Protecting Bluetooth User Privacy Through Obfuscation of Carrier Frequency Offset

This brief presents the analysis, design, and measurement results of an integrated circuit designed to prevent tracking the location of Bluetooth Low Energy (BLE) transmitters. Conventional BLE transmitters have unique RF fingerprints due to variation-induced imperfections in the underlying circuits. Coupled with BLE’s wide adoption in mobile devices and tendency to transmit continuously, BLE has become a significant threat to the location privacy of individual users. The primary source of this privacy threat is that BLE transmitters have a unique Carrier Frequency Offset (CFO) that can be easily fingerprinted by passive adversaries. To combat this, a test chip is developed that pseudo-randomly changes its CFO by switching in a binary-weighted set of semi-identical MIM capacitors into the tank of an $LC$ voltage controlled oscillator, all while maintaining compatibility with BLE standard specifications. Measurement results reveal that privacy preservation can be improved from only a few seconds with a conventional design, to over a day with the proposed design.