘see’ your phone, so anyone could potentially track you. Worse, Bluetooth hasn’t proved to be particularly secure, and a discoverable phone is a vulnerable one!
- Some phones cannot be left discoverable indefinitely (by design).
- The base stations constantly scan the Bluetooth radio spectrum, which adversely impacts any ‘real’ Bluetooth connections.
Tracking without Discoverability
In 2009, Simon Hay (a PhD student) and I proposed a possible solution to tracking without relying on phones being discoverable. Look below for the full paper with all the technical details, but here’s the basic idea:
The Bluetooth connection process usually looks like:
- Scan for discoverable devices
- Select device of interest
- Establish a low level ‘L2CAP’ connection
- Negotiate security (passcodes or whatever)
- Establish a full connection
What we’re interested in is step 3. Phones can be instructed to establish an L2CAP connection given only the device ID (the Bluetooth device address, which is analogous to a MAC address in Ethernet). So, whilst a scan is like asking “what discoverable devices are in range?”, attempting an L2CAP connection to device X is like asking “is device X in range?”.
Our solution uses a database of phone IDs and a set of base stations that localise phones through intelligent attempts to establish L2CAP connections. The phones are not discoverable, and users have to opt in to being tracked by supplying their phone’s ID. Note the flip side of this: being non-discoverable hides a phone from scans but not from a targeted connection attempt by someone who already knows its address, so the opt-in database is what confines the probing to consenting users.
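To make the division of labour concrete, here is an added simulation (not code from the paper or from the authors) of the central point and one base-station scan round. The base-station identifiers, device addresses and the “who is in range of whom” table are constructed for the example; the real L2CAP connection attempt is stood in for by a `probe` callable so the logic runs offline. The opt-in registry is enforced at the point where probe targets are chosen, so an address that never opted in is never probed, and a sighting expires after a freshness window so stale reports do not masquerade as a current position.

```python
"""Simulated central point + base-station round for opt-in Bluetooth tracking.

Everything here is constructed for illustration: base IDs, addresses, ranges.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Hypothetical base stations and where they are installed (constructed).
BASE_STATIONS = {"B1": "Library entrance", "B2": "Computer lab", "B3": "Cafe"}

FRESHNESS_S = 30.0  # a sighting older than this no longer counts as a position fix


@dataclass(frozen=True)
class Sighting:
    base_id: str
    device_id: str   # Bluetooth device address, e.g. "AA:BB:CC:DD:EE:01"
    ts: float        # time (seconds) at which the L2CAP probe succeeded


@dataclass
class Tracker:
    """Central point: holds the opt-in registry and the sightings reported by bases."""
    opted_in: Set[str] = field(default_factory=set)
    sightings: List[Sighting] = field(default_factory=list)

    def register(self, device_id: str) -> None:
        self.opted_in.add(device_id.upper())

    def deregister(self, device_id: str) -> None:
        """Withdrawing opt-in also drops history, so no trail is left behind."""
        device_id = device_id.upper()
        self.opted_in.discard(device_id)
        self.sightings = [s for s in self.sightings if s.device_id != device_id]

    def probe_targets(self) -> List[str]:
        """The only addresses a base station is ever allowed to probe."""
        return sorted(self.opted_in)

    def report(self, base_id: str, device_id: str, ts: float) -> bool:
        """Accept a sighting only from a known base about a consenting device."""
        device_id = device_id.upper()
        if base_id not in BASE_STATIONS or device_id not in self.opted_in:
            return False
        self.sightings.append(Sighting(base_id, device_id, ts))
        return True

    def locate(self, device_id: str, now: float) -> Optional[str]:
        """Most recent fresh sighting wins; None if nothing fresh is known."""
        device_id = device_id.upper()
        recent = [s for s in self.sightings
                  if s.device_id == device_id and now - s.ts <= FRESHNESS_S]
        if not recent:
            return None
        return max(recent, key=lambda s: s.ts).base_id


def run_scan_round(tracker: Tracker, base_id: str,
                   probe: Callable[[str], bool], now: float) -> List[str]:
    """One base-station round: try an L2CAP connection to each opted-in address.

    `probe` stands in for the real connection attempt and returns True if the
    device answered. Only addresses from the opt-in registry are ever passed to it.
    """
    seen = []
    for addr in tracker.probe_targets():
        if probe(addr):
            tracker.report(base_id, addr, now)
            seen.append(addr)
    return seen


# Constructed simulation of radio range: which addresses each base can reach.
IN_RANGE = {
    "B1": {"AA:BB:CC:DD:EE:01"},
    "B2": {"AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"},
    "B3": set(),
}


def simulated_probe(base_id: str) -> Callable[[str], bool]:
    return lambda addr: addr in IN_RANGE[base_id]


def demo() -> Dict[str, Optional[str]]:
    t = Tracker()
    t.register("AA:BB:CC:DD:EE:01")
    t.register("AA:BB:CC:DD:EE:03")  # opted in but out of range of every base
    # EE:02 has NOT opted in, so it is never probed even though B2 could reach it.
    run_scan_round(t, "B1", simulated_probe("B1"), now=100.0)
    run_scan_round(t, "B2", simulated_probe("B2"), now=105.0)
    return {
        "01_now": t.locate("AA:BB:CC:DD:EE:01", now=110.0),    # 'B2': most recent fix
        "02_now": t.locate("AA:BB:CC:DD:EE:02", now=110.0),    # None: never probed
        "03_now": t.locate("AA:BB:CC:DD:EE:03", now=110.0),    # None: not in range
        "01_stale": t.locate("AA:BB:CC:DD:EE:01", now=200.0),  # None: sightings expired
    }


if __name__ == "__main__":
    for key, base in demo().items():
        print(key, base, BASE_STATIONS.get(base) if base else "-")
```

Seen by two bases in quick succession, device 01 resolves to the later sighting (B2), which is the simplest form of the “intelligent” localisation the text mentions; a real deployment would also tune `FRESHNESS_S` to the probe round time and stagger the rounds so neighbouring bases do not all try the same address at once.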
Technical Details
You can delve into the gory technical details in the paper: Download PDF