CreedX
Apple is actively promoting the idea that the privacy of its users' data is now fully under control. But researchers at Hexway have found that the standard and widely used Bluetooth LE (BLE) mechanism lets anyone nearby learn quite a lot about your iPhone.
PS: Not responsible for any action you take, this is for educational purposes.
If Bluetooth is turned on, then anyone within range of the signal can find out:
- device status;
- charge information;
- device name;
- Wi-Fi status;
- buffer availability;
- iOS version;
- phone number.
This is most likely due to the new 'Find My' feature announced this year (see "Apple's 'Find My' Feature Uses Some Very Clever Cryptography", WIRED). Its purpose is to create an ecosystem of Apple devices that exchange information with each other via BLE so that stolen and lost devices can be tracked without GPS or cellular connectivity, even when they are turned off. Although it was stated that:
...it built the feature on a unique encryption system carefully designed to prevent exactly that sort of tracking—even by Apple itself
Translation: [Find my] uses a unique cryptosystem designed to prevent tracking by [other people], including Apple.
Examples of current attack vectors
AirDrop
This technology allows files to be exchanged between Apple devices without an Internet connection. On every share, the device broadcasts the SHA256 hash of your phone number. Thus, having built a database mapping hash to phone number, one can quite efficiently identify phones in crowded places ... and send personalized messages to their owners via iMessage (the owner's name can be obtained via TrueCaller or from the device name). The benefit for stores is more than obvious: sending spam to everyone passing by.
Getting Wi-Fi passwords
When connecting to a Wi-Fi network, the device sends a broadcast request, and a nearby Apple device can help it access this network if that device's user wants it to. If you obtain the 3 bytes of hashes of one employee and, when trying to connect to the corporate network, broadcast the received data, then perhaps another employee will be kind enough, having seen a familiar name in the request, to share the password with you.
How it works
BLE packet analysis
By modifying the scripts from the py-bluetooth-utils package, you can sniff BLE traffic. Apple uses ADV_IND messages to send device status.
Advertise package structure
Nearby messages
Examples of message types:
0x05 — Airdrop
0x07 — Airpods
0x10 — Nearby
0x0b — Watch Connection
0x0c — Handoff
0x0d — Wi-Fi Settings
0x0e — Hotspot
0x0f — Wi-Fi Join Network
You can also get statuses from Nearby packages:
0x0b — Home screen
0x1c — Home screen
0x1b — Home screen
0x11 — Home screen
0x03 — Off
0x18 — Off
0x09 — Off
0x13 — Off
0x0a — Off
0x1a — Off
0x01 — Off
0x07 — Lock screen
0x17 — Lock screen
0x0e — Calling
0x5b — Home screen
0x5a — Off
As a result, you can create a simple BLE packet analyzer:
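As an added example (not the post's own script, which was built on py-bluetooth-utils), the analyzer below decodes raw advertising data into its AD structures, pulls out the manufacturer-specific structure carrying Apple's company identifier (0x004C), and walks the Apple payload using the message-type and Nearby-status tables from this post. The type/length/value layout of the Apple payload, reading the Nearby status from the first value byte, and treating Wi-Fi Join Network (0x0F) alongside AirDrop as a carrier of contact-derived hashes are assumptions made for this example; the sample bytes are constructed, not captured.

```python
# Added example: minimal analyzer for BLE advertising data (ADV_IND payloads)
# carrying Apple manufacturer-specific messages. Not the post's own script;
# the sample advertisement below is constructed for illustration.
from typing import Dict, List, Optional, Tuple

AD_TYPE_MANUFACTURER = 0xFF   # Bluetooth SIG AD type "Manufacturer Specific Data"
APPLE_COMPANY_ID = 0x004C     # Bluetooth SIG company identifier assigned to Apple

# Message types as listed in the post
MESSAGE_TYPES = {
    0x05: "AirDrop", 0x07: "AirPods", 0x10: "Nearby", 0x0B: "Watch Connection",
    0x0C: "Handoff", 0x0D: "Wi-Fi Settings", 0x0E: "Hotspot", 0x0F: "Wi-Fi Join Network",
}

# Nearby status byte values as listed in the post
NEARBY_STATUS = {
    0x0B: "Home screen", 0x1C: "Home screen", 0x1B: "Home screen", 0x11: "Home screen",
    0x03: "Off", 0x18: "Off", 0x09: "Off", 0x13: "Off", 0x0A: "Off", 0x1A: "Off", 0x01: "Off",
    0x07: "Lock screen", 0x17: "Lock screen", 0x0E: "Calling",
    0x5B: "Home screen", 0x5A: "Off",
}

# Message types that carry contact-derived hashes: AirDrop (0x05) per the post;
# including Wi-Fi Join Network (0x0F) is this example's assumption.
IDENTITY_HASH_TYPES = {0x05, 0x0F}


def parse_ad_structures(adv: bytes) -> List[Tuple[int, bytes]]:
    """Split advertising data into (ad_type, payload) pairs.
    Each AD structure is [length][type][data...]; length covers type + data."""
    structures = []
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:                      # zero-length structure: trailing padding
            break
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure")
        structures.append((adv[i + 1], adv[i + 2:i + 1 + length]))
        i += 1 + length
    return structures


def apple_manufacturer_data(adv: bytes) -> Optional[bytes]:
    """Return the Apple payload (bytes after the little-endian company ID), if any."""
    for ad_type, payload in parse_ad_structures(adv):
        if ad_type == AD_TYPE_MANUFACTURER and len(payload) >= 2:
            if int.from_bytes(payload[:2], "little") == APPLE_COMPANY_ID:
                return payload[2:]
    return None


def parse_apple_messages(data: bytes) -> List[Dict[str, object]]:
    """Walk the Apple payload as a sequence of [type][length][value] records
    (assumed layout). Nearby status is read from the first value byte (assumption)."""
    messages = []
    i = 0
    while i + 2 <= len(data):
        mtype, mlen = data[i], data[i + 1]
        value = data[i + 2:i + 2 + mlen]
        if len(value) < mlen:
            raise ValueError("truncated Apple message")
        entry: Dict[str, object] = {
            "type": mtype,
            "name": MESSAGE_TYPES.get(mtype, "unknown"),
            "value": value.hex(),
            "identity_hash": mtype in IDENTITY_HASH_TYPES,  # worth flagging for a defender
        }
        if mtype == 0x10 and mlen >= 1:
            entry["status"] = NEARBY_STATUS.get(value[0], "unknown")
        messages.append(entry)
        i += 2 + mlen
    return messages


def analyze(adv: bytes) -> List[Dict[str, object]]:
    """Decode one advertisement; empty list when it carries no Apple data."""
    data = apple_manufacturer_data(adv)
    return [] if data is None else parse_apple_messages(data)


def is_well_formed(adv: bytes) -> bool:
    """True when the advertisement parses without any truncated structure."""
    try:
        analyze(adv)
        return True
    except ValueError:
        return False


# Constructed sample: a Flags structure, then Apple manufacturer data holding a
# Nearby message (status byte 0x0B) and an AirDrop message with dummy bytes.
SAMPLE_ADV = bytes.fromhex("020106" "0cff4c00" "10020b00" "0503010203")

if __name__ == "__main__":
    for msg in analyze(SAMPLE_ADV):
        print(msg)
```

Feeding the sample advertisement through `analyze` yields a Nearby record decoded as "Home screen" and an AirDrop record flagged as carrying an identity-derived hash; the `identity_hash` flag is the useful output for someone auditing what a device broadcasts, since those are the messages the rest of this post is about.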
Wi-Fi
When device A tries to connect to Wi-Fi, it sends a packet of the following structure, containing the first three bytes of the SHA256 hashes of the AppleID (bytes 5-7), phone number (bytes 8-11), and email (bytes 12-14):
Presumably, Apple devices hash all their contacts and compare them with the hashes received in the advertise packet. When device B receives a packet with matching contact hashes, it offers device A the network password.
If you generate a table of hashes of phone numbers for a specific region (about several million), then for the first 3 bytes of the hash you get collisions on the order of several tens of numbers per hash value. There are two ways to check which of those numbers is correct:
- Some of the numbers can be excluded by checking them through the HLR ( HLR Lookup - Front Page - Index ).
- Since the number must be tied to the AppleID, you can check it through iMessage.
AirDrop
Apple AirDrop has three privacy settings:
- Receiving Off.
- Contacts Only.
- Everyone
In this case, the BLE exchange is used only to initiate the transfer; the data itself is transferred over a peer-to-peer Wi-Fi connection (AWDL, Apple Wireless Direct Link).
During authentication, the sender transmits its "sender record data" credentials so the recipient can check them against its privacy settings. This message contains the sender's complete SHA256 hash. Thus, an attacker who responds to other people's AirDrop BLE requests receives the full hashes of their numbers.
How AirDrop works:
To summarize
Only some of the information leaks possible over BLE have been considered here. At the moment it is difficult to call this a vulnerability; rather, it is a poorly thought-out implementation of Apple's new ecosystem, which, in principle, they said themselves:
Apple warns that it's still a somewhat simplified version of the Find My protocol, and that the system is still subject to change before it's actually released in MacOS Catalina and iOS 13 later this year. © WIRED
Translation: Apple has warned that a simplified version of the Find My protocol is currently in use and should be improved in future releases towards the end of the year.
At the moment, there is no way to prevent these leaks other than turning off Bluetooth. This behavior is present in iOS versions 10.3.1 and higher (including the iOS 13 beta). Older devices (before the iPhone 6s) also use this functionality, but with a limited number of messages, possibly to conserve battery power.
Thanks for attention!