Awesome and neat hack, though not really a big surprise. I wonder why apple does not sign the requests with an internal hardware key or something though, given that an Apple TV should have a secure enclave of some kind?
I dont think there is much of a message in there, its just a iBeacon packet type.
Just using the default iBeacon structure - you could have a hash tucked into the major/minor bytes (4 bytes tot) which would correspond to a value blasted out by Avahi on the network the AppleTV is connected to. You could also just blast out a list of valid iBeacon UUID'a out in the same way.
Requiring your phone be on wifi and be on the same network at the AppleTV would allow for that.
You could even, for example have a ATV device trying to connect require an AppleID and a network connection which could cause a valid iBeacon UUID be seeded to the mobile devices attached to that account.
That all said, There does appear to be a handshake before data is sent, because at that point is no longer a BLE iBeacon being used to send the data, you would need to connect to the device - which would involve either pairing or a handshake. So this appears to just be a nuisance attack, rather than a actual attack.
DEF CON isn't what it once was, it's something like 30,000 people that are not all hackers necessarily. I agree people should be smart enough but some people are there for their first time and are interested in learning about security.
Doing it at Defcon is a show. The point isn't really to actually collect passwords there, it's to demonstrate what's possible in the rest of the world, where people absolutely will.
So you get emailed a usually pretty obvious fake website, you are asked to login, and if you login you leak your password! Surely nobody would fall for this!
>Turning on Airplane Mode, turns off all radios except for Bluetooth. If you turn off Bluetooth while you're in Airplane Mode, your device will remember that and will turn off Bluetooth the next time that you turn on AirPlane Mode.
> If Bluetooth is ON on your Apple device everyone nearby can understand current status of your device, get info about battery, device name, Wi-Fi status, buffer availability, OS version and even get your mobile phone number.
> AirPlay can automatically play video on nearby TVs, but that’s not always the behavior you might want. Learn how to stop your iPhone, iPad or iPod touch from automatically playing video on any frequently used AirPlay TVs in your household.
That's the really disturbing part of all this. As a user you can take reasonable steps to ensure that you're not vulnerable - switch your bluetooth off but your device straight up lies to you saying it's off while it's leaking data and making you vulnerable.
The problem with the bluetooth switch (or "bluetooth headphone switch" in most peoples' mind) is that if it switched off BT completely people would be surprised when their watch stopped talking to their phone, or they couldn't airdrop to their neighbor etc.
Perhaps I should have written "problem" with quotes. The control center does what most people think they want. It used to be that when you enabled airplane mode on your watch it set it for your phone too, but you had to get out out of airplane mode on each device. Makes sense to me, but apparently not to everyone, so I was amazed when disabling airplane mode on your watch did the same on the phone. At least it highlights the absurdity of airplane mode.
Apart from my own belief that "no means no" when it refers to radios in my devices, I'm also disappointed in the other data that are shared. The phone number, for example, AFAICT is used for joining secured wifi: if you join a network, everybody around you who's connected to that network is asked if they would like to share the password with you (you don't even see it). A handy feature, but not one implemented in a privacy-protecting way (shame on you, Apple!)
> It used to be that when you enabled airplane mode on your watch it set it for your phone too, but you had to get out out of airplane mode on each device. Makes sense to me, but apparently not to everyone, so I was amazed when disabling airplane mode on your watch did the same on the phone.
This might be surprising, but it makes sense to me. If your device is in "airplane mode" it should not transmit, but can still receive. So, a BLE message from your watch telling your phone to exit airplane mode can be received and acted on. Same with disabling enabling it on your watch until it knows it has set it for your phone/other devices.
I would expect disabling bluetooth (ignoring cc toggle lies) to work the way you describe though.
> I was amazed when disabling airplane mode on your watch did the same on the phone. At least it highlights the absurdity of airplane mode.
Yeah, Apple perhaps more than anyone else will look at "Airplane mode" not as "turn off all radios" but rather "put device into a state compliant with various aviation regulations".
It’s been around for years and it’s a lot of data to leak.
Also UI interface of these features is super confusing.
The worst is when I try to share something over AirPlay and there is a bunch devices named like iPhone (3) and iPad (2) and as I figure out which one I want to share with it discovers another device and as I click the icons shift and I no longer know whom I shared a file with.
That seems a little goofy. Why don't they just rendezvous in the cloud such that the authentication on the iPhone is imputed upon the Apple TV, without the Apple TV ever possessing the password? This is how all other streaming things I own work.
To rendezvous with the cloud, it needs a network connection first. This pop-up is meant to transmit the network password your iPhone uses so the factory reset Apple TV can establish its own network connection.
I was confused about the $70 dollars in the headline because I remember doing the same thing with a ~$5 BLE dongle 6 years ago. Turns out they included the cost of the RPi that the dongle is connected to.
Funny that the article doesn’t call out that the disconnect Bluetooth button in control center is a dark pattern designed to get you to leave Bluetooth on.
I had to create a shortcut to turn off Bluetooth so I don’t have to go through the Settings app.
Apple also re-enables Bluetooth on every iOS update.
I also don’t like the fact how the toggles work but yes apple has an interest in bluetooth/wifi beeing always on - the apple watch for example. Not so tech savvy people would disable bluetooth/wifi not realizing that this also disconnects the watch. There are probably way more features in the apple ecosystem relying on bluetooth/wifi
The Watch has a number of integrations which depend on Bluetooth - it uses less power and most people do not live with continuous perfect Wi-Fi coverage.
> Location Services uses GPS and Bluetooth (where those are available) along with crowd-sourced Wi-Fi hotspot and cell tower locations to determine your device’s approximate location.
> If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations.
> The crowd-sourced location data gathered by Apple does not personally identify you.
Fully disabling BT is a niche feature imo, for me the button does exactly what i want: disconnect bt devices. I still like airdrop to work etc.
So, I think this is exactly how it should be. If you for some reason want to fully disable BT, which is weird for avarage users, you need to put it some effort
I don't use an iPhone, so does the option say 'disconnect' or 'disable'. On Android the switch says Bluetooth On/Off. I would expect this setting to turn off completely Bluetooth if set to off. Not some oh, it's off but not really off if you get what I mean setting.
iOS has both. The one in the control panel says it’s disconnecting Bluetooth devices until the next day. Airplane mode and the toggle in the settings app fully turn it off.
It’s interesting, but the whole point of BLE was supposed to be interoperability.
The original concept was that there would a standard set of published profiles defining services and characteristics.
As a hardware manufacturer you could build a device that matched these profiles and then you would advertise your services to anyone nearby.
Software developers would code against these profiles services and characteristics and be able to use any matching hardware.
It’s kind of worked for some things. But mostly everyone wants to keep people in their own ecosystem - so you end up with either crappy hardware and or crappy software that you are locked into.
I do a lot of BLE reverse engineering and this pisses me off endlessly. The only place I find standard characteristics are some sensors and the occasional light switch. The VAST majority of devices are doing custom protocols over RX/TX characteristics, with the occasional "BLE Mesh" being thrown in, I'm guessing just to drain my will to live.
58 comments
[ 2.7 ms ] story [ 105 ms ] threadJust using the default iBeacon structure - you could have a hash tucked into the major/minor bytes (4 bytes tot) which would correspond to a value blasted out by Avahi on the network the AppleTV is connected to. You could also just blast out a list of valid iBeacon UUID'a out in the same way.
Requiring your phone be on wifi and be on the same network at the AppleTV would allow for that.
You could even, for example have a ATV device trying to connect require an AppleID and a network connection which could cause a valid iBeacon UUID be seeded to the mobile devices attached to that account.
That all said, There does appear to be a handshake before data is sent, because at that point is no longer a BLE iBeacon being used to send the data, you would need to connect to the device - which would involve either pairing or a handshake. So this appears to just be a nuisance attack, rather than a actual attack.
https://support.apple.com/en-us/HT204234
>Turning on Airplane Mode, turns off all radios except for Bluetooth. If you turn off Bluetooth while you're in Airplane Mode, your device will remember that and will turn off Bluetooth the next time that you turn on AirPlane Mode.
> If Bluetooth is ON on your Apple device everyone nearby can understand current status of your device, get info about battery, device name, Wi-Fi status, buffer availability, OS version and even get your mobile phone number.
2019, https://www.idownloadblog.com/2019/11/12/airplay-tvs-tutoria... & https://old.reddit.com/r/ios/comments/nlsf0z/how_to_prevent_...
> AirPlay can automatically play video on nearby TVs, but that’s not always the behavior you might want. Learn how to stop your iPhone, iPad or iPod touch from automatically playing video on any frequently used AirPlay TVs in your household.
Perhaps I should have written "problem" with quotes. The control center does what most people think they want. It used to be that when you enabled airplane mode on your watch it set it for your phone too, but you had to get out out of airplane mode on each device. Makes sense to me, but apparently not to everyone, so I was amazed when disabling airplane mode on your watch did the same on the phone. At least it highlights the absurdity of airplane mode.
Apart from my own belief that "no means no" when it refers to radios in my devices, I'm also disappointed in the other data that are shared. The phone number, for example, AFAICT is used for joining secured wifi: if you join a network, everybody around you who's connected to that network is asked if they would like to share the password with you (you don't even see it). A handy feature, but not one implemented in a privacy-protecting way (shame on you, Apple!)
This might be surprising, but it makes sense to me. If your device is in "airplane mode" it should not transmit, but can still receive. So, a BLE message from your watch telling your phone to exit airplane mode can be received and acted on. Same with disabling enabling it on your watch until it knows it has set it for your phone/other devices.
I would expect disabling bluetooth (ignoring cc toggle lies) to work the way you describe though.
Until the EU mandates a "Radio Kill Snitch" in computing devices, the faraday bag industry rejoices.
UK: https://faradaybag.com
US: https://refugeprivacy.com
Yeah, Apple perhaps more than anyone else will look at "Airplane mode" not as "turn off all radios" but rather "put device into a state compliant with various aviation regulations".
Also UI interface of these features is super confusing.
The worst is when I try to share something over AirPlay and there is a bunch devices named like iPhone (3) and iPad (2) and as I figure out which one I want to share with it discovers another device and as I click the icons shift and I no longer know whom I shared a file with.
https://www.ebay.com/itm/195922683631?
I had to create a shortcut to turn off Bluetooth so I don’t have to go through the Settings app.
Apple also re-enables Bluetooth on every iOS update.
> Location Services uses GPS and Bluetooth (where those are available) along with crowd-sourced Wi-Fi hotspot and cell tower locations to determine your device’s approximate location.
> If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations.
> The crowd-sourced location data gathered by Apple does not personally identify you.
So, I think this is exactly how it should be. If you for some reason want to fully disable BT, which is weird for avarage users, you need to put it some effort
Do you think more people would be surprised if hitting that button disconnected their Apple Watch, or left it connected?
The original concept was that there would a standard set of published profiles defining services and characteristics.
As a hardware manufacturer you could build a device that matched these profiles and then you would advertise your services to anyone nearby.
Software developers would code against these profiles services and characteristics and be able to use any matching hardware.
It’s kind of worked for some things. But mostly everyone wants to keep people in their own ecosystem - so you end up with either crappy hardware and or crappy software that you are locked into.