ABSTRACT

Wireless technologies like Bluetooth Low Energy (BLE) and Wi-Fi are essential to the Internet of Things (IoT), facilitating seamless device communication without physical connections. However, this convenience comes at a cost—exposed data exchanges that are susceptible to observation by attackers, leading to serious security and privacy threats such as device tracking. Although protocol designers have traditionally relied on strategies like address and identity randomization as a countermeasure, our research reveals that these attacks remain a significant threat due to a historically overlooked, fundamental flaw in exclusive-use wireless communication. We define exclusive-use as a scenario where devices are designed to provide functionality solely to an associated or paired device. The unique communication patterns inherent in these relationships create an observable boolean side-channel that attackers can exploit to discover whether two devices “trust” each other. This information leak allows for the deanonymization of devices, enabling tracking even in the presence of modern countermeasures. We introduce our tracking attacks as IDBleed and demonstrate that BLE and Wi-Fi protocols that support confidentiality, integrity, and authentication remain vulnerable to deanonymization due to this fundamental flaw in exclusive-use communication patterns. Finally, we propose and quantitatively evaluate a generalized, privacy-preserving mitigation we call Anonymization Layer to find a negligible 2% approximate overhead in performance and power consumption on tested smartphones and PCs.

Christopher Ellis is a PhD candidate at The Ohio State University, researching networking vulnerabilities and privacy technologies under Prof. Zhiqiang Lin. He previously served as Space Cyber Principal Investigator at Battelle and as Sr. Principal Cyber Engineer at Raytheon CODEX, leading multi-disciplinary teams focused on reverse engineering and vulnerability research. In addition to his technical work, he is an active mentor and speaker, guest lecturing at universities and speaking on industry panels.

Before his career in cyber research, Christopher performed for 12 years as a professional ballet dancer, representing the U.S. in international competitions. An avid adventurer and traveler, he is also a certified PADI Divemaster. He is passionate about innovation, problem-solving, and inspiring the next generation of researchers and engineers.