> Bluetooth mesh networks—no internet required, no servers, no phone numbers
LLM slop. Both the article and the Python script
That was before everyone had their "John's IPhone" or "Samsung A55" boring names everywhere and some of us cared to personalise our device's name.
Anyone else played this game?
I guess anything you send out can be used to profile you.
Some of my friends live on a farm near a semi busy road, however far enough from other farms to not be able to receive their wifi. They showed me their router logging all the wifi access points that appear/disappear. There were A LOT of access points named "Audi", "BMW", "Tesla" etc. similar to those devices leaking bluetooth data. We had a discussion that it would be easy to determine who was passing by at what times due to these especially when you can "de-anonymize" the data for example link it to a numberplate.
I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at.
Anyway, the default dashboard also automatically generated a view when my neighbour's "Katie's iPhone" was at home and when not, until I actively deleted it and the data it stored.
Even wilder would be to buy data on you in real time and display that.
Is there a simple CLI interface that can be redirected or pipelined into other tools?
Like a marathon mass-start with 10,000 sometimes 20,000 or more people
How does bluetooth handle that? Or it doesn't?
"[Agency-acronym] Surveillance Van #43/44/etc.."
2006, sat in a job interview. Interviewer says he'll Bluetooth over a file to me - what's my phone's name?
2006, the year that Tool's 10,000 Days had been released, which I was enjoying and, being a bit of an Edge Lord, I'd named my device after a lyric from Vicarious - which, IIRC fit perfectly into the name space and made me very happy:
> ILikeToWatchThingsDie
Excellent. Still got the job though!
It was interesting to see what people named stuff as even back then I figured you could use that metadata for tracking devices...but even more interesting was looking at the MAC address to see the manufacturer and try and find some rare or cool device.
(I actually do plan to install this at my front door, but aimed mainly to detect when a delivery/parcel is on my doorstep, and I don't (yet?) plan on sniffing bluetooth/wifi with it)
https://www.reddit.com/r/homeassistant/comments/1306pcw/home...
Many places do this. The department stores in the mall, target, even grocery stores do it.
In the EU this is forbidden unless they explicitly ask your permission. They can still gather aggregate stats but they cannot build a profile on you.
Bluetooth already has a well developed MAC randomization scheme.
Look up "resolvable private address". The short of it is, your phone can find your headphones or vice-versa, despite one or both having random addresses. The addresses can be regenerated or rotate at an interval (say 15 minutes). The first part of the address is a nonce (pRand), and the rest of the address is a 24-bit hash of pRand with an identity resolving key (IRK). So the other party just listens passively for addresses, and sees if any of them happen to have the right hash.
I don't think this is as airtight as people think it is. Certainly, if you are following somebody and one address disappears right as another appears (rotation), it's quite easy to infer the new/old addresses belong to one device. I tried briefly to convince the Android developers to synchronize that rotation globally.
You can also probably infer that if you see a pair of random MACs arrive, and they have a certain pattern of timing and payload size, you can say with some certainty that they are particular devices, say an iPhone and an Apple Watch. But that requires sophisticated equipment since most Bluetooth LE communication is over a non-cryptographic frequency hopping arrangement.
Lastly, radio fingerprinting is widely known in academia, but requires special equipment.
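The resolvable-private-address check described in the comment above, as an added example that is not part of the thread or of Bluehood. The function names are hypothetical, AES-128 is written out inline only to keep the block dependency-free (real code would call a vetted crypto library), and the IRK and first address are the ah() sample data from the Bluetooth Core Specification while the other two addresses are constructed.

```python
def _xtime(a):                      # multiply by 2 in GF(2^8)
    return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF

def _sbox():                        # generate the AES S-box instead of embedding 256 bytes
    box, p, q = [0x63] * 256, 1, 1
    while True:
        p ^= _xtime(p)                                    # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF  # q /= 3
        q ^= 0x09 if q & 0x80 else 0
        x = q * 0x101                                     # q twice: shifts act as rotations
        box[p] = (x ^ x >> 4 ^ x >> 5 ^ x >> 6 ^ x >> 7) & 0xFF ^ 0x63
        if p == 1:
            return box

SBOX = _sbox()

def aes128_encrypt_block(key, block):
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):                                # key schedule
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    rk = [sum(w[r:r + 4], []) for r in range(0, 44, 4)]   # 11 round keys
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if r < 10:                                        # MixColumns
            t = [s[c] ^ s[c + 1] ^ s[c + 2] ^ s[c + 3] for c in (0, 4, 8, 12)]
            s = [s[i] ^ t[i // 4] ^ _xtime(s[i] ^ s[i - i % 4 + (i + 1) % 4]) for i in range(16)]
        s = [b ^ k for b, k in zip(s, rk[r])]
    return bytes(s)

def ah(irk, prand):
    """Spec function ah: low 24 bits of AES-128(irk, 13 zero bytes || prand)."""
    return aes128_encrypt_block(irk, bytes(13) + prand)[-3:]

def resolve_rpa(address, irk):
    """True if address (as displayed, MSB first) was generated from irk."""
    raw = bytes.fromhex(address.replace(":", ""))
    if len(raw) != 6 or raw[0] >> 6 != 0b01:   # top two bits 01 mark an RPA
        return False
    return ah(irk, raw[:3]) == raw[3:]

# ah() sample data from the Bluetooth Core Specification; IRK written MSB first.
IRK = bytes.fromhex("ec0234a357c8ad05341010a60a397d9b")
SEEN = ["70:81:94:0D:FB:AA", "70:81:94:0D:FB:AB", "C4:12:F3:5A:00:01"]  # constructed
MATCHES = [a for a in SEEN if resolve_rpa(a, IRK)]
```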
That's one of the funniest things about wardriving with Wigle on your phone. I can often see the SSID of "Jennifer's Equinox", "Jacks Suburban" right after I get cut off by someone in said vehicle. The vast majority of car bluetooth/wifi I see tends to have varying amounts of identifying information. It's almost as bad as the fact that Apple still defaults to Jacks iPhone/iPad etc with no option to rename the device until you've finished setting it up.
Companies are not out to protect us with default settings and the majority of users need to wake up to this fact.
I used it in train stations, and get hits when passing highways via train or bus. Esp. fun if you stand still due to traffic lights or traffic jam, since you can try to get a visual.
The only lesson to be learned here is that it allowed one to learn in 2019 Musk is overrated. But you can also learn that lesson from the book The PayPal Wars which predates this by 15 years.
> I believe shopping malls often use such signals (wifi, bluetooth) to track what your travel pattern through the mall is. They know what section of the store you spend most of your time in and what storefronts you stall at.
Not allowed in EU.
There is also a Bluetooth shutoff app on F-Droid.
https://f-droid.org/en/packages/com.mystro256.autooffbluetoo...
I have also put an Airtag clone in my car (Loshall in iOS mode). That is probably leaking my arrival times. My water meter is also now bluetooth.
If Bluetooth is used, it may be a way to get a count of passengers or if the passengers change. I know based on newspaper accounts that they are particularly interested in cars that stop in Philly or Baltimore.
This stuff is frequently used against cops too so they may use the tech in similar ways. If you’re someone worried about getting raided, spotting a large number of new signals at the front door is an early warning potentially.
Each person would get a unique fingerprint of named network locations
I can’t really care about obscure Bluetooth tracking when every business has CCTV doing facial recognition.
It can be done, relatively easily.
I'm surprised, I know for a fact that some stores definitely have the ability to do that on their hardware.
You could also read the numberplate directly with OpenALPR. It can be finicky to set up a camera to do this reliably in all conditions (particularly at night and high speed) but once done you could detect any car passing, not just ones with wifi access points.
When the law requires us to have numberplates, I think this just has to be considered public information for anyone who is nearby or can leave a camera nearby. It's not ideal to leak it in additional forms that might be easier for people to grab (say, with an ESP32), but it's a matter of degree rather than of kind.
But yeah, I'm with you on some of these others, particularly the medical devices. That's not great.
Yes, I remember Cisco had a product like this all the way back in 2011. They could pinpoint a customer to an exact position inside a store using triangulation, they would know which shelf you spent time in front of etc. In the 15 years since then, I expect the technology is much scarier and intrusive.
Is that just for the connection phase? Or does it then start publicly broadcasting a persistent MAC once it's connected, so if your earbuds or watch are connected and communicating with your phone, would a sniffer see a persistent MAC address or the session randomised one?
That's a problem (one of many problems) with WiFi MAC address randomisation - you can sniff the network names a phone is trying to connect to, then stand up a wifi access point with one of those names and the phone will reveal its real MAC address when it connects. I experimented a long time back with having a raspi that broadcast itself as a McDonalds free wifi access point, a huge number of phones would try to connect while I was out in public with it.
Building Bluehood, a Bluetooth scanner that reveals what information we leak just by having Bluetooth enabled on our devices.
If you’ve read much of this blog, you’ll know I have a thing for privacy. Whether it’s running my blog over Tor, blocking ads network-wide with AdGuard, or keeping secrets out of my dotfiles with Proton Pass, I tend to think carefully about what data I’m exposing and to whom.
Last weekend I built Bluehood, a Bluetooth scanner that tracks nearby devices and analyses their presence patterns. The project was heavily assisted by AI, but the motivation was entirely human: I wanted to understand what information I was leaking just by having Bluetooth enabled.
The timing felt right. A few days ago, researchers at KU Leuven disclosed WhisperPair (CVE-2025-36911), a critical vulnerability affecting hundreds of millions of Bluetooth audio devices. The flaw allows attackers to hijack headphones and earbuds remotely, eavesdrop on conversations, and track locations through Google’s Find Hub network. It’s a stark reminder that Bluetooth isn’t the invisible, harmless signal we treat it as.
We’ve normalised the idea that Bluetooth is always on. Phones, laptops, smartwatches, headphones, cars, and even medical devices constantly broadcast their presence. The standard response to privacy concerns is usually “nothing to hide, nothing to fear.”
But here’s the thing: even if you have nothing to hide, you’re still giving away information you probably don’t intend to.
From my home office, running Bluehood in passive mode (just listening, never connecting), I could detect:
None of this required any special equipment. A Raspberry Pi with a Bluetooth adapter would do the job. So would most laptops.
What concerns me most isn’t that people choose to have Bluetooth enabled. It’s that many devices don’t give users the option to disable it.
Hearing aids are a good example. Modern hearing aids often use Bluetooth Low Energy so audiologists can connect and adjust settings or run diagnostics. Pacemakers and other implanted medical devices sometimes broadcast BLE signals for the same reason. The user can’t simply turn this off.
Then there are vehicles. Delivery vans, police cars, ambulances, logistics fleets, and trains often have Bluetooth-enabled systems for fleet management, diagnostics, or driver assistance. These broadcast continuously, and the drivers have no control over it.
Even consumer devices aren’t always straightforward. Many smartwatches need Bluetooth to function at all. GPS collars for pets require it to communicate with the owner’s phone. Some fitness equipment won’t work without it.
What’s interesting is that some of the most privacy-focused projects actually require Bluetooth to be enabled.
Briar is a peer-to-peer messaging app designed for activists and journalists operating in hostile environments. It doesn’t rely on central servers, and when the internet goes down, it can sync messages via Bluetooth or Wi-Fi mesh networks. It’s a genuinely useful tool for maintaining communications during internet blackouts or in areas with heavy surveillance.
BitChat takes this even further. It’s a decentralised messaging app that operates entirely over Bluetooth mesh networks—no internet required, no servers, no phone numbers. Each device acts as both client and relay, automatically discovering peers and bouncing messages across multiple hops to extend the network’s reach. The project explicitly targets scenarios like protests, natural disasters, and regions with limited or censored connectivity.
Both are genuinely excellent projects solving real problems. But to use them, you need Bluetooth enabled. And every device with Bluetooth enabled is broadcasting its presence to anyone nearby who cares to listen.
This creates a strange tension. Tools designed to protect privacy often require a feature that compromises privacy in other ways.
People often underestimate what patterns reveal. A bad actor with a Bluetooth scanner doesn’t need to know your name. They just need to observe behaviour over time.
Consider what someone could learn by monitoring Bluetooth signals in a residential area for a few weeks:
If there’s damage to your property, you could potentially go back through the logs and see which devices were in range at that time. A smartwatch on a dog-walker passing by. A phone in someone’s pocket. A vehicle with fleet tracking.
These might seem like edge cases, but they illustrate a broader point: we’re constantly leaving digital breadcrumbs we don’t even think about.
Bluehood is a Python application that runs on anything with a Bluetooth adapter. It continuously scans for nearby devices, identifies them by vendor and BLE service UUIDs, and tracks when they appear and disappear.
The key features:
You can run it in Docker or install it directly. It stores data in SQLite and optionally sends push notifications via ntfy.sh when watched devices arrive or leave.
The simplest way to try Bluehood is with Docker:
git clone https://github.com/dannymcc/bluehood.git
cd bluehood
docker compose up -d
The dashboard is available at http://localhost:8080.
If you prefer a manual install:
sudo pacman -S bluez bluez-utils python-pip # Arch
sudo apt install bluez python3-pip # Debian/Ubuntu
pip install -e .
sudo bluehood
Bluetooth scanning needs elevated privileges. You can either run as root, grant capabilities to Python, or use the included systemd service for always-on monitoring.
Bluehood isn’t a hacking tool. It’s an educational demonstration of what’s possible with commodity hardware and a bit of patience.
I built it because I wanted to see for myself what I was broadcasting. The results were sobering. Even with no malicious intent, anyone with basic technical knowledge could learn a lot about my household just by sitting in their car and running a script.
This isn’t about paranoia. It’s about understanding the trade-offs we make when we leave wireless radios enabled on our devices. For some use cases, Bluetooth is essential. For others, it’s just convenience. Being aware of what you’re exposing is the first step to making informed decisions about which category your devices fall into.
If you try Bluehood and it makes you think twice about your own Bluetooth habits, it’s done its job.
The source code is available on GitHub. Feedback and contributions welcome.
Edit: iOS
This is my main concern over installing apps in general but specifically store apps. I've noticed that grocery stores are moving past existing loyalty cards and want you to use their apps for exclusively available digital coupons. The prices I'm seeing are very compelling and are on top of existing loyalty card discounts, and I could see lots of people using the app because of it. The assumed amount of abuse keeps me from lemminging my way through the store.
It was usually an image, movie, or audio file.
I am not without sin when it comes to driving a car.
That's not how mac address randomization works now for both android and ios. Both connect with a randomized mac as well, which might be persistent per-network, but it still heavily hampers data collection. For ios specifically, it also seems to have some sort of heuristic to detect which network names are common/guessable, and use a rotating mac for those. Moreover "you can sniff the network names a phone is trying to connect to" isn't really a thing unless the network is using hidden ssid, which isn't the default for almost all routers.
Ever been in an Apple store? Look up. In the dark voids between the edge-to-edge backlit ceiling. There are secrets there. Watching you.
I have a "store mode" button that just kills wifi/bt that I hit before I go into any store.
i like that a lot, brother, thank you!
I definitely don't approve of mass collection across many cameras, accessible to who-knows-who with minimal if any privacy controls (Flock). But it wouldn't surprise or bother me if my next-door neighbor had ALPR enabled, as long as it's not part of that cloud. YMMV.
Full disclosure: I develop an open source home/hobbyist-oriented NVR, although it doesn't have an ALPR feature or any other analytics today.