When your Apple device allows file stealing, reveals your first name and blacks out
An international research team with the participation of TU Darmstadt discovers security and privacy vulnerabilities in Apple’s iOS and macOS. Apple has now released updates.
Jessica wants to check in electronically for her flight to New York. But the screen of her iPhone stays black while the phone enters an endless reboot cycle. And she is not alone: all Apple users in proximity suffer the same fate. Worse, she does not even suspect that during her previous stay in the airport lounge an attacker was able to steal holiday photos and a company presentation she was transferring from her phone to her MacBook, track her position and associate her first name with a unique device ID.
These vulnerabilities were discovered by researchers of TU Darmstadt, Germany, and Northeastern University, Boston, USA. The team has been actively working with Apple Product Security to mitigate the vulnerabilities: the just released iOS 12.3 and macOS 10.14.5 updates contain security fixes that the researchers strongly recommend users of Apple devices install.
More than one billion devices from the Apple ecosystem were affected, since the problem stems from a core operating system feature present in both iOS and macOS: a proprietary and mostly undocumented wireless protocol called Apple Wireless Direct Link (AWDL). Several security and privacy vulnerabilities enabled an attacker to abuse AWDL to track mobile users, crash their devices, prevent communication, and intercept sensitive files transmitted via AirDrop.
The research team found out that it was possible to track users as AWDL leaks a unique device identifier and even announces the device name in the clear, which, in many cases, contains the user’s first name. Milan Stute, researcher at TU Darmstadt and the National Research Center for Applied Cybersecurity CRISP, explains the research process: “We started to investigate Apple’s wireless ecosystem in 2017 to understand AWDL and the surrounding services. In addition to the aforementioned privacy issues, we uncovered a number of security vulnerabilities”. The team found out how to intercept files transmitted via AirDrop, an Apple service that builds upon AWDL. They exploit a UI design issue in combination with a protocol downgrade attack to gain a privileged so-called “man-in-the-middle” position. A video demonstrating an attacker that modifies a file in transit is available on YouTube (https://youtu.be/5T7Qatoh0Vo).
As part of their work, the researchers first reverse engineered and then implemented their own versions of AWDL and AirDrop, which they release as open source software (https://owlink.org). The research paper will be presented at the USENIX Security Symposium 2019, a renowned security conference.
Prof. Matthias Hollick, research group head at TU Darmstadt and the National Research Center for Applied Cybersecurity CRISP, summarizes: “Apple is one of the few big tech companies that puts very strong emphasis on the privacy and security of its users and the simplicity of its products, and I would love to see other vendors following suit. It is a bit ironic that Apple used a proprietary and overly complex protocol to realize those simple and elegant application features. Again, complexity came at the expense of security. To change this, we as a community should strive to go for simplicity as well as openness also ‘under the hood’ of complex IT ecosystems.”
Affiliated Scientific Publication:
Milan Stute, Sashank Narain, Alex Mariotto, Alexander Heinrich, David Kreitschmann, Guevara Noubir, and Matthias Hollick. “A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link” in USENIX Security ’19.
The Technische Universität Darmstadt and the National Research Center for Applied Cybersecurity CRISP make the City of Science Darmstadt one of the most important locations for cybersecurity research worldwide. More than 450 scientists are carrying out research and development in CRISP on important cybersecurity issues and questions to the direct benefit of society, business and government.
CRISP is an institution of the Fraunhofer-Gesellschaft for its two Darmstadt-based institutes SIT and IGD, in cooperation with Technische Universität Darmstadt and Darmstadt University of Applied Sciences. CRISP is funded by the Federal Ministry for Education and Research and the Hessian Ministry for Science and Art.
The Technische Universität (TU) Darmstadt is one of Germany’s leading technical universities. TU Darmstadt incorporates diverse science cultures to create its characteristic profile. The focus is set on engineering and natural sciences, which cooperate closely with outstanding humanities and social sciences. We are enjoying a worldwide reputation for excellent research in our highly-relevant, focused profile areas: cybersecurity, internet and digitalisation, nuclear physics, fluid dynamics and heat- and mass transfer, energy systems and new materials for product innovation. We dynamically develop our portfolio of research and teaching, innovation and transfer, in order to continue opening up important opportunities for the future of society. Our 312 professors, 4,450 scientific and administrative employees and close to 26,000 students devote their talents and best efforts to this goal. Together with Goethe University Frankfurt and Johannes Gutenberg University Mainz, TU Darmstadt has formed the strategic Rhine-Main Universities alliance.
MI-Nr. 33/2019, akbr
Contact for scientific information:
Milan Stute, firstname.lastname@example.org