58 comments

[ 2.7 ms ] story [ 105 ms ] thread
(comment deleted)
Awesome and neat hack, though not really a big surprise. I wonder why apple does not sign the requests with an internal hardware key or something though, given that an Apple TV should have a secure enclave of some kind?
An advertising beacon is too small to contain a message and a signature.
I dont think there is much of a message in there, its just a iBeacon packet type.

Just using the default iBeacon structure - you could have a hash tucked into the major/minor bytes (4 bytes tot) which would correspond to a value blasted out by Avahi on the network the AppleTV is connected to. You could also just blast out a list of valid iBeacon UUID'a out in the same way.

Requiring your phone be on wifi and be on the same network at the AppleTV would allow for that.

You could even, for example have a ATV device trying to connect require an AppleID and a network connection which could cause a valid iBeacon UUID be seeded to the mobile devices attached to that account.

That all said, There does appear to be a handshake before data is sent, because at that point is no longer a BLE iBeacon being used to send the data, you would need to connect to the device - which would involve either pairing or a handshake. So this appears to just be a nuisance attack, rather than a actual attack.

If you go to defcon and still naive enough to share your password with a random popup, maybe you shouldn’t be there in the first place.
There’s nothing here that requires it to be done at DEF CON or to people who in theory are smart enough to understand how to not be hacked.
DEF CON isn't what it once was, it's something like 30,000 people that are not all hackers necessarily. I agree people should be smart enough but some people are there for their first time and are interested in learning about security.
Doing it at Defcon is a show. The point isn't really to actually collect passwords there, it's to demonstrate what's possible in the rest of the world, where people absolutely will.
So you get asked to share a password, and if you choose to do so, you share a password! What will they think of next!
That's a pretty obtuse way to describe phishing, one of the industry's simplest and most devastatingly effective hacking methods to this day.
So you get emailed a usually pretty obvious fake website, you are asked to login, and if you login you leak your password! Surely nobody would fall for this!
Yes! Tune in next week, when we blame the website for this!
Glad I’m not going crazy and when this was happening at DEF CON it really was someone doing research as I suspected
When I'm at Def Con I'm setting my phone on Airplane mode... of course on an iPhone that is actually useless with the default settings

https://support.apple.com/en-us/HT204234

>Turning on Airplane Mode, turns off all radios except for Bluetooth. If you turn off Bluetooth while you're in Airplane Mode, your device will remember that and will turn off Bluetooth the next time that you turn on AirPlane Mode.

2020, https://news.ycombinator.com/item?id=37113807

> If Bluetooth is ON on your Apple device everyone nearby can understand current status of your device, get info about battery, device name, Wi-Fi status, buffer availability, OS version and even get your mobile phone number.

2019, https://www.idownloadblog.com/2019/11/12/airplay-tvs-tutoria... & https://old.reddit.com/r/ios/comments/nlsf0z/how_to_prevent_...

> AirPlay can automatically play video on nearby TVs, but that’s not always the behavior you might want. Learn how to stop your iPhone, iPad or iPod touch from automatically playing video on any frequently used AirPlay TVs in your household.

That's the really disturbing part of all this. As a user you can take reasonable steps to ensure that you're not vulnerable - switch your bluetooth off but your device straight up lies to you saying it's off while it's leaking data and making you vulnerable.
Apple also makes it deliberately annoying to pseudo-disable Bluetooth.
The problem with the bluetooth switch (or "bluetooth headphone switch" in most peoples' mind) is that if it switched off BT completely people would be surprised when their watch stopped talking to their phone, or they couldn't airdrop to their neighbor etc.

Perhaps I should have written "problem" with quotes. The control center does what most people think they want. It used to be that when you enabled airplane mode on your watch it set it for your phone too, but you had to get out out of airplane mode on each device. Makes sense to me, but apparently not to everyone, so I was amazed when disabling airplane mode on your watch did the same on the phone. At least it highlights the absurdity of airplane mode.

Apart from my own belief that "no means no" when it refers to radios in my devices, I'm also disappointed in the other data that are shared. The phone number, for example, AFAICT is used for joining secured wifi: if you join a network, everybody around you who's connected to that network is asked if they would like to share the password with you (you don't even see it). A handy feature, but not one implemented in a privacy-protecting way (shame on you, Apple!)

> It used to be that when you enabled airplane mode on your watch it set it for your phone too, but you had to get out out of airplane mode on each device. Makes sense to me, but apparently not to everyone, so I was amazed when disabling airplane mode on your watch did the same on the phone.

This might be surprising, but it makes sense to me. If your device is in "airplane mode" it should not transmit, but can still receive. So, a BLE message from your watch telling your phone to exit airplane mode can be received and acted on. Same with disabling enabling it on your watch until it knows it has set it for your phone/other devices.

I would expect disabling bluetooth (ignoring cc toggle lies) to work the way you describe though.

> I was amazed when disabling airplane mode on your watch did the same on the phone. At least it highlights the absurdity of airplane mode.

Yeah, Apple perhaps more than anyone else will look at "Airplane mode" not as "turn off all radios" but rather "put device into a state compliant with various aviation regulations".

It’s been around for years and it’s a lot of data to leak.

Also UI interface of these features is super confusing.

The worst is when I try to share something over AirPlay and there is a bunch devices named like iPhone (3) and iPad (2) and as I figure out which one I want to share with it discovers another device and as I click the icons shift and I no longer know whom I shared a file with.

(comment deleted)
My understanding is the spoof prompts you to enter your device passcode, but the passocde isn’t actually transmitted to the spoofer?
The passcode is not, but its prompting you to share a password with your “Apple TV” so that password will be shared.
That seems a little goofy. Why don't they just rendezvous in the cloud such that the authentication on the iPhone is imputed upon the Apple TV, without the Apple TV ever possessing the password? This is how all other streaming things I own work.
To rendezvous with the cloud, it needs a network connection first. This pop-up is meant to transmit the network password your iPhone uses so the factory reset Apple TV can establish its own network connection.
What is the little circular attachment on the iPhone?
jeez where are you getting a pi zero 2 for under $70
$15 at MicroCenter. They get new stock pretty regularly too. The og zero is $5.
I was confused about the $70 dollars in the headline because I remember doing the same thing with a ~$5 BLE dongle 6 years ago. Turns out they included the cost of the RPi that the dongle is connected to.
Funny that the article doesn’t call out that the disconnect Bluetooth button in control center is a dark pattern designed to get you to leave Bluetooth on.

I had to create a shortcut to turn off Bluetooth so I don’t have to go through the Settings app.

Apple also re-enables Bluetooth on every iOS update.

Does Apple have an interest in Bluetooth always being on? Is this meant to ensure that Airtags work well (even if the phone's owner does not use one)?
I also don’t like the fact how the toggles work but yes apple has an interest in bluetooth/wifi beeing always on - the apple watch for example. Not so tech savvy people would disable bluetooth/wifi not realizing that this also disconnects the watch. There are probably way more features in the apple ecosystem relying on bluetooth/wifi
Mostly for the Apple Watch.
And AirPods, AirDrop, Apple TV Remote, carkit etc. I think we’re well past the point of Bluetooth being optional.
They do, they collect metadata of Bluetooth devices and other wireless SSIDs to report back to [redacted]
This but also don’t forget AirTag , find my network, and watch is still connected even when the button is greyed out.
The watch works even if the phone is in another state, as long as both have WiFi. I have no idea about AirTag.
The Watch has a number of integrations which depend on Bluetooth - it uses less power and most people do not live with continuous perfect Wi-Fi coverage.
This is a conspiracy theory. In the absence of evidence, it’s just a distraction from the topic of this thread.
Unfortunately the evidence exists. It's from [Location Services & Privacy - Apple](https://www.apple.com/legal/privacy/data/en/location-service...):

> Location Services uses GPS and Bluetooth (where those are available) along with crowd-sourced Wi-Fi hotspot and cell tower locations to determine your device’s approximate location.

> If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations.

> The crowd-sourced location data gathered by Apple does not personally identify you.

That’s not what the original poster was alluding to.
Fully disabling BT is a niche feature imo, for me the button does exactly what i want: disconnect bt devices. I still like airdrop to work etc.

So, I think this is exactly how it should be. If you for some reason want to fully disable BT, which is weird for avarage users, you need to put it some effort

I don't use an iPhone, so does the option say 'disconnect' or 'disable'. On Android the switch says Bluetooth On/Off. I would expect this setting to turn off completely Bluetooth if set to off. Not some oh, it's off but not really off if you get what I mean setting.
When you press the BT button in control center it shows a message saying "Disconnecting Bluetooth Devices Until Tomorrow"
iOS has both. The one in the control panel says it’s disconnecting Bluetooth devices until the next day. Airplane mode and the toggle in the settings app fully turn it off.
What’s the "dark pattern"?

Do you think more people would be surprised if hitting that button disconnected their Apple Watch, or left it connected?

And what is your reason for needing to turn Bluetooth all the way off?
It wastes battery when I have no BT devices. It is also a privacy and security threat.
It’s interesting, but the whole point of BLE was supposed to be interoperability.

The original concept was that there would a standard set of published profiles defining services and characteristics.

As a hardware manufacturer you could build a device that matched these profiles and then you would advertise your services to anyone nearby.

Software developers would code against these profiles services and characteristics and be able to use any matching hardware.

It’s kind of worked for some things. But mostly everyone wants to keep people in their own ecosystem - so you end up with either crappy hardware and or crappy software that you are locked into.

I do a lot of BLE reverse engineering and this pisses me off endlessly. The only place I find standard characteristics are some sensors and the occasional light switch. The VAST majority of devices are doing custom protocols over RX/TX characteristics, with the occasional "BLE Mesh" being thrown in, I'm guessing just to drain my will to live.
Good luck asking people to turn off BT. It’s a faf having to do that in an era of smartwatches and wireless headphones.