WMLinks: Wearable Smart Devices and Mobile Phones Linking through Bluetooth Low Energy (BLE) and WiFi Signals

Abstract

Wearable smart devices have gradually become indispensable devices in people’s lives. Their security and privacy have gained increasing popularity among the public due to their ability to monitor and record various aspects of users’ daily activities and health data. These devices maintain a wireless connection with mobile phones through periodic signal transmissions, which can be intercepted and analyzed by external observers. While these signal packets contain valuable information about the device owner, the identity of the actual user remains unknown. In this study, we propose two approaches to link wearable smart devices with users’ mobile phones, which serve as electronic identities, to enable novel applications such as multi-device authentication and user-device graph construction for targeted advertising. To establish this linkage, we propose two approaches: a passive-sniffing-based linking approach and an active-interference-based linking approach, which solve the problem of sniffing Bluetooth Low Energy broadcast packets in two stages of Bluetooth Low Energy communication. Through experiments conducted across three scenarios, we demonstrate that seven wearable devices can be successfully linked with an accuracy rate exceeding 80%, with accuracy rates approaching 100% when a device is recorded more than 11 times. Additionally, we find that four wearable devices can be linked via an active-interference-based linking approach with an accuracy rate exceeding 70%. Our results highlight the potential of wearable devices and mobile phones as a means of establishing user identities and enabling the development of more sophisticated applications in the field of wearable technology.

1. Introduction

Recently, wearable smart devices (WS devices), including smartwatches, smart bracelets, heart rate belts, and smart glasses, offer a wide range of functions that continue to expand as the field of wearable technology advances [1,2]. According to new data from the International Data Corporation, global shipments of wearable devices in 2024 are poised to reach 559.7 million, growing 10.3% year over year (https://www.idc.com/getdoc.jsp?containerId=prUS51975524 (accessed on 13 August 2024)). To establish a connection between mobile phones and WS devices, periodic signal transmissions are employed, revealing some information about the WS device owner. Even though we can sniff the signals to reveal some information about the WS device, we do not know who the owner of it is. To solve this problem, practical approaches, such as user–device linking [3,4] and device–device linking [5,6], can establish relationships between users and their devices, enabling the creation of a user’s device graph. In this study, we propose novel device–device linking approaches, WMLinks, which leverages the analysis of Bluetooth Low Energy (BLE) and WiFi signals to link WS devices and mobile phones. Since people now usually carry a mobile phone with them, the mobile phone is considered as the user’s electronic identity. By linking these two types of devices, several applications are enabled, including user authentication through WS devices or mobile phones, targeted advertising based on BLE device manufacturer information, and lost WS device recovery by law enforcement agencies.

At present, device–device linking approaches mainly link personal computers and mobile phones [7,8], and there are relatively few methods to directly link mobile phones and some WS devices based on BLE protocols. Some studies have identified WS device software by analyzing mobile phone network traffic [9,10], which can be considered an indirect approach to link mobile phones and WS devices. These approaches require the specific software to generate network traffic, while the network traffic of these software is limited. Therefore, these approaches will fail when the software does not generate network traffic.

Given that users typically carry their mobile phones and WS devices together, the strength of their respective wireless signals changes in a similar trend. Specifically, the WiFi signal of the mobile phone and the BLE signal of the WS device are highly correlated. By comparing the similarity of their respective received signal strength (RSS) changes, we can establish a link between the mobile phone and the WS device. The assumption is that law enforcement agencies can deploy specialized equipment for capturing WiFi and BLE signals. For sniffing WiFi signals, we can deploy a wireless network card under monitor mode and set its sniff channel to be the same as the wireless router. For sniffing BLE signals, there are two types of signals, which include broadcast signals and data signals. Due to the high equipment cost of sniffing data signals, we mainly consider sniffing broadcast signals. For further clarification, the BLE communication between a WS device and a mobile phone is a two-stage process. In the first stage, a WS device sends broadcast signals regularly so that mobile phones can find it. Therefore, we can sniff the broadcast signals directly. In the second stage, a mobile phone finds and connects with a WS device, and then most brands of WS devices stop sending broadcast signals and communicate by data signals, except Apple’s equipment. Therefore, in the second stage of BLE communication, we cannot sniff the broadcast signals directly in most cases.

In this article, we propose two linking approaches for the two stages of BLE communication, which are the passive-sniffing-based linking approach [11] and the active-interference-based linking approach. To establish a link between WS devices and mobile phones using the passive-sniffing-based approach, we deploy equipment for capturing WiFi signals and BLE broadcast signals. To reduce signal noise, we employ a multi-stage filtering method. Subsequently, we use a dynamic time warping (DTW)-based algorithm to analyze the filtered signals and establish a link between the two types of devices. In the active-interference-based linking approach, we employ several sniffing nodes, a jammer, and a surveillance camera to trigger the WS device to resend broadcast packets. We deploy a surveillance camera to estimate users’ location by setting virtual labels. Once the user’s location is within the interference range, we turn on the jammer to interfere with the BLE signals. After a period of time, we turn off the jammer and sniff the WS device’s broadcast signals. Due to the limited number of broadcast signals, we calculate and compare different sniffing nodes’ RSS values to link two types of devices.

To assess the effectiveness of the proposed linking approaches, we conducted experiments involving eight WS devices, including smart bracelets, smartwatches, and oximeters. The experiments are conducted in three different scenarios, namely the playground, indoor hall, and indoor corridor. We find that different WS devices have different frequencies of sending broadcast packets. If the software is not always running on the front end, most WS devices will disconnect from the mobile phones. After two devices are disconnected, the broadcast signals also can be sniffed. In passive-sniffing-based linking experiments, by comparing several movement patterns, we find that the linking performance is optimal when users move back and forth facing the sniffing node, and after the distance between two users is longer than 3 m but within the effective sniffing range, the linking accuracy is higher when the distance is longer. We also find that fewer users and multiple sessions of data recording will result in higher linking accuracy. In active-interference-based linking experiments, we find that four WS devices can have interference to link with mobile phones effectively. Compared with a bracelet and a watch, the linking accuracy of an oximeter is higher.

To summarize, our paper makes the following contributions:

• Firstly, we propose novel approaches to link WS devices and mobile phones through sniffing BLE and WiFi signals, which do not require any active participation from the users. To the best of our knowledge, this is the first study to propose such approaches.
• Secondly, the two approaches, i.e., the passive-sniffing-based linking approach and the active-interference-based linking approach, can deal with two stages of BLE communication with cheap sniffing devices.
• Thirdly, we evaluate the accuracy and limitations of WMLinks through real-world experimentations. We analyze how factors such as the moving patterns of users, the number of users, the distance of users, and the types of devices that affect linking accuracy.

The sections of our paper are as follows. We introduce the process of BLE communication in Section 2. In Section 3, we present our two linking approaches. Section 4 shows the experimental results of our approaches, which is followed by discussing limitations and future research directions in Section 5. The existing related work is introduced in Section 6, and a conclusion is drawn in Section 7.

2. Background

This section presents the background knowledge of WiFi signals and BLE signals, along with the technique to sniff these signals.

2.1. WiFi Signals

WiFi signals facilitate the transmission of network traffic between wireless routers and smartphones. In contemporary times, wireless routers usually operate on two frequency bands: 2.4 GHz and 5 GHz. The 2.4 GHz frequency band incorporates 13 channels that range from 2.412 GHz to 2.472 GHz, while the 5 GHz frequency band comprises numerous working channels whose total varies across countries. The WiFi channel depends on the routers’ operating change; when the WiFi channel is set on the same channel as the sniffer can enable the latter to intercept WiFi signals. To investigate the factors that affect the performance of sniffing, Li et al. [12] present experiments under different wireless environments using off-the-shelf products; they find that the number of access points and their corresponding operating channels, the signal strength of the access point, and the number of devices in the vicinity are four main factors affecting the sniffing performance. Pietraru et al. [13] employ WiFi signal sniffing to build a system to count people in a room, which helps to ensure social distance in the classrooms and laboratory of a university campus.

2.2. BLE Signals

BLE signals are utilized to transfer BLE packets between mobile phones and WS devices. In the BLE connection establishment, WS devices first broadcast packets on three channels in a particular sequence. Subsequently, mobile phones scan each broadcast channel periodically and receive the broadcast packets of WS devices when the scanning channel matches the channel of broadcast packets. After negotiating certain parameters on the broadcast channel, both types of devices communicate via 37 data channels by frequency hopping in an unpredictable order. Although there are some expensive devices such as Frontline Sodera (https://www.fte.com/products/sodera.aspx (accessed on 13 August 2024)) that can sniff the 37 data channels, we commonly utilize cheaper devices such as Ubertooth-one and Nordic nRF51 Dongle to sniff broadcast signals. However, most WS devices discontinue broadcasting signals once they connect with mobile phones. To address this problem, we use a jammer to transmit noise signals that interfere with BLE communication. After a while, WS devices lose their connection with mobile phones and then send broadcast signals again. Then we can sniff the broadcast signals before the two devices reconnect.

3. Methodology

As mentioned before, there are two stages in BLE broadcast signal sniffing; the first is when BLE broadcast signals can be sniffed directly, and in the second stage, they cannot be sniffed directly. In this section, we introduce two different approaches, i.e., the passive-sniffing-based linking approach and the active-interference-based linking approach, for the two stages.

3.1. Passive-Sniffing-Based Linking Approach

In the first stage of BLE communication, it is assumed that users are moving, carrying mobile phones and WS devices, where the former transmit network traffic via WiFi and the latter send BLE broadcast signals. The environment is equipped with sniffing devices that are capable of capturing both WiFi and BLE signals. Since signal strengths of these two types of signals change with the distance of their propagation, according to reference [14], they both conform to the Equation (1), which allows for the comparison of the similarity of their respective RSS.

$$P\left(d\right)=P\left(d_0\right)-10nlog\left({\displaystyle \frac{d}{d_0}}\right)+ϵ$$

(1)

Within the context of wireless signal propagation, the signal strength of transmitted and received points is denoted by $P\left(d\right)$, where d is the distance between the two points. The reference range is $d_0=1$ m, and the path loss index n is related to the environment. The stochastic error term is represented by $ϵ$. As the equation illustrates, in a specific environment, signal strength $P\left(d\right)$ and distance d have a linear relationship. Given this relationship, we can discern different device pairs based on the similar signal strength changes resulting from a user moving with two different types of devices.

The proposed passive-sniffing-based linking approach workflow is illustrated in Figure 1. The approach involves three primary steps. Firstly, sniffing devices are deployed in accordance with the device attributes and the surrounding environment to capture both WiFi and BLE signals. Secondly, signal strengths are extracted from the collected signal packets, and a multi-stage filtering method is employed to mitigate signal noise. Thirdly, the DTW algorithm is utilized to assess the similarity between the two types of devices. Subsequently, the similarities of various devices are compared to obtain linking outcomes.

3.1.1. Sniffing WiFi Signal and BLE Signal

In order to capture both WiFi and BLE signals, the appropriate placement of sniffing devices is crucial. To ensure a consistent trend of signal strength change for both signal types, we deploy two types of sniffing devices in close proximity. As environmental interferences can affect the accuracy of signal collection, the sniffing devices are placed at an elevated position. This 3D deployment problem can be simplified into a 2D plane coverage problem, considering the scene area and effective sniffing range. As the effective sniffing range varies depending on the environment, it is necessary to test and determine the range in which the signal strength change complies with Formula (1). Furthermore, we discovered that the sniffing devices should be positioned along the path of user movement to enhance the changes in signal strength.

Following the deployment of sniffing devices, the WiFi signals of mobile devices and the BLE signals of WS devices are sniffed using two distinct types of devices. For WiFi signal sniffing, a MacBook is utilized. In the MacBook, there is a built-in network sniffing function that can sniff a specific WiFi channel [15]. Additionally, as devices may not keep transmitting WiFi signals, ping probes are sent on the network to ensure devices generate answer packets [4]. For BLE broadcast signal sniffing, Nordic nRF51 Dongle is employed. The installation of a Wireshark with a plugin [16] enables the sniffing of BLE broadcast signals. Throughout this step, the sniffed signals are saved as pcap files for subsequent analysis.

3.1.2. Processing Signals Based on Multi-Stage Filtering

In this step, we extract the RSS lists of different devices from the sniffed pcap files, which are then processed by a multi-stage filtering strategy. For WiFi signal packets, we first parse the IP packet headers to retrieve the IP addresses and classify the devices accordingly. We then analyze the radiotap headers and pcap headers to obtain the RSS values and timestamps. Similarly, for BLE broadcast signal packets, we analyze the btle packet headers to extract the devices’ broadcast addresses and classify the devices based on these addresses. Then, we parse the ble packet headers and pcap headers to obtain the corresponding RSS values and timestamps. The packet headers of both types of signal packets can be observed in Figure 2.

Upon obtaining the RSS lists of different devices, we observed that the RSS values are susceptible to environmental influences and user movement, leading to the presence of jitter and impulsive noises as illustrated in Figure 3a. In order to reduce such noises, we evaluated several filtering methods, namely arithmetic average filtering, median value average filtering, weighted recursive average filtering, amplitude limiting and damping filtering, and low-pass filtering. Among these methods, we propose a multi-stage filtering method that comprises low-pass filtering and arithmetic average filtering. Specifically, we employ the Butterworth filter as the low pass filter to eliminate jitter noises, with a cut-off frequency of 0.3, as in [17]. However, impulsive noises still remain in the filtered RSS lists. Thus, we employ arithmetic average filtering with a parameter of 2 to calculate the average value of two consecutive RSS values. The resulting filtered RSS values are depicted in Figure 3b.

3.1.3. Linking Devices Based on DTW

To establish a link between mobile phones and WS devices, we present a DTW-based algorithm that quantifies the similarity of RSS variations in WiFi and BLE signals. Originally developed for speech recognition, the DTW algorithm leverages dynamic programming to address the challenge of template matching for time sequences with variable lengths. In our context, the RSS values of both signal types constitute time sequences. Since the sampling rates of different devices are distinct, the RSS lists are of unequal length, rendering the DTW algorithm an appropriate choice.

To ensure accurate results in the calculation process, it is necessary to account for deviations caused by varying signal sampling rates and initial RSS values. Thus, prior to the implementation of the DTW algorithm, we perform a resampling and decentralization of the RSS values. Our proposed linking algorithm is designed for a scenario where there are n users, each with a mobile phone ($m_i$) and a corresponding WS device ($w_j$). To link each mobile phone with its associated WS device, we compare the RSS value list of $m_i$ (i.e., $RS{S}_i^m$) with the RSS value lists of all available WS devices ($w_j$, where $j\in [1,n]$) to determine which WS device is most similar to the mobile phone. Our algorithm determines the DTW distance of the RSS value lists of two devices and selects the WS device with the smallest DTW distance as the linked device. Specifically, the smaller the DTW distance between two devices, the more similar the two devices are considered. The detailed algorithmic steps are presented in Algorithm 1.

In this algorithm, for each $m_i$ in the mobile device set M, we choose two WS devices $w_j$ and $w_k$ of the WS device set W randomly. Then, we compare the signal sequence length of $w_j$ and $w_k$; if $|RS{S}_j^w|\ge |RS{S}_k^w|$, we calculate the sampling rate as equal to $|RS{S}_k^w|/|RS{S}_j^w|$. Next step, we randomly sample sequence $RS{S}_j^w$ with the sampling rate of $|RS{S}_k^w|/|RS{S}_j^w|$. For each sequence sampled $RS{S}_j^w\_sample$, we calculate the DTW distance between it and $RS{S}_i^m$ denoting as $result1\_temp$. In addition, we normalize the RSS values by subtracting the mean value of the RSS sequence from each value during the DTW calculation, thereby reducing the DTW distance calculation errors due to disparate RSS initial values of different devices. After 1000 random samplings, we calculate the average of $result1\_temp$ as $result1$, which is the DTW distance of $w_j$ and $m_i$. The $result2$ equals the DTW distance of $w_k$ and $m_i$. If $|RS{S}_j^w|<|RS{S}_k^w|$, the sampling rate equals $|RS{S}_j^w|/|RS{S}_k^w|$, and steps 5–15 are repeated to sample the sequence $RS{S}_k^w$. Then, we compare the $result1$ and $result2$ and select the device with a smaller DTW value as a result($w_j,w_k$). Since there are $C(n,2)$ cases when any two devices $w_j$ and $w_k$ are selected from WS device set W, we choose the majority $w_x$ in the $C(n,2)$ results as the final pairing result. Furthermore, since WS devices emit broadcast signals at varying frequencies, we opt for pairwise sequence sampling to compare them, which can effectively mitigate the distortion introduced by sampling at the lowest frequency across all sequences.

Algorithm 1 DTW-Based Linking Algorithm

Input: The filtered RSS lists of two types of devices Output: The linked device pairs   1: for each $m_i$ in M do   2:    for any two WS devices $(w_j,w_k)$ in W do   3:      if $|RS{S}_j^w|\ge |RS{S}_k^w|$ then   4:         $rate$=$|RS{S}_k^w|/|RS{S}_j^w|$   5:         for $i=0;i<1000;i++$ do   6:           for each $RSS$ in $RS{S}_j^w$ do   7:              if random(0,1)<$rate$ then   8:                add $RSS$ into $RS{S}_j^w\_sample$   9:              else 10:                continue 11:              end if 12:           end for 13:           $result1\_temp$ = DTW($RS{S}_j^w\_sample,RS{S}_i^m$) 14:           $result1\_sum$ = $result1\_sum+result1\_temp$ 15:         end for 16:         $result1$=$result1\_sum/1000$ 17:         $result2$=DTW($RS{S}_k^w,RS{S}_i^m$) 18:      else 19:         $|RS{S}_j^w|<|RS{S}_k^w|$ 20:         $rate$=$|RS{S}_j^w|/|RS{S}_k^w|$ 21:         replace sampling list with $RS{S}_k^w$, repeat steps 5–15 22:         $result1$ = DTW($RS{S}_j^w,RS{S}_i^m$) 23:         $result2=result2\_sum/1000$ 24:      end if 25:      if $result1<result2$ then 26:         result($w_j,w_k$) = $w_j$ 27:      else 28:         result($w_j,w_k$) = $w_k$ 29:      end if 30:    end for 31:    $\forall (w_j,w_k)$ in W, there are $C(n,2)$ cases 32:    so there are $C(n,2)$ results of result($w_j,w_k$) 33:    choose majority $w_x$ as the final result 34:    we get one device pair$(m_i,w_x)$ 35: end for 36: return device pairs

3.2. Active-Interference-Based Linking Approach

In this scenario, the assumption is that the WS devices have established a connection with the mobile phones, and thus the BLE broadcast packets cannot be directly sniffed. To address this issue, we propose the use of a jammer to interfere with the BLE communication, which triggers the WS devices to send out the BLE broadcast packets to reconnect the mobile phone. The active-interference-based linking approach comprises two periods, as depicted in Figure 4. In the first period, a setup consisting of several sniffing devices, a camera, and a jammer is deployed in the environment. The camera is used to detect users and to estimate their positions by setting virtual marks. In the second period, when the target user is within the effective interference range, the jammer and sniffing devices are activated. The jammer is turned off and signals are sniffed when the interference time length is longer than the threshold $T_{shield}$ and there are no other users within a distance of $d_u$ around the target user. Finally, the RSS values sniffed by the multiple sniffing devices are combined to link the two types of devices.

3.2.1. Virtual-Mark-Based User Position Estimation

In the position estimation period, we first deploy devices, including sniffing devices, one camera, and one jammer. In this scenario, the deployment of sniffing devices is shown in Figure 5; three sniffing devices are placed along the side of the building, and there are $d_p$ m between these devices. Here, we set $d_p=3$, which will be derived by our statistical analysis in Section 4. The camera can be a network camera or a surveillance camera; it is placed at one end of the building (e.g., the end of the corridor). The jammer is placed on the opposite side of sniffing node 2 and about 3 m away.

After deploying devices, we employ the SSD (Single-Shot MultiBox Detector) algorithm [18] to detect users. SSD is a kind of object detection algorithm based on deep learning; compared with traditional object detection algorithms, it has the advantages of fast detection speed and high accuracy. We utilize the pedestrian detection model from the website pyimagesearch (https://pyimagesearch.com/ (accessed on 13 August 2024)), which has a good detection performance. During the detection, we utilize the API of OpenCV to open the camera to capture images. Then, we resize the image to $300\times 300$ to fit the detection of the SSD model. Once a pedestrian is detected, he will be marked by a box, and the pixel coordinates of the box’s four corners will be output. At last, we calculate the midpoint coordinates of the box’s bottom two corners as the pixel coordinates of the pedestrian.

Next, we set virtual marks in our scenario to assist in locating the pedestrian position. The function of virtual marks is to establish the relationship between actual coordinates and pixel coordinates. Let us take an interior corridor as an example, which is shown in Figure 6, where the red points are the virtual marks. In the scenario of the corridor, we divide the flow into a grid map with a side length 1 m, and then mark the pixel coordinates of the grid vertices as the initial virtual marks. Due to the camera shooting angle and perspective, the square of the actual space will appear as a normal quadrilateral. We cannot simply locate a pedestrian by his pixel coordinates. In this paper, we design a location method as follows.

There are two steps in the method; in the first step, we look for four virtual marks around the pedestrian, and in the second step, we calculate the actual coordinates according to the four surrounding virtual marks. To look for the surrounding virtual marks, we set the center virtual mark as the search starting point. As shown in Figure 7, we calculate the Euclidean distances between the pixel coordinates of the pedestrian and nine virtual marks, which include the center and the eight surrounding virtual marks. Then, we choose the nearest virtual mark as the next search starting point. We repeat the above search process until the search starting point is the nearest virtual mark. In Figure 7, we find that Point B is the nearest virtual mark. The black arrows show the search process and the red arrows show the search results.

After locating the nearest point, we connect the point to the pixel coordinates of pedestrian and calculate the angle between this line and the quadrilateral side. We also calculate the angle between two sides of the quadrilateral, which can be precomputed for storage. By comparing the two angles, we can locate which quadrilateral the user’s pixel coordinates fall within. As shown in Figure 8, pixel coordinates of the pedestrian, i.e., the red point $(x_0,y_0)$ fall in quadrilateral $ABCD$. Next, we compute the slops of line $AB$ and line $CD$ and use the average of the two slopes to cross $(x_0,y_0)$ as an auxiliary line to intersect $BC$ and $AD$ at $(x_2,y_2)$ and $(x_4,y_4)$. As the same, we compute the slopes of line $BC$ and line $AD$ and use the average of the two slopes to cross $(x_0,y_0)$ as an auxiliary line to intersect $AB$ and $CD$ at $(x_1,y_1)$ and $(x_3,y_3)$. We set the actual coordinates of point A as $(X_A,Y_A)$, where the actual length of square side is L, and then we can obtain the actual coordinates of pedestrian which equals $(X_A+L{\displaystyle \frac{x_0-x_1}{x_3-x_1}},Y_A+L{\displaystyle \frac{y_0-y_4}{y_2-y_4}})$. After obtaining the actual coordinates of the pedestrian, we can further calculate the Euclidean distance between pedestrians.

3.2.2. BLE Signal Interference-Based Device  Linking

In the device-linking period, we employ a jammer to interfere with BLE communication, which can trigger the BLE broadcast packets to be re-sent. As we know, after establishing BLE communication between two devices, they work on data channels. To prevent communication interruption, the mobile phone sets a timeout parameter in the request packets of establishing a connection. This means that, if the mobile phone does not receive the data packets from the WS device for longer than timeout seconds, the mobile phone stops sending request packets; in other words, the connection is lost between the two devices. Therefore, when the jammer interferes in the 2.4 GHz frequency band, it causes the mobile phone to no longer receive data packets from the WS devices. After timeout seconds, the connection is lost. Then, we stop interfering with the BLE communication, the WS device sends out broadcast packets so as to reconnect with the mobile phone. As a result, we can sniff the broadcast packets. In this step, we employ a jammer that operates on 2400–2485 MHz and 5725–5850 MHz, and it covers the BLE frequency 2400–2483.5 MHz. To effectively interpret the BLE communication, we test each device’s timeout parameter and set the jammer’s interference time threshold $T_{shield}$ (set as 8.5 s, as we will discuss it in Section 4).

The detailed process of interruption is as follows. When the surveillance camera detects that the user is within range $d_s$ of the jammer ($d_s$ is set as 9 m, as we will discuss it in Section 4), we turn on the jammer, which is shown in Figure 9. Meanwhile, we turn on the sniffer devices to prepare sniffing. After the interference time $T_{shield}$, and when the distance between the target user and other users is greater than $d_u$, we turn off the jammer, which is shown in Figure 10. At this time, sniffing devices collect the two types of signals saved in pcap files.

After sniffing, we abstract the signal strengths of two types of devices and combine them with the information of sniffing nodes and users’ positions to link devices. We find that only a few seconds later, the BLE devices can reconnect with mobile phones. As a result, the number of broadcast packets that can be sniffed is limited. If we also employ DTW to calculate the similarity of signal variation, we will obtain bad results. To solve this problem, we propose a new method that is based on different sniffing nodes with the sniffing of different signal strengths. Here, we choose three continuous sniffing nodes as an example to introduce our approach. As shown in Figure 9, there are three sniffing nodes on a line, and the distance between each pair is $d_p$. The midlines between each pair of nodes are marked by a dotted line, which divides the space into three areas (i.e., A, B, and C). We suppose a pedestrian is standing within the range of area B, and the distances between him and other pedestrians are greater than $d_u$, in which case the jammer will be turned off. As a result, the comparison of the corresponding RSS values collected by the three sniffing nodes is shown in

Table 1. Different relationships of sniffed RSS values when the user is located within different areas.

User Area	The Relationship of RSS Values Sniffed by Three Nodes
A	$RS{S}_1>RS{S}_2>RS{S}_3$
B	$RS{S}_2>RS{S}_1$ and $RS{S}_2>RS{S}_3$
C	$RS{S}_3>RS{S}_2>RS{S}_1$

. $RS{S}_1$, $RS{S}_2$, and $RS{S}_3$ represent the RSS mean values of node 1, 2, and 3 sniffed. When the target pedestrian is located within area B, the relationship between the RSS values of his equipment sniffed by the three nodes is different from that of the users in the A and C areas. Therefore, we can link the user and the mobile phone based on this rule. In addition, if we set more than three sniffing nodes, we can cover larger areas.

Based on the above rules, our active linking algorithm is shown as follows. First, after the jammer is turned off, we extract the RSS values and timestamps of two types of devices for three seconds. Second, we calculate the RSS mean of two types of devices. Third, in order to filter out the impulsive noise, we employ the RSS mean value of the second step as the initial value to perform limit range filtering. Empirically, we set the limit range as 10. Fourth, we calculate the RSS mean value again as the final result after limit range filtering. Fifth, to find the device whose RSS values of three nodes meet the relationship of area B, we link the device and the pedestrian.

4. Evaluation

In this section, we outline the experimental settings employed in our study. Subsequently, we gather and analyze the broadcast packets of WS devices. Finally, we design a set of diverse experiments to demonstrate the efficacy of our two proposed approaches. Furthermore, we conduct a comparative analysis of the outcomes with prior related work.

4.1. Experimental Setup

In this section, we present the experimental settings and procedures used in our study. We conducted our experiments in three different scenarios, namely an outdoor empty playground (20 m × 20 m), an indoor corridor (2.36 m × 50 m), and an indoor hall (10.83 m × 7.35 m). To emulate the real-world setting, we invite five participants to carry both mobile phones and eight different types of WS devices, including smart bands, smart watches, and smart oximeters. To sniff the WiFi signals, we utilize MacBooks with wireless signal sniffing capability, whereas for BLE signals, we employ a Windows laptop with a Nordic nRF51 Dongle (Nordic Semiconductor ASA, Trondheim, Norway). In the active-interference-based experiments, we also employ jammer W2, which is produced by Shenzhen Chepuan Technology (Shenzhen, China), that operates at 2400–2485 MHz and 5725–5850 MHz, along with a Logitech camera C920 (Logitech, Hangzhou, China). Furthermore, we ensure the synchronization of time on all computers using NTP and set up a wireless AP (TPLink AC1200) (Pulian Technology Co., Ltd., Shenzhen, China) to provide a network connection. We fixed the channel for easy sniffing and installed pingtools software to generate WiFi signals continuously by sending out 10 ping packets per second. We design different experiments to collect and analyze the broadcast packets of WS devices and compare our results with the related work to demonstrate the effectiveness of our two approaches.

4.2. Experimental Results

There are three parts in this section. First, we performed experiments to determine our parameters of linking approaches. Second, we captured the broadcast packets of WS devices to analyze their characteristics. Third, we designed three types of experiments to test two linking approaches, which included passive-sniffing-based indoor linking, outdoor linking, and active-interference-based indoor linking. In these experiments, we mainly discuss the factors that affect the linking effect, such as device type, number of users, and user movement mode.

4.2.1. Parameters Determination

In our linking approaches, there were several parameters to determine. We needed to evaluate the effective sniffing range of our sniffing devices in passive-sniffing-based experiments. The active-interference-based experiments included the distance of sniffing nodes $d_p$, the distance threshold between users $d_u$, the interference range of the jammer $d_s$, and the time length threshold of interference $T_{shield}$.

Effective sniffing range. To conduct the linking experiments, we needed to assess the effective range of our sniffing devices. For the outdoor scenario, we performed two types of tests, as illustrated in Figure 11, and the red dot represents the sniffing node. In Figure 11a, we directed users to move back and forth at different distances $d_1$ (5, 10, 15, 20 m) from the red node, which represents the sniffing node. In Figure 11b, the users moved back and forth at different horizontal distances $d_2$ (2, 3, 4, 5, 6, 7 m). In the indoor scenario, we let users move, as illustrated in Figure 11a, due to the limited width of the corridor. Afterward, we sniffed two types of signals and recorded the signal strength, with the aim of verifying whether the signal strength variation range and trend align with the Formula (1).

Following the experiments conducted in the outdoor scenario, we observed that the signal strength changes were unstable when $d_1$ was within 5 m in set (a), while the signal strength was weak and the change was not significant when $d_1$ was longer than 15 m. In set (b), the signal strength varied chaotically when $d_2$ was longer than 4 m, and the variation trend was inconsistent with Formula (1). Therefore, we concluded that the effective range of our sniffing devices in the outdoor scenario is within 4 m of horizontal distance, and the distance range was between 5 to 15 m. Similarly, in the indoor scenario, we found that the effective range was within 15 m.

Interference range of the jammer and time length threshold of interference. In the indoor scenario, we tested the interference range of the jammer and set the time length of interference. We found that the effect of interference was different for different WS devices. In our experiments, we first connected the WS device with the mobile phone; then, we interfered with the BLE communication at different distances. In order to ensure the effect of interference, we set the interference time to 10 s. After seeking out the effective range, we let the user walk toward the jammer from the effective interference distance while carrying two types of devices and record the time it took to disconnect the connection. In addition, in order to record the time length, we developed an Android app to install on the mobile phone. This app continuously listens to two broadcast constants ACTION_ACL_DISCONNECTED and ACTION_ACL_CONNECTED of class BluetoothDevice, so as to obtain the BLE connection status. After statistical analysis, the effective interference range and time length of interference are shown in

Table 2. Interference statistics of eight types of WS devices.

WS Device	Effective Interference Range (m)	Interference Time Range (s)	Average Interference Time
Mi 5 band (Xiaomi Corporation, Beijing, China)	9	[7, 10]	8.5
Huawei 4 band (Huawei Technologies Co., Ltd., Shenzhen, China)	12	[6, 11]	8.1
Garmin band (Garmin Corp., Olathe, KS, USA)	16	[5, 7]	5.9
ADZ band (Shenzhen Tanyou technology Co., Ltd., Shenzhen, China)	19	[5, 7]	6.1
Mi watch color (Xiaomi Corporation, Beijing, China)	12	[5, 11]	8
Garmin watch (Garmin Corp., Olathe, KS, USA)	12	[5, 10]	7.5
Konsung oximeter (Jiangsu Kangshang Medical Technology Co., Ltd., Danyang, China)	30	[5, 7]	5.9
Viatom oximeter (Shenzhen Viatom technology Co., Ltd., Shenzhen, China)	30	[5, 8]	6.1

. From the table, we can see that the effective interference range was different for different WS devices, and the interference time was also different. In our experiments, we set the $d_s=9$ m and $T_{shield}=8.5$ s, which meet the interference requirements of most WS devices.

In order to distinguish different users by consecutive sniffing nodes’ RSS values, we set them apart by $d_p$. Therefore, $d_p$ equals the distance threshold between users $d_u$. In order to test $d_p$, we designed experiments to ask two users to carry the same WS device (Huawei 4 band) and mobile phone (Huawei mate 20); one user of them carried two types of devices close to the sniffing node, and the other user gradually increased in distance from the first user. Then, we connected the WS device to the mobile phone and sniff the RSS values after the interference. We collected the signal strength when two users were 1, 3, and 5 m apart, and each experiment was repeated five times. In data statistics, due to the phenomenon of some jumps in the signal, the data are limit-filtered, and the threshold is set to 10; that is, when the difference between adjacent two RSS values is bigger than 10, the last data are used to replace the current data. Considering that the number of signals that can be obtained after interference is limited, 10 RSS values were selected for a single test to calculate the average value. Finally, the results of the five experiments were averaged, and the statistical results are shown in Figure 12. It can be seen from the figure that when the user was 1 m away, the RSS values of the two types of devices were not much different, and it is almost impossible to distinguish them. When the distance was greater than 3 m, the difference between the two RSS values was greater. Therefore, we set the user distance threshold $d_p=3$, that is, $d_u=3$.

In particular, the various parameters in this paper are related to various factors, such as scenarios, users, and the performance of various devices. Therefore, in different environments, these parameter thresholds will change accordingly. In practical applications, it is necessary to conduct test experiments in advance according to corresponding scenarios, so as to determine the corresponding parameter thresholds.

4.2.2. Characteristics of WS Devices’ Broadcast Packets

In this series of experiments, we commenced by conducting a minute-long sniffing activity on the broadcast signals of WS devices to ascertain their frequencies. Subsequently, we proceeded to sniff broadcast packets hourly to ascertain whether their MAC addresses were randomized and to test if they disconnected within one hour after connection to mobile phones. Following the statistical analysis of the data collected, we present the characteristics of WS devices’ broadcast packets in

Table 3. Characteristics of WS devices’ broadcast packets.

WS Device	MAC Address	Frequency (Per s)	Connection Status in One Hour
Mi 5 band	fixed	1.75	disconnect
Huawei 4 band	fixed	2.07	connect
Garmin band	fixed	18.97	disconnect
ADZ band	fixed	3.80	connect
Mi watch color	fixed	10.25	connect
Garmin watch	fixed	24.85	connect
Konsung oximeter	fixed	45.70	connect
Viatom oximeter	fixed	3.42	connect

. As evidenced by this table, eight WS devices did not randomize their MAC addresses and exhibited varied frequencies of broadcast packet transmission, with the table reporting the corresponding averages. Our findings also reveal that the Mi 5 band and Garmin band will disconnect after connection to mobile phones for some time, while all WS devices disconnect from the mobile phone when their background software is cleaned up. As a result, our experiments demonstrate that in many instances, sniffing the broadcast packets of WS devices is feasible.

4.2.3. Linking Results

We define the formula of linking accuracy to evaluate our linking results:

$$Accuracy={\displaystyle \frac{N_a}{N_{pairs}}}$$

(2)

In this formula, $N_a$ represents the number of correct linking device pairs, and $N_{pairs}$ means the number of all linking device pairs.

Passive-Sniffing-Based Indoor Linking

Linking in the indoor hall: In this scenario, we performed two sets of experiments to test the linking effect of different WS devices and the linking effect of different moving trajectories. In the first set of experiments, we asked two users to carry a mobile phone and different WS devices and walk a distance of about 9 m; the moving trajectories are shown in Figure 13(1A). Users walked once as a set of data, and we collected 10 sets of data for each experiment, where $N_{pairs}=10$. The linking results are shown in

Table 4. Linking performance of 8 WS devices.

WS Device	Accuracy	WS Device	Accuracy
Mi 5 band	90%	Huawei 4 band	100%
ADZ band	80%	Viatom oximeter	90%
Garmin band	80%	Mi watch color	80%
Konsung oximeter	90%	Garmin watch	50%

. From this table, we can see that most WS devices can achieve a high linking accuracy, except for the Garmin watch. In particular, the Huawei 4 band achieves 100% linking accuracy. In addition, we compared two WS devices according to their similar broadcast packets sending frequency; that is, the WS devices in each row of the table are compared as a group to avoid large broadcast packets sending frequency differences.

In the second set of experiments, we employed Mi 5 band and Huawei 4 band to test the linking accuracy of two users moving in different trajectories. The moving trajectories are shown in Figure 13(1A–1C). In 1D, we added one user carrying the Mi 5 band to test the linking accuracy of three users. For each moving trajectory, we tested it 10 times, and $N_{pairs}$ equals 20, 20, 20, and 30. The linking results are shown in

Table 5. Linking performance of different moving trajectories.

Moving Type	1A	1B	1C	1D
Accuracy	90%	60%	60%	66.7%

. If we randomly guess the results, the accuracies are 50%, 50%, 50%, and 33%. From the results, we can see that moving trajectory 1A achieved the best linking performance because this moving trajectory made the signal strength change rate larger, which made it easier to link.

Linking in the indoor corridor: In this indoor scenario, due to the constraint of the corridor width, the users’ moving trajectory was limited, and thus, we focused on their movement in the same and opposite directions. Given the similarity between the same direction experiment in the corridor and that in the outdoor hall (Experiment 1A), we did not repeat the former. In the experiments in the same direction, the sniffing node was positioned on one side of the corridor, and the users carried two types of devices and moved in the same or opposite directions. Specifically, for the experiment in the same direction, each user wore a Huawei 4 band, and we carried out six sets of tests in which users moved 10 times. The two users moved in the same direction at a distance of 0, 1, 2, 3, 4, and 5 m, respectively. The linking results are shown in

Table 6. Results of users moving in the same direction.

Distance	0	1	2	3	4	5
Accuracy	70%	65%	75%	65%	85%	95%

, from which we can observe that the accuracy is greater than 85% when the users’ distance is longer than 3 m.

Passive-Sniffing-Based Outdoor Linking

Linking in outdoor playground: In the outdoor setting, we evaluated the efficacy of our approach in the presence of multiple users moving simultaneously. Our experimental design, depicted in Figure 14, included four moving models, where the red point represents the location of the sniffing node and the arrows represent the trajectories of the users. The 2D triangle represents a static user. In each moving model, users walked 10 m, and we collected 20 sets of data. We present the resulting linking accuracies in

Table 7. Results of users moving in an outdoor scenario.

Moving Model	2A	2B	2C	2D
Accuracy	75%	68.75%	61%	63.75%

. Notably, if we randomly guess the results, the accuracies are 33.3%, 25%, 20%, and 25%. As shown in the table, the accuracy is higher with fewer users. Furthermore, mobile users create more interference than stationary users, as evidenced by the comparison of models 2C and 2D. It is worth mentioning that one user can be observed multiple times, and we consolidated the user’s multiple sets of data. Our results indicate that as the number of observations increases, the user’s linking accuracy rate also increases. When the user appears more than twice, the linking accuracy rate exceeds 80%. After 12 observations, the accuracy rate approaches 100%.

Active-Interference-Based Indoor Linking

In this set of experiments, there were two parts: one was to test the effect of user detection and location estimation, and the other was to test the effect of devices linking after interference.

User detection and location estimation: This process was mainly divided into two steps: the first step is to detect the user when he was within the interference range, i.e., $d_s=9$, in which case we turned on the jammer; the second step was to turn off the jammer after the target user was more than 3 m away from other users, i.e., $d_u\ge 3$. We first tested the user detection and location estimation in the first step. After 10 experiments, when the user was near the interference range, the user detection could be realized, and the location estimation error range was within 1 m, which meets the following experimental requirements. In the second step, when the user was in area B in Figure 10, the distance between the user and the camera was about 2 to 5 m. We asked the two users to be within 2 to 5 m apart and estimate the distance. A total of 30 sets of data were collected. After statistical analysis, we found that the resulting error range of user distance was within 0.3 m, which also meets the experimental requirements. Therefore, user detection and location estimation meet the requirements of subsequent jamming experiments.

Device linking after interference: For the linking based on active signal interference, we invited three users in the experiments to move from a distance to the interference area according to the interference process. When the linking target user moved to Area B in Figure 10, the other two users acted as disruptors who stood in Area A and Area C, respectively, and then, we stopped the interference for signal sniffing. Among them, the target user carried four types of equipment, and the other two users carried Huawei Band 4. Each type of equipment was tested 10 times, and the linking success rates are shown in

Table 8. Results of active-interference-based indoor linking.

WS Device	Huawei 4 Band	Mi Watch Color	Konsung Oximeter	Viatom Oximeter
Success rate	70%	70%	90%	80%

. It can be deduced that 77.5% of the experiments could be successfully linked. From the perspective of the equipment type, compared with bracelets and watches, the linking effect of the two types of oximeters is better. We believe that there are two reasons for this. On the one hand, the jammer has a higher success rate of jamming them, and on the other hand, the signal strength of the broadcast messages sent by these two types of devices is relatively stable. It should be noted that in this experiment, we used the minimum number of sniffing nodes to verify the effectiveness of our approach. In actual scenarios, multiple sniffing nodes can be arranged to increase the linking coverage area.

Comparison with related work: The present study is related to the problem of linking WS devices and mobile phones, which distinguishes it from previous studies that mainly focused on locating devices using BLE and WiFi signals, such as the studies by Zou et al. [19] and Cao et al. [20]. While the signals analyzed in these studies are similar, the purpose of analysis differs from that of our work. On the other hand, Nguyen et al. proposed a user device linking method using WiFi signals and video data called IdentityLink [4]. Although this study has a similar purpose to ours, the signals analyzed are different. In terms of linking accuracy, our approach outperforms IdentityLink with an accuracy of 68.75% compared to 60% for IdentityLink in the scenario where four users move simultaneously.

5. Discussion and Future Work

In this article, our approaches still have some limits, we propose some optimization tips for linking in actual deployment. In addition, in interference scenario, we propose a new interfere idea, which can be tried in future work.

Limitations of the experiments: In our experiments, we invited several participants to move in different trajectories, which is not real enough. As in a real environment, users’ movement trajectories will have a lot of irregular changes, so we cannot give all the examples. Therefore, we refer to reference [4] to give some typical movement trajectories to evaluate our approaches.

Tips in actual deployment: In our experiments, we chose an outdoor playground, an indoor hall, and an indoor corridor as linking scenarios. Comparing these three scenarios, the indoor corridor makes it easier to link devices because of its long and narrow shape, which limits the users’ movement. In actual deployment, we can also choose similar places, which can promote linking accuracy. In addition, we can deploy several sniffing nodes, which can expand the coverage area of sniffing, and keep sniffing for a long time, which can capture more sets of data to promote linking accuracy. In an active linking scenario, we choose a low-power jammer W2 for experiments, whose interference range is limited. If we want to employ the method in an actual deployment, we can choose a higher power commercial jammer.

Precision interference method: In our previous interference method, the interference frequency band of the jammer W2 was 2400–2485 MHz and 5725–5850 MHz, which covered the frequency band of BLE and the 2.4 G frequency band of WiFi. We employed W2 to interfere BLE signals and the connection was interrupted, so as to let the WS device have to send out broadcast packets. Because there are 37 data channels and the BLE communication with frequency hopping occurs in an unpredictable order, ordinary equipment makes it hard to track the sequence and parse the signals. However, we find that when the WS devices build the connection with the mobile phone, they will detect the channel state of the current environment. If they find that some channels are poor in quality, they will mark them and avoid transmitting signals on these channels. Therefore, if we can precision-interfere most channels by using a USRP (Universal Software Radio Peripheral) [21], it can reduce the number of channels. Furthermore, we can sniff the left channels to capture the signals. We can try this method in the future work.

6. Related Work

Device linking has emerged from the field of device identification. To identify mobile phones and IoT devices, many signals have been analyzed to extract device features. Jiang et al. [22] utilized speech recordings based on a support vector machine to identify mobile phones, and the accuracy rate can reach about 98%. Recently, Gu et al. [23,24] employed temperature-dependent characteristics of radio frequency fingerprints to identify mobile phones. Miettinen et al. [25] used random forests to identify 17 IoT devices by extracting TCP packet types and packet fields, achieving an accuracy of 97%. Aksoy et al. [26] proposed an automated IoT identification system SysID, which can identify IoT devices with 95% accuracy from a single packet. Becker et al. [27] used the BLE broadcast packet payload to extract tokens as identifiers, which remain constant over time, allowing for device tracking. Gagnon et al. [28] employed the distribution of received signal strength indication to identify BLE device with a 97% accuracy rate.

Based on identifying a single type of device, some researchers have focused on linking devices of different types. For example, papers [29,30] have analyzed the continuity protocol used for seamless switching between Apple devices, which can leak users’ privacy information, allowing the linking of one user’s different Apple devices. Ruiz et al. [31] have proposed an IoT device identification pairing system that uses a 2D camera to capture users’ action videos and a 3D inertial sensor to capture users’ action data and match these two types of data to pair devices without authentication. At present, some studies [32,33] have focused on how to combine BLE and WiFi to work together for IoT devices. Some other studies have fused BLE and WiFi signals to locate users’ devices but have not linked the devices. Kriz et al. [34] used BLE to assist WiFi localization earlier and improved the localization accuracy by 23% in the case of 17 BLE beacons. Cao et al. [20] proposed an adaptive Bluetooth/Wi-Fi fingerprint positioning method based on Gaussian process regression and relative distance, which can choose trusted positioning results for fusion. Azaddel et al. [35] proposed a novel asynchronous and independent WiFi and BLE fusion method based on a particle filter (SPOTTER), which includes a new architecture and fusion algorithm. This system can promote the accuracy by 35%. These location technologies can not link two types of devices, but they can provide us with two types of signal fusion analysis ideas. In a nutshell, our work focuses on linking WS devices and mobile phones, a task that differs from previous studies, which have focused on device location by analyzing two types of signals.

7. Conclusions

This paper proposes two approaches for linking wearable smart devices and mobile phones by sniffing Bluetooth Low-Energy broadcast packets. The first approach is a passive-sniffing-based linking method, where Bluetooth Low-Energy signals of wearable smart devices and WiFi signals of mobile phones are captured, and the signal change trend is analyzed to link the devices. The active-interference-based linking method proposed in this study involves estimating the user’s location and interfering with the Bluetooth Low-Energy communication to initiate reconnection and subsequently send out broadcast packets. Both approaches are evaluated in indoor and outdoor scenarios. In indoor corridors, the accuracy is greater than 85% when the users are more than 3 m apart. In outdoor playgrounds, the linking accuracy rate exceeds 80% when the user appears more than twice, and the accuracy rate approaches 100% after 12 observations. Moreover, the proposed methods can link four wearable smart devices with more than 70% accuracy. Just as one coin has two sides, our approaches also have limitations. The approaches are sensitive to the number of users, due to the WiFi signals and BLE signals being easily affected by the shielding of the user’s body. When we meet too many persons together, the effectiveness of our approaches will be reduced. In addition, we simulated some movement scenarios in the experiments, but it was not real enough, as the actual movement of the user is often irregular and difficult to predict. We have to refer to the references to give some typical movement trajectories to evaluate our approaches. Last but not least, to prevent the disclosure of private information, we should try not to connect to free WiFi in public places.