
What Your Bluetooth Devices Reveal About You

How Life Patterns, Location, and Behavior Are Tracked Through BLE Signals Alone

Bluetooth devices continuously broadcast advertising packets to announce their presence. These packets contain the MAC address, the device name ("Jack's iPhone"), the manufacturer ID, BLE service UUIDs (which indicate device types such as heart rate monitors and glucose meters), and signal strength (RSSI).

Bluehood is a Python-based educational BLE scanner developed shortly after KU Leuven researchers disclosed the WhisperPair vulnerability (CVE-2025-36911, enabling remote hijacking/location tracking of hundreds of millions of BT audio devices). It detects nearby devices through passive scanning (listening only, no connections), classifies device types via Vendor+UUID fingerprinting, filters randomized MAC addresses, and logs appearance/disappearance patterns in SQLite. The web dashboard (:8080) visualizes time-based heatmaps, dwell times, and correlated devices (phone+watch pairs that always appear together), with ntfy.sh push notifications for the arrival or departure of specific devices.

Bluehood can be deployed instantly via Docker. The creator ran it in passive mode at home and was able to identify delivery vehicle arrival times and whether it was the same driver, neighbors' commute patterns, and device combinations that appear together. Hearing aids, pacemakers, and vehicle diagnostic modules cannot have BT turned off and broadcast continuously, while even privacy apps like Briar and BitChat require BLE activation, creating the paradox of "the protection tool becomes the exposure path".

Architecture Diagram

BLE Advertising Packet: What is broadcast?

BLE Device: continuously broadcasts without pairing

  • MAC Address: AA:BB:CC:DD:EE:FF
  • Device Name: "Jack's iPhone 15"
  • Manufacturer ID: Apple / Samsung / ...
  • Service UUID: Heart rate / Glucose / ...
  • RSSI (Signal Strength): -40 dBm (close) to -90 dBm (far)

Passive Collection: One Raspberry Pi is enough

  • Broadcasting devices: Smartphone, Watch, Vehicle, Medical
  • BLE Receiver: Raspberry Pi / ESP32, or Laptop + Bluehood
  • SQLite DB: MAC, device name, time, RSSI, dwell time

Pattern Analysis: What metadata reveals

  • Home empty hours: device disappearance pattern
  • Delivery arrival time: same driver identification
  • Visitor patterns: regular visit detection
  • Commute hours: device appear/disappear
  • Device combo (phone + watch): same user identification
  • Movement tracking: already commercial in malls

MAC Randomization: Defense & Bypass

Defense (modern devices)

  • Resolvable Private Address
  • Periodic MAC address rotation
  • iOS/Android native support

Bypass (still trackable)

  • Infer same device via rotation timing
  • Device combo pattern (phone+watch appear together)
  • Medical/vehicles use fixed MAC

Bluehood: BLE Exposure Demo Tool

Educational scanner developed right after KU Leuven WhisperPair vulnerability (CVE-2025-36911) disclosure

  • BLE Passive Scan: listen only, no connection
  • Device Classification: Vendor + UUID fingerprint
  • Random MAC Filter: separate random addresses
  • SQLite Storage: appear/disappear timestamps
  • Web Dashboard: :8080 heatmap/analysis

  • Passive Scan: no connection/interaction
  • Device Classification: Phone/Watch/Vehicle/IoT/Medical
  • Time Heatmap: hourly/daily patterns
  • Dwell Time: time spent per device
  • Associated Device Detection: pairs that always appear together
  • Push Notifications: ntfy.sh integration

# Run directly with Docker
$ git clone https://github.com/dannymcc/bluehood.git
$ cd bluehood && docker compose up -d
# Check dashboard at http://localhost:8080

Devices you can't turn off: Users have no choice

  • Hearing Aids: BLE for remote control/diagnosis
  • Pacemaker: broadcasts even after death
  • Vehicles/Logistics: always-on for diagnostics
  • Smartwatch: can't work without BT
  • Pet GPS: phone connection required

Privacy Paradox: Privacy apps like Briar and BitChat require BLE, so the protection mechanism is the exposure path

Key takeaway: Keeping Bluetooth on = continuously broadcasting your location and lifestyle patterns. Anyone with a Raspberry Pi can collect it.

How It Works

1. BLE devices periodically broadcast advertising packets (including MAC, device name, UUID, RSSI)

2. Bluehood collects packets in passive scan mode: listening only, no connection/interaction (no pairing needed)

3. Auto-classify device types via Vendor ID + BLE service UUID fingerprint (phone/watch/vehicle/medical/IoT)

4. Detect and filter randomized MAC addresses → isolate only fixed MAC devices as tracking targets

5. Record appearance/disappearance timestamps in SQLite, analyze time-based heatmaps, dwell time, and correlated devices

6. Pattern visualization on web dashboard (:8080) + ntfy.sh push notifications for specific device arrival/departure
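
The randomized-versus-fixed address distinction in step 4 can be turned into an exposure audit of your own devices. The sketch below is an added example, not Bluehood's code: it classifies each address by the Bluetooth address sub-type bits and flags identifiers that stay stable. The sample sightings are constructed, and the 900-second rotation budget and the possessive-name check are assumptions.

```python
# Sub-type of a BLE *random* address lives in its two most significant bits.
# Public vs. random is not in the address itself: it is the TxAdd bit of the
# advertising PDU header, passed in here as is_random.
RANDOM_SUBTYPES = {0b11: "random-static", 0b01: "resolvable-private",
                   0b00: "non-resolvable-private", 0b10: "reserved"}

def classify_address(addr, is_random):
    """Return the address type for an 'AA:BB:..' string (MSB octet first)."""
    if not is_random:
        return "public"
    return RANDOM_SUBTYPES[int(addr[:2], 16) >> 6]

def audit(sightings, max_stable_s=900):
    """Map each address that exposes a stable identifier to its findings.

    sightings: iterable of (unix_time, address, is_random, local_name).
    max_stable_s: assumed budget for how long a private address may persist.
    """
    seen = {}
    for ts, addr, is_random, name in sightings:
        d = seen.setdefault(addr, {"kind": classify_address(addr, is_random),
                                   "first": ts, "last": ts, "names": set()})
        d["first"], d["last"] = min(d["first"], ts), max(d["last"], ts)
        if name:
            d["names"].add(name)
    report = {}
    for addr, d in seen.items():
        findings = []
        held = d["last"] - d["first"]
        if d["kind"] in ("public", "random-static"):
            findings.append(f"{d['kind']} address is a stable identifier")
        elif held > max_stable_s:
            findings.append(f"{d['kind']} address unchanged for {held} s")
        if any("'s " in n for n in d["names"]):  # crude possessive heuristic
            findings.append("local name looks like an owner's name")
        if findings:
            report[addr] = findings
    return report

# Constructed sightings of devices you own (not captured data).
SAMPLE = [
    (0,    "00:1A:7D:DA:71:13", False, "HR-Strap"),
    (0,    "C4:12:9B:00:00:01", True,  None),
    (0,    "5E:33:10:AA:BB:01", True,  "Jack's iPhone 15"),
    (600,  "5E:33:10:AA:BB:01", True,  "Jack's iPhone 15"),
    (0,    "7A:90:00:11:22:33", True,  None),
    (3600, "7A:90:00:11:22:33", True,  None),
    (100,  "2C:55:66:77:88:99", True,  None),
]
```

Devices that appear in the report are the ones to reconfigure: rename them to something generic and check whether the vendor offers address rotation.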

Pros

  • Tracking possible with passive collection only (no pairing needed)
  • Implementable with inexpensive equipment (Raspberry Pi, ESP32)
  • More covert than visual surveillance as signals penetrate walls
  • Can identify device type and manufacturer
  • Long-term pattern analysis reveals lifestyle habits

Cons

  • MAC randomization makes tracking newer devices increasingly difficult
  • Limited signal range (Class 2 BLE: ~10m)
  • Difficult to distinguish between devices in dense environments
  • Legal constraints: tracking without explicit consent prohibited in EU, etc.
  • Metadata alone has limitations for personal identification (additional info needed)

Use Cases

  • Shopping mall customer flow tracking (already commercialized)
  • Traffic volume measurement (vehicle speed calculation via BT/EZ-Pass signals)
  • Smart building occupancy detection
  • Theft prevention / lost item tracking (AirTag, Find My)
  • Security audit: checking BLE device exposure within organizations