Dead on Arrival: An Empirical Study of The Bluetooth 5.1 Positioning System

TL;DR

This study evaluates Bluetooth 5.1's AoA-based positioning accuracy, revealing limitations in angular detection, potential security vulnerabilities, and proposing simple countermeasures to improve system reliability and security.

Contribution

First experimental assessment of Bluetooth 5.1 AoA positioning accuracy, identifying limitations and security issues, and proposing practical remedies for manufacturers.

Findings

Angular detection is limited to a restricted range.

AoA-based positioning can achieve sub-meter accuracy.

Malicious devices can tamper with AoA measurements by packet manipulation.

Abstract

The recently released Bluetooth 5.1 specification introduces fine-grained positioning capabilities in this wireless technology, which is deemed essential to context-/location-based Internet of Things (IoT) applications. In this paper, we evaluate experimentally, for the first time, the accuracy of a positioning system based on the Angle of Arrival (AoA) mechanism adopted by the Bluetooth standard. We first scrutinize the fidelity of angular detection and then assess the feasibility of using angle information from multiple fixed receivers to determine the position of a device. Our results reveal that angular detection is limited to a restricted range. On the other hand, even in a simple deployment with only two antennas per receiver, the AoA-based positioning technique can achieve sub-meter accuracy; yet attaining localization within a few centimeters remains a difficult endeavor. We then demonstrate that a malicious device may be able to easily alter the truthfulness of the measured AoA, by tampering with the packet structure. To counter this protocol weakness, we propose simple remedies that are missing in the standard, but which can be adopted with little effort by manufacturers, to secure the Bluetooth 5.1 positioning system.