OSINT via Bluetooth: how Android devices give away the owner
For reasons unknown to me, Bluetooth is still considered a purely local protocol: file transfer, connection to headsets, operation of a fitness bracelet. In practice, it gives a lot more. With proper processing of advertising packages and service information of Bluetooth devices, it is possible to determine the approximate location, type and model of the device, restore movement routes, and in some cases, identify the owner. All this happens without physical access to a smartphone or wearable devices.
Bluetooth-OSINT is used at the information collection stage, during technical support of events, during investigations and during movement monitoring. It is effective both in urban environments and in confined spaces: at train stations, business centers, hotels, and conference halls.
Android devices remain particularly vulnerable. Even with an inactive connection, they continue to send advertising packets.
Advertising packets in the context of Bluetooth, especially Bluetooth Low Energy (BLE), are special short packets of data that a device periodically transmits over the air to inform other devices about its presence.
These packets do not require a connection — they are transmitted "blindly" and are received by all devices within range. It is thanks to these advertising packages, for example, that headphones appear in the list of available Bluetooth devices on your phone.
Many models transmit the device name in clear text — for example, Pixel 8a Alex or Galaxy S22 Masha. This field often contains the user's name or nickname. Such data can be compared with search results in social networks, leaks, and databases.
Even if the name is hidden, there are still values in the packages that can be used to set the model, chip type, and manufacturer's version. If you collect data about such devices from different points, you can build a graph of movements and identify whether the devices belong to the same user.
What is visible via Bluetooth
– Device name
– Signal strength (RSSI) — allows you to estimate the distance to the source
– Manufacturer-specific data — additional fields specified by the manufacturer
– Advertising UUID — often static for specific models
– Frequency of broadcasting and interaction with services
The combination of smartphone, watch and headset is already a unique set. It is easily tracked by its characteristic behavior on the air.
Why Android makes more noise than other OS
– The MAC address may not be randomized until Bluetooth is manually rebooted
- Built–in BLE Privacy protection is either missing or partially implemented
– Device names are often transmitted in clear text
– System services are running in the background: Nearby, Fast Pair, geolocation, Smart Lock
This creates a permanent presence of the device on the radio. Even without connecting to other devices, the smartphone remains visible.
How to reduce visibility
1. Disable Bluetooth if it is not necessary to operate it
2. Disable background scanning:
Settings → Geolocation → Scan → Bluetooth Scan → Off
3. Change the device name:
Settings → About the phone → Device Name
4. Disable Nearby Share, Fast Pair, Smart Lock and other Bluetooth-enabled services
5. If root access is available, use additional utilities:
– Magisk BLE Privacy Module
– XPrivacyLua
– Bluetooth MAC Spoofer
Tools for analysis
– nRF Connect — displays BLE packets transmitted over the air
- Beacon Scanner / BLE Hero – detection and tracking of surrounding devices
— btmon with ADB – allows you to view HCI logs, including BLE, without root access
- Kismet is a powerful framework for monitoring wireless interfaces (Wi-Fi, BLE)
Even if the device is not connected to anything and is in your pocket, it can transmit this data, depending on the firmware, settings, and model. This creates a digital "fingerprint" on the airwaves.
