Bluetooth Fingerprint Identification Under Domain Shift Through Transient Phase Derivative

Albousayri, Hamdaoui, Wong et al.
Deep learning-based radio frequency fingerprinting (RFFP) has become an enabling physical-layer security technology, allowing device identification and authentication through received RF signals. This technology, however, faces significant challenges when it comes to adapting to domain variations, such as time, location, environment, receiver and channel. For Bluetooth Low Energy (BLE) devices, addressing these challenges is particularly crucial due to the BLE protocol's frequency-hopping nature. In this work, and for the first time, we investigated the frequency hopping effect on RFFP of BLE devices, and proposed a novel, low-cost, domain-adaptive feature extraction method. Our approach improves the classification accuracy by up to 58% across environments and up to 80% across receivers compared to existing benchmarks.

Basic Information

  • Paper ID: 2510.09940
  • Title: Bluetooth Fingerprint Identification Under Domain Shift Through Transient Phase Derivative
  • Authors: Haytham Albousayri, Bechir Hamdaoui, Weng-Keen Wong, Nora Basha (Oregon State University)
  • Classification: eess.SP (Electrical Engineering and Systems Science - Signal Processing), cs.CR (Computer Science - Cryptography and Security)
  • Publication Date: October 11, 2025 (arXiv preprint)
  • Paper Link: https://arxiv.org/abs/2510.09940

Abstract

Deep learning-based radio frequency fingerprinting (RFFP) has emerged as an important physical layer security technique enabling device identification and authentication through received RF signals. However, this technology faces significant challenges in adapting to domain shifts such as time, location, environment, receiver, and channel variations. For Bluetooth Low Energy (BLE) devices, addressing these challenges is particularly critical due to the frequency-hopping nature of the BLE protocol. This work presents the first investigation into the impact of frequency hopping on RFFP for BLE devices and proposes a novel, low-cost domain-adaptive feature extraction method. The method achieves up to 58% improvement in cross-environment classification accuracy and up to 80% improvement in cross-receiver classification accuracy compared to existing baselines.

Research Background and Motivation

1. Problem Definition

Radio frequency fingerprinting (RFFP) technology leverages unique signal characteristics produced by hardware imperfections to identify devices. However, existing methods experience dramatic performance degradation when facing domain shifts. Particularly for BLE devices, their frequency-hopping characteristics make device identification across different frequency channels an insufficiently studied challenge.

2. Problem Significance

  • Security Threats: BLE devices are exposed to pairing weaknesses, data transmission attacks, and connection protocol attacks
  • Domain Adaptation Challenges: Classification accuracy drops significantly when training and testing conditions do not match
  • Practical Requirements: Existing methods struggle to maintain stable performance in real-world large-scale deployments

3. Limitations of Existing Methods

  • Deep learning models using raw I/Q data exhibit poor generalization capability
  • Existing research primarily focuses on WiFi and LoRa with insufficient BLE investigation
  • Lack of systematic study on the impact of BLE frequency-hopping behavior
  • Small evaluation scale (typically fewer than 20 devices), inadequate for practical applications

4. Research Motivation

This work aims to address the robustness of BLE RFFP under domain shifts, with particular focus on the effects of frequency hopping, environmental changes, and receiver differences.

Core Contributions

  1. Novel Data Representation Method: Proposes Transient and Preamble Phase Derivative (TPD) representation, effectively addressing domain variability issues
  2. Comprehensive BLE Dataset: Collects BLE frame data from 31 IoT devices across different environments, receivers, and frequency channels
  3. Frequency Hopping Adaptability: First experimental evaluation of frequency hopping's impact on BLE RFFP, demonstrating robustness to frequency-hopping-induced domain shifts
  4. Environmental Adaptability: Maintains high classification accuracy under environmental changes, even when training indoors and testing outdoors or using different receivers

Methodology Details

Task Definition

Given RF signals transmitted by BLE devices, accurately identify the source device in the presence of domain shifts (frequency channels, environments, receivers).

BLE Hardware Imperfection Modeling

Ideal GFSK Modulation

BLE employs Gaussian Frequency Shift Keying (GFSK) modulation, with the ideal baseband angle-modulated signal:

$x(t) = x_I(t) + j\,x_Q(t) = \cos(\phi(t)) + j\sin(\phi(t))$

where $\phi(t) = 2\pi f_m \int_0^t g(t)\,dt$ is the instantaneous angle deviation function.

Actual Hardware Imperfections

Considering hardware imperfections, the received distorted baseband signal is:

$\tilde{y}(t) = [\tilde{y}_I(t) + j\,\tilde{y}_Q(t)]\, e^{j(2\pi f_{CFO} t + \theta_{PO})}$

containing the following major imperfections:

  • Carrier Frequency Offset (CFO): $f_{CFO}$
  • Phase Offset: $\theta_{PO}$
  • IQ Imbalance: $IQ_{Amp}$, $IQ_{Phase}$
  • DC Offset: $I_{DC}$, $Q_{DC}$
  • Peak Frequency Deviation Error: $\Delta f = \tilde{f}_m - f_m$
  • Bandwidth-Duration Product Deviation: $\tilde{B}T$ deviation

TPD Feature Extraction Method

Core Concept

The TPD method computes phase derivatives of the transient and preamble portions as device features:

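  1. Phase Estimation: $\sigma(t) = \mathrm{unwrap}(\angle \tilde{y}(t))$
  2. Phase Derivative: $\mathrm{TPD}(t) = d\sigma(t)/dt$

Theoretically, TPD can be approximated as:

$\mathrm{TPD}(t) \approx 2\pi f_{CFO} + \frac{d\theta_{PO}}{dt} + 2\pi \tilde{f}_m \tilde{g}(t)$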

Discrete-Time Domain Implementation

For discrete signals $y_n$:

  1. Extract the first $L$ samples (transient + preamble)
  2. Compute phase: $\sigma_n = \mathrm{unwrap}(\angle y_n)$
  3. Obtain TPD via differencing: $\mathrm{TPD}_n = \sigma_n - \sigma_{n-1}$
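
Added example (not code from the paper or its authors): the three discrete-time steps above, applied to a constructed preamble to show that a static phase offset leaves the TPD unchanged while a CFO appears as a constant vertical offset. Assumptions: 1 Msym/s symbol rate, ±250 kHz nominal deviation, unfiltered FSK in place of GFSK, L = 48, and all function names are hypothetical.

```python
import cmath
import math

FS = 6e6            # sampling rate given on the page (6 MS/s)
SYMBOL_RATE = 1e6   # assumption: BLE LE 1M PHY, 1 Msym/s
F_DEV = 250e3       # assumption: nominal peak frequency deviation

def synth_preamble(cfo_hz=0.0, phase_offset=0.0, n_bits=8, f_dev=F_DEV):
    """Constructed input: alternating-bit FSK preamble (Gaussian filter
    omitted for brevity) carrying a CFO and a static phase offset."""
    sps = int(FS / SYMBOL_RATE)
    phase, samples = phase_offset, []
    for bit in range(n_bits):
        freq = (f_dev if bit % 2 else -f_dev) + cfo_hz
        for _ in range(sps):
            samples.append(cmath.exp(1j * phase))
            phase += 2 * math.pi * freq / FS
    return samples

def unwrap(angles):
    """Remove 2*pi jumps so the phase is continuous (step 2)."""
    out = [angles[0]]
    for a in angles[1:]:
        step = (a - out[-1] + math.pi) % (2 * math.pi) - math.pi
        out.append(out[-1] + step)
    return out

def tpd(samples, L):
    """Steps 1-3: first L samples, unwrapped phase, first difference."""
    sigma = unwrap([cmath.phase(y) for y in samples[:L]])
    return [sigma[n] - sigma[n - 1] for n in range(1, len(sigma))]

def mean_offset(a, b):
    """Average vertical offset between two TPD vectors (rad/sample)."""
    return sum(x - y for x, y in zip(a, b)) / len(a)

L = 48  # constructed value: 8 preamble bits x 6 samples per bit
ref = tpd(synth_preamble(), L)
rotated = tpd(synth_preamble(phase_offset=1.3), L)
shifted = tpd(synth_preamble(cfo_hz=20e3), L)

if __name__ == "__main__":
    print("max change from phase offset:",
          max(abs(x - y) for x, y in zip(ref, rotated)))
    print("CFO recovered from TPD offset (Hz):",
          mean_offset(shifted, ref) * FS / (2 * math.pi))
```
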

Method Advantages

  • Channel-Independent: Derivative operation eliminates static phase offsets
  • Content-Independent: Avoids overfitting to PDU content
  • Computationally Efficient: Processes only fixed-length preamble portion
  • Fixed Dimensionality: Ensures consistent training data input dimensions

CNN Classifier Architecture

  • 5 Convolutional Blocks: Comprising 1D convolution, batch normalization, LeakyReLU activation, and max pooling
  • 2 Fully Connected Layers: With dropout for overfitting prevention
  • Optimizer: SGD with exponential decay learning rate
  • Training Parameters: 25 epochs, batch size 64

Experimental Setup

Dataset

  • Device Count: 31 Seeed Studio XIAO ESP32-C3 devices
  • Receivers: 2 Ettus USRP B210 units
  • Sampling Parameters: 6 MS/s sampling rate, 2 MHz bandwidth
  • Warm-up Period: 6 minutes stabilization + 2 minutes data collection per device
  • Frequency Channels: Ch1 (2.406 GHz), Ch2 (2.408 GHz), Ch14 (2.434 GHz), Ch32 (2.470 GHz)

Experimental Scenarios

  1. Environment Variation: Wired indoor vs. wireless outdoor (1 m to 3 m distance)
  2. Channel Variation: Frequency hopping across different BLE channels
  3. Receiver Variation: Differences between different USRP devices

Comparison Methods

  • Raw IQ: Using complete raw I/Q data
  • TP: Using only transient and preamble raw I/Q
  • Mbed: Feature combination including magnitude, phase, and power spectral density

Evaluation Metrics

Classification accuracy (correctly classified samples / total samples)

Experimental Results

Main Results

Cross-Channel Adaptability

  • TPD maintains 80-95% accuracy when training and testing across different channels
  • Raw IQ method accuracy drops below 10% (severe overfitting to PDU content)
  • TPD shows 20-58% improvement over TP and Mbed methods

Cross-Environment Adaptability

  • Indoor training → outdoor testing: TPD maintains 70-75% accuracy
  • 40-45% improvement over TP, approximately 50% over Mbed
  • Stable performance across different distances

Cross-Receiver Adaptability

  • TPD maintains 99% accuracy across different receivers
  • Mbed drops from 95% to 88%, TP from 98% to 81%
  • Demonstrates excellent receiver-independence

Ablation Studies

Hardware Imperfection Sensitivity Analysis

Simulation verification of TPD's capability to capture various hardware imperfections:

  • CFO: Produces vertical offset in TPD representation, enabling device discrimination
  • IQ Imbalance: Results in sharper pulse transitions, slope reversal at negative values
  • DC Offset: Introduces different distortion patterns
  • Peak Frequency Deviation: Larger errors produce greater TPD amplitude
  • BT Product: Affects preamble peak and transition speed

Scalability Analysis

As device count increases (6→31), accuracy monotonically decreases, but TPD shows minimal degradation compared to other methods.

Computational Efficiency Comparison

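Method | Preprocessing Time (s) | Training Time (s) | Inference Time (s)
-------|------------------------|-------------------|-------------------
Raw IQ | 0.000139               | 111.486           | 1.40
TP     | 0.000097               | 30.442            | 0.58
Mbed   | 0.000521               | 33.8              | 0.61
TPD    | 0.000963               | 29.643            | 0.56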

TPD demonstrates optimal performance in training and inference speed.

Current State of RFFP Research

  • Early Research: Primarily focused on feasibility verification for LoRa and WiFi technologies
  • Domain Adaptation Methods: Power spectral envelope, short-time Fourier transform, attention mechanisms
  • Insufficient BLE Research: Existing work limited to narrow use cases, lacking frequency-hopping impact studies

Innovations of This Work

  • First systematic investigation of frequency hopping's impact on BLE RFFP
  • Proposes simple yet effective domain-adaptive feature extraction method
  • Large-scale device evaluation (31 devices vs. commonly <20)

Conclusions and Discussion

Main Conclusions

  1. TPD method effectively addresses domain adaptation in BLE RFFP
  2. Frequency hopping, environmental changes, and receiver differences significantly impact traditional methods
  3. Simple phase derivative features outperform complex feature combinations
  4. Method exhibits good computational efficiency and scalability

Limitations

  1. Wireless Environment Bias: Some devices exhibit biased misclassification in wireless environments
  2. Channel Distance Effect: Accuracy decreases as test channel distance from training channel increases
  3. Large-Scale Device Challenges: Accuracy monotonically decreases with increasing device count
  4. Channel Equalization Requirements: Wireless environments may require additional equalization techniques

Future Directions

  1. Advanced Equalization Techniques: Compensate for channel-induced distortions
  2. Larger-Scale Evaluation: Verify method performance on hundreds of devices
  3. Real-Time Deployment: Application validation in real IoT environments
  4. Multimodal Fusion: Combine other physical layer features to enhance robustness

In-Depth Evaluation

Strengths

  1. Strong Problem Targeting: First systematic investigation of BLE frequency hopping impact, filling important research gap
  2. Simple and Effective Method: TPD method has clear principles, simple implementation, and significant effectiveness
  3. Comprehensive Experiments: Covers multiple domain shift scenarios with reasonable comparison methods
  4. In-Depth Theoretical Analysis: Explains TPD effectiveness from hardware imperfection perspective
  5. High Practical Value: Good computational efficiency suitable for real deployment

Weaknesses

  1. Single Device Type: Tests only one ESP32-C3 device type, generalization capability requires verification
  2. Insufficient Wireless Environment Analysis: Lacks deep analysis of biased misclassification in wireless environments
  3. Missing Adversarial Evaluation: Does not consider robustness under malicious attacks
  4. Unknown Long-Term Stability: Lacks analysis of long-term factors such as device aging and temperature variations

Impact

  1. Academic Contribution: Provides important technical breakthrough for BLE security and RFFP fields
  2. Practical Value: Offers low-cost, efficient solution for IoT device authentication
  3. Reproducibility: Authors commit to releasing dataset and code, promoting subsequent research

Applicable Scenarios

  • IoT Device Authentication: Smart homes, industrial IoT environments
  • Network Access Control: Enterprise wireless network security
  • Device Tracking Protection: Device identification in privacy-preserving scenarios
  • Edge Computing: Lightweight authentication in resource-constrained environments

References

The paper cites 21 relevant references covering important works in BLE security, RFFP technology, and deep learning, providing solid theoretical foundation for the research.


Overall Assessment: This is a high-quality research paper on RF fingerprinting for BLE devices with significant contributions in method innovation, experimental validation, and practical value. The proposed TPD method fills a research gap in BLE RFFP domain adaptation, providing valuable technical solutions for IoT security.