When your Apple device allows file stealing, reveals your first name and blacks out

2019/05/16 by

International research team discovers security and privacy vulnerabilities in Apple’s iOS and macOS

Photo: Daniela Fleckenstein

Jessica wants to check in electronically for her flight to New York. But the screen of her iPhone stays black while the phone enters an endless reboot cycle. And she is not alone: every Apple user nearby suffers the same fate. Worse, she does not even suspect that during her earlier stay in the airport lounge an attacker was able to steal holiday photos and a company presentation she was transferring from her phone to her MacBook, track her position, and associate her first name with a unique device identifier.

These vulnerabilities were discovered by researchers at TU Darmstadt, Germany, and Northeastern University, Boston, USA. The team has been working with Apple Product Security to mitigate them: the just-released iOS 12.3 and macOS 10.14.5 updates contain security fixes that the researchers strongly recommend all users of Apple devices install.

More than one billion devices in the Apple ecosystem were affected, since the problem stems from a core operating system feature present in both iOS and macOS: a proprietary and mostly undocumented wireless protocol called Apple Wireless Direct Link (AWDL). Several security and privacy vulnerabilities enabled an attacker to abuse AWDL to track mobile users, crash their devices, prevent communication, and intercept sensitive files transmitted via AirDrop.

The research team found that users can be tracked because AWDL leaks a unique device identifier and even announces the device name in the clear, which in many cases contains the user's first name. Milan Stute, researcher at TU Darmstadt and the National Research Center for Applied Cybersecurity CRISP, explains the research process: “We started to investigate Apple’s wireless ecosystem in 2017 to understand AWDL and the surrounding services. In addition to the aforementioned privacy issues, we uncovered a number of security vulnerabilities.” The team also found out how to intercept files transmitted via AirDrop, an Apple service that builds upon AWDL. They exploit a UI design issue in combination with a protocol downgrade attack to gain a privileged so-called “man-in-the-middle” position. A video demonstrating an attacker modifying a file in transit is available on YouTube.
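To make the tracking problem concrete, here is an added Python example that is not part of the article and not code from the research team or from Apple. It assumes a passive observer with sniffers at several locations who logs, for every announcement seen, a timestamp, the sniffer location, a stable identifier and the announced device name; the sighting log, the field layout and the "Jessica's iPhone" naming pattern are constructed for the example and are not the AWDL frame format. It goes a step beyond the article in also simulating a per-epoch rotating identifier (an assumed generic mitigation, not Apple's actual fix) to show that a device name carrying a first name re-links the rotated identifiers on its own.

```python
"""Added example: linking sightings into movement tracks from a stable
identifier plus a device name sent in the clear. Not the research team's or
Apple's code; the log, field layout and name pattern below are constructed."""
import hashlib
import re
from collections import defaultdict

# Constructed sightings: (seconds since start, sniffer location, stable identifier, device name).
SIGHTINGS = [
    (900, "lounge", "02:11:22:33:44:55", "Jessica's iPhone"),
    (905, "lounge", "02:aa:bb:cc:dd:ee", "MacBook-Pro"),
    (1800, "gate-b12", "02:11:22:33:44:55", "Jessica's iPhone"),
    (1830, "gate-b12", "02:99:88:77:66:55", "Tom's iPad"),
    (2700, "baggage", "02:11:22:33:44:55", "Jessica's iPhone"),
]

# Assumed naming pattern: "<First>'s iPhone" (straight or curly apostrophe).
NAME_RE = re.compile(r"^(?P<first>[A-Z][a-z]+)['\u2019]s\s")


def first_name(device_name):
    """Return the first name embedded in a name like "Jessica's iPhone", else None."""
    m = NAME_RE.match(device_name)
    return m.group("first") if m else None


def build_tracks(sightings):
    """Group sightings by identifier: one (time, location) track per identifier,
    plus the first name recovered from the device name when there is one."""
    paths = defaultdict(list)
    names = {}
    for t, where, ident, name in sightings:
        paths[ident].append((t, where))
        fn = first_name(name)
        if fn:
            names[ident] = fn
    return {ident: {"name": names.get(ident), "path": sorted(p)}
            for ident, p in paths.items()}


def rotate_identifiers(sightings, epoch_seconds):
    """Simulated mitigation (an assumption, not Apple's fix): replace the stable
    identifier with an opaque per-epoch pseudonym, so sightings from different
    epochs can no longer be joined on the identifier alone."""
    out = []
    for t, where, ident, name in sightings:
        epoch = t // epoch_seconds
        pseudonym = hashlib.sha256(f"{ident}|{epoch}".encode()).hexdigest()[:12]
        out.append((t, where, pseudonym, name))
    return out


def link_by_name(tracks):
    """Re-link pseudonymous tracks through the announced device name: a name
    that contains a first name is itself a quasi-identifier."""
    by_name = defaultdict(list)
    for info in tracks.values():
        if info["name"]:
            by_name[info["name"]].extend(info["path"])
    return {name: sorted(path) for name, path in by_name.items()}


if __name__ == "__main__":
    stable = build_tracks(SIGHTINGS)
    for ident, info in stable.items():
        print(ident, info["name"], info["path"])
    rotated = build_tracks(rotate_identifiers(SIGHTINGS, epoch_seconds=600))
    print("pseudonymous tracks:", {k: len(v["path"]) for k, v in rotated.items()})
    print("re-linked by name:", link_by_name(rotated))
```

With the stable identifier, Jessica's phone is followed from lounge to gate to baggage claim and labelled with her first name. With a 600-second rotation every pseudonym covers a single sighting, but `link_by_name` still reassembles her full path from the name alone, which is why both the identifier and the cleartext name matter.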

As part of their work, the researchers first reverse engineered and then implemented their own versions of AWDL and AirDrop, which they release as open-source software. The research paper will be presented at the USENIX Security Symposium 2019, a renowned security conference.

Prof. Matthias Hollick, research group head at TU Darmstadt and the National Research Center for Applied Cybersecurity CRISP, summarizes: “Apple is one of the few big tech companies that puts very strong emphasis on the privacy and security of its users and the simplicity of its products, and I would love to see other vendors following suit. It is a bit ironic that Apple used a proprietary and overly complex protocol to realize those simple and elegant application features. Again, complexity came at the expense of security. To change this, we as a community should strive to go for simplicity as well as openness also ‘under the hood’ of complex IT ecosystems.”

Affiliated Scientific Publication:

Milan Stute, Sashank Narain, Alex Mariotto, Alexander Heinrich, David Kreitschmann, Guevara Noubir, and Matthias Hollick. “A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link” in USENIX Security '19.