25 July, 2019

Apple bleee. Everyone knows What Happens on Your iPhone


Users value their privacy, and Apple understands that. We even see related PR activities.

“What happens on your iPhone, stays on your iPhone.” Let’s see if it’s true.

TL;DR

If Bluetooth is on, anyone nearby can learn the current status of your Apple device and obtain its battery level, device name, Wi-Fi status, buffer availability and OS version, and can even get your mobile phone number.

Introduction and motivation

Apple devices are appreciated for the ecosystem that connects them all. It really is very convenient to start using an app on one device and continue on another. Plus, you still have access to your files even when you’re offline. It seems to contradict the “What happens on your iPhone, stays on your iPhone” policy, doesn’t it?

So, let’s find out how Apple’s privacy actually works.

Wireless. Wireless everywhere.

If you want to share a photo with a friend of yours, how does your iPhone know that it’s actually their device nearby? How does your MacBook see you’ve run Safari on your phone? The answer is quite simple: Bluetooth and Wi-Fi. Apple devices constantly send out large data packets via Bluetooth LE. Even if you’re not currently using your iPhone, communication still takes place.

In this research, we’ve analyzed what kinds of data we can obtain by listening to Bluetooth LE frequencies.

Nearby

Let’s consider a simple attack scenario: what could an attacker find out if they were in the same subway car as you?
We know that your phone sends lots of data via BLE even when it is not in use: phone status, Wi-Fi status, buffer availability, OS version, and so on. The same goes for your MacBook, Apple Watch, and AirPods.

See how it happens.

AirDrop

AirDrop is a technology that allows Apple users to share files without Internet access. There’s no registration, and the service is anonymous and secure. Or is it? We already know that it’s possible to receive unsolicited content while riding the metro and that Generation Z uses AirDrop to cheat on exams.

Well, AirDrop seems to be less anonymous than we thought. It’s possible to identify you: every time you hit Share, your phone sends out a SHA256 hash of your phone number to all the devices around you.

Here’s what an attacker could do:

  1. Create a database of SHA256(phone_number):phone_number for their region; e.g., for Los Angeles it’s: (+1-213-xxx-xxxx, +1-310-xxx-xxxx, +1-323-xxx-xxxx, +1-424-xxx-xxxx, +1-562-xxx-xxxx, +1-626-xxx-xxxx, +1-747-xxx-xxxx, +1-818-xxx-xxxx)
  2. Run a special script on the laptop and take a subway train
  3. When somebody attempts to use AirDrop, get the sender’s phone number hash
  4. Recover the phone number from the hash
  5. Contact the user in iMessage; the name can be obtained using TrueCaller or from the device name, as it often contains a name (e.g., John’s iPhone).

Just watch the demo!

Wi-Fi password sharing

Another thing Apple users can do is share Wi-Fi passwords. You just have to choose a network from the list, and your device will start sending Bluetooth LE requests to other devices asking them for the password. How does your friend’s device know that the person requesting a password is you? The broadcast BLE requests contain your data, namely SHA256 hashes of your phone number, Apple ID, and email. Only the first 3 bytes of each hash are sent, but that’s enough to identify your phone number (in practice, the number is recovered with the help of HLR requests, which provide the phone number’s status and region).
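To make concrete why hashing a phone number does not anonymize it, for both the full SHA256 that AirDrop broadcasts and the 3-byte prefix used in Wi-Fi password sharing, here is an added Python example; it is not code from the Apple bleee repository, it assumes the hashed form is the E.164 digits as an ASCII string (the post does not state the exact encoding), and it uses a constructed block of 10,000 numbers as the "region".

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 3  # bytes of the hash that the Wi-Fi sharing request carries


def phone_hash(number: str) -> bytes:
    # ASSUMPTION: the device hashes the E.164 digits as ASCII; the post only
    # says that SHA256 of the phone number is sent.
    return hashlib.sha256(number.encode("ascii")).digest()


def build_prefix_table(numbers, prefix_len=PREFIX_LEN):
    """Map each truncated hash to every number in the space that produces it.

    The whole space of plausible numbers is small enough to enumerate, which is
    why an unkeyed hash of it is a lookup key rather than a secret.
    """
    table = defaultdict(list)
    for n in numbers:
        table[phone_hash(n)[:prefix_len]].append(n)
    return table


def candidates_for(table, observed_prefix):
    """Numbers consistent with an observed truncated hash (empty if none)."""
    return table.get(observed_prefix, [])


def expected_candidates(space_size, prefix_len=PREFIX_LEN):
    """Average number of phone numbers sharing one truncated-hash value.

    With a 3-byte prefix (2**24 values) and roughly 10**7 numbers per area
    code, this is below 1: the prefix alone pins down a single number most of
    the time, so truncation buys almost no anonymity.
    """
    return space_size / 256 ** prefix_len


# Constructed toy region: 10,000 numbers sharing the prefix +1 213 555.
REGION = [f"+1213555{i:04d}" for i in range(10_000)]
TABLE = build_prefix_table(REGION)


def demo(number="+12135551234"):
    """Simulate seeing only the 3-byte prefix and resolving it via the table."""
    observed = phone_hash(number)[:PREFIX_LEN]
    return candidates_for(TABLE, observed)
```

The same table keyed on the full 32-byte digest resolves the AirDrop case with no ambiguity at all, since SHA256 is deterministic and the input space is tiny.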

Is it possible to make the victim’s device try to connect to a Wi-Fi network and thus force it into sending BLE requests? That’s an open issue.

Watch the demo!

Bidirectional

As you know, an iPhone not only sends a lot of BLE requests but also receives them. This can be used by an attacker to disguise themselves as a certain device.

For example, as AirPods, or as a friend’s phone in order to obtain the password to the corporate Wi-Fi.

Protection

This behavior is more a feature of how the ecosystem works than a vulnerability.
We’ve observed this behavior in iOS versions starting from 10.3.1 (including the iOS 13 beta).
Unfortunately, the only thing you can do is turn off Bluetooth on your device.
We also noticed that older devices (everything before the iPhone 6s) do not send BLE messages continuously even with an updated OS version. They send only a limited number of messages (for example, when you navigate to the Wi-Fi settings menu); Apple probably does this to save battery power on older devices.

PoCs

You can find all scripts in our GitHub repository: Apple bleee

Links

Here are links to resources about the protocols used by Apple devices:
