Pierluigi Paganini
August 21, 2023
At the recent Def Con hacking conference, white hat hackers demonstrated how to spoof an Apple device and trick users into sharing their sensitive data.
As reported by Techcrunch, attendees at the conference using iPhones started observing pop-up messages prompting them to connect their Apple ID or share a password with a nearby Apple TV.
Friendly remember to be careful at #Defcon I keep getting these alerts pic.twitter.com/ygUiCCJQmb
— Jaime Blasco (@jaimeblascob) August 10, 2023
The security researcher who goes by Jae Bochs said on Mastodon that the messages were part of their research project.
“Also to offer some reassurance: this was built with two purposes – to remind people to *really shut off* Bluetooth (I.e. not from control center) and to have a laugh.” explained Bochs.
He added that no data was collected and that he was just sending out Bluetooth low energy (BLE) advertisement packets that don’t require pairing.
Bochs used cheap equipment composed of a Raspberry Pi Zero 2 W, two antennas, a Linux-compatible Bluetooth adapter, and a portable battery.
“Bochs estimated that this combination of hardware, excluding the battery, costs around $70 and has a range of 50 feet, or 15 meters.” reported TechCrunch.
“Proximity is determined by BLE signal strength, and it seems most devices intentionally use lowered transmit power for these to keep the range short. I don’t :),” Bochs told TechCrunch.
"each flaw leaks a small amount of information, but in aggregate they can be used to identify and track devices over long periods of time. That’s why, Bochs said, they think Apple won’t do anything about this"https://t.co/RQGmPwPBjZ
— Kim Zetter (@KimZetter) August 16, 2023
Bochs focused on “proximity actions,” which appear on an iPhone screen when two devices are close to each other.
He created a proof-of-concept to build a custom advertisement packet that mimics BLE signal emitted by devices such as the Apple TV. Basically, he spoofed an Apple device that tries to repeatedly connect to nearby devices and triggers the pop-ups.
In a real attack scenario, upon tapping and accepting the prompts it will allow threat actors to collect some data from the packets, including phone number, Apple ID email, and current Wi-Fi network.
Even if users tap on the Bluetooth icon, their iPhones will continue to receive proximity actions.
Bochs speculate that these flaws were “certainly by design” to allow smartwatches and headphones to keep working with Bluetooth toggled and Apple won’t address them.
The expert recommends turning Bluetooth off in the device settings to protect the device.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, iPhone)
