This $70 device can spoof an Apple device and trick you into sharing your password
Attendees at Def Con, one of the world’s largest hacking conferences, are used to weird shenanigans, such as a seemingly innocuous wall of computer screens that display people’s passwords sniffed over the conference Wi-Fi network. But at this year’s event, even conference veterans were confused and concerned when their iPhones started showing pop-up messages prompting them to connect their Apple ID or share a password with a nearby Apple TV.
As it turned out, these alerts were part of a research project that had two goals.
One was to remind people that to switch off Bluetooth on an iPhone, you have to dig into the Settings app and not just tap it off on the quick-access Control Center, which is displayed by swiping down from the top right corner of the iPhone.
The other was “to have a laugh,” according to Jae Bochs, the security researcher who said they walked around the conference triggering these pop-ups with a custom-made device.
“I had it in my bag throughout linecon [an informal term that refers to the time spent in line at a conference], vendor areas, and when I was walking around. I tried to remember to disconnect it if I was hanging out for a talk,” Bochs said.
Bochs told TechCrunch that all they needed for this experiment was a contraption consisting of a Raspberry Pi Zero 2 W, two antennas, a Linux-compatible Bluetooth adapter, and a portable battery.
Bochs estimated that this combination of hardware, excluding the battery, costs around $70 and has a range of 50 feet, or 15 meters.
They explained that Apple’s protocols for Bluetooth low energy, or BLE, allow the company devices to communicate with each other. Bochs said that they focused on “proximity actions,” which appear on an iPhone screen when Apple devices are close to each other.
“Proximity is determined by BLE signal strength, and it seems most devices intentionally use lowered transmit power for these to keep the range short. I don’t :),” Bochs said.
Bochs also said they created a proof-of-concept that “builds a custom advertisement packet that mimics what Apple TV etc. are constantly emitting at low power,” effectively spoofing an Apple device that tries to repeatedly connect to nearby devices and triggers the pop-ups.
Unlike real Apple devices, his contraption wasn’t programmed to collect any data from nearby iPhones, even if the person tapped and accepted the prompts. But, in theory, they could have collected some data, according to Bochs.
“If a user were to interact with the prompts, and if the other end was set up to respond convincingly, I think you could get the ‘victim’ to transfer a password,” Bochs said. “There’s an issue known for a few years where you can retrieve phone number, Apple ID email, and current Wi-Fi network from the packets.”
The researcher said these issues are already known, at least since a 2019 academic paper that studied Apple’s Bluetooth low energy protocol and concluded that there are “several flaws” that “leak device and behavioral data to nearby listeners.”
“Individually, each flaw leaks a small amount of information, but in aggregate they can be used to identify and track devices over long periods of time,” the researchers wrote in the paper.
That’s why, Bochs said, they think Apple won’t do anything about this.
“Most or all of this is certainly by design, so that watches and headphones keep working with Bluetooth toggled,” they said.
Perhaps, they added, Apple could add a warning message when using the Control Panel toggles that alerts the user that tapping on its Bluetooth icon doesn’t completely shut off Bluetooth and their iPhone can still interact with proximity-activated beacons, such as Bochs’ contraption.
By turning Bluetooth off in the settings, an iPhone user would be safe from devices like theirs, Bochs explained.
Apple did not respond to a request for comment.
Apple will never do that because if enough people disable Bluetooth on their iOS devices, it'll reduce the effectiveness of Apple's Find My network.
I have little doubt that apple still uses things like wi-fi and bluetooth even if they are completely turned off. I complained when they made the change to the control panel. If I want bluetooth or wifi off, no button I push should turn it off partially or for "24 hours."
Well yeah, they’re pretty open about that.
It’s still running in low power mode when you turn the phone itself off so that I can still ping the Find My network. And it says this when you go to turn the phone off.
"They're pretty open about that" doesn't quite cut it, when I've seen examples in this lemmy post alone of people discovering the fact. We need removable batteries.
A removable battery wouldn’t do anything about it. They would just include a little unremovable CMOS battery that would be used to power the Bluetooth while the device is off or the main battery is removed.
The entire point of it is so that you can use Find My when the phone is off. If it’s lost, or stolen and they turn the phone off, it can still be found in Find My.
It’s not just that. When connected to an Apple Watch or Apple Pencil (for iPad) the quick toggle maintains these connections along with maintaining handoff and continuity functions between personal devices among other things. In these cases, I think having the quick toggle not fully disable Bluetooth makes more sense to prevent new connections while keeping the existing Watch and Pencil Bluetooth connections active to preserve functionality. Of course, I get that not everyone’s use case is the same, but I rarely need to fully disable the wireless radios. Particularly with Wi-Fi, I use the quick toggle to temporarily disconnect Wi-Fi if I’m on a bad connection away from home. When I return home or to my car (for wireless CarPlay), my phone will reconnect to the respective networks without me needing to remember to re-enable.
Yeah if you go to DEFCON keep your phone off lmao
Half the fun is seeing how people try to fuck with you, and fucking with them back. Burner phone, though, never a real connection that you care about.
And once again, the weakest link in the security chain are humans…
Which humans are you blaming exactly?
I don't think it's fair to blame the users. They toggle bluetooth off and think it's off. How are they supposed to know "Bluetooth Off" means "Only some amount of Bluetooth is off"?
And I don't think designing a convincing phishing device is that much of a leap in logic. Bluetooth is off, so maybe the notification is legit from apple and needs authority for a connection?
If you blame the designers who left a backdoor in the bluetooth, then yea that's fair.
When bluetooth is on, the icon is blue. When connecting is off, the icon is white. When bluetooth is fully off, the icon is grey. The same goes for wifi. It even gives you a
.
That's not new.
Thanks, I never used an Apple Product, so I didn't have the contextual infromation!
To me it sounded like a binary state (on/off), as I know it from most phones I've seen.
I still think it's unfair to blame the user. Apple design is not as consistent or as intuitive as touted. Their UI still has lots of hidden features, inconsistent behavior and strange decisions.
Just had to use my wife's iphone and felt like a moron trying to navigate it.
I don't know the gestures, the last iOS device I supported still had that center home button.
It wasn’t always like this. It started somewhere around the iPhone X I think. It used to actually turn off wifi/bt in the menu.
Before the iOS overhaul, you went Settings>Bluetooth>Toggle to turn off BT. That still works like it did before. But what most people do now is just swipe from the top-right and tap the shortcut.
Yea the control center used to turn them off. Apple changed it to “disconnect until tomorrow” in iOS 11. So iOS 7-10 it functioned fine.
I don’t know if it turns itself black on (blue) when something is trying to connect.
I was indeed blaming the end users. Yes, the bluetooth off thing on apple devices is super annoying and I don’t know why they still force it…
Form my understanding, this falls into the same category as phishing SMS or mails. You as a user need to know if this is legit or not.
The target audience for this are not people here on lemmy… it’s our parents, grandparents and more in generally people who are not tach savvy… and/or just don’t care.
This is why we need to make people aware of this and teach them how to respond, basically not to click on everything you see. I’m still doing this in my family and I’m very proud of my 80 year old grandma, that dodged a few very convincing scams. :)
And haha, I never thought of backdoors, but yes, they are also produced by humans.
A promiscuous bluetooth connector is not a user problem other than their response to it. Why is it happening in the first place?
I'd like to test this.