QIF-T0091

high

BLE physical-layer device fingerprinting (radio frequency imperfection tracking)

Tier 3 — Demonstrated (Lab-proven)

Legacy status: DEMONSTRATED

Every Bluetooth Low Energy (BLE) transmitter has unique analog imperfections in its radio hardware: carrier frequency offset (CFO), I/Q imbalance, power amplifier nonlinearity, and phase noise characteristics. These imperfections are manufacturing artifacts that are stable, unique per device, and impossible to change via software — they are the RF equivalent of a fingerprint. Becker et al. (2022) demonstrated that BLE physical-layer fingerprinting can track devices even when using MAC address randomization (the privacy feature specifically designed to prevent tracking). This defeats Apple's and Google's BLE privacy protections. Attack scenario: passive BLE receivers at strategic locations (malls, airports, streets) fingerprint passing devices. The user's phone continuously advertises BLE (for AirDrop, Find My, COVID exposure notifications), and each advertisement carries the device's unchangeable RF fingerprint. This enables persistent location tracking despite all software-level privacy measures.

Technique Details

Tactic: QIF-S.FP
Status: DEMONSTRATED
Bands: S1, S2, S3

✚ Therapeutic Application

Passive BLE receiver extracts unique physical-layer radio imperfections (CFO, I/Q imbalance) from BLE advertisements to track devices despite MAC address randomization

Neural Impact

3 of 7 neural bands affected

S1 S2 S3

Drag to rotate. Click a region to learn more.

Click or hover over a glowing region to see the attack techniques targeting it and their severity.

Scoring

NISS v1.1 NISS:1.1/BI:N/CR:N/CD:N/CV:I/RV:F/NP:N

CVSS v4.0 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

2.0Low

Governance

Neurorights at Risk

This technique threatens 1 of the 4 proposed neurorights (Ienca & Andorno, 2017).

MP Mental Privacy

Consent Complexity

0.24 / 4.0

FDORA §3305 Compliance

Cyber Device

Regulatory Coverage

0.4 / 1.0

524B Requirements

TM VA SBOM SA PM

Regulatory Gaps

! CVSS partially captures risk; neural dimensions missing
! No FDA pathway for consumer sensor exploitation
! Software-only attack without software lifecycle standard (IEC 62304)

Population Vulnerability

CRB vulnerability adjustment (γ=0.30) accounts for age, diagnosis severity, consent capacity, and device dependency.

Population	NISS Base	Adjusted	Severity	Delta
Adult (Default)	2.0	2.0	Low	-
Child (10yr) + ADHD	2.0	2.4	Low	+0.35
Adult with ALS	2.0	2.3	Low	+0.32

Validation Status

Theoretical / Not yet validated. This technique has not been independently tested. See the validation dashboard for what has been tested.

Qinnovate Neural Security Atlas Edit this on GitHub