Security and privacy vulnerabilities

When your Apple device allows file stealing, reveals first name and blacks out

16.05.2019

International research team discovers security and privacy vulnerabilities in Apple’s iOS and macOS. The researchers strongly recommend users of Apple devices to install updates.

Picture: Daniela Fleckenstein

Jessica wants to check-in electronically to her flight to New York. But the screen of her iPhone stays black while the phone enters an endless reboot cycle. And she is not alone: all Apple users in proximity suffer the same fate. Worse, she does not even suspect that during her previous stay in the airport lounge an attacker was able to steal holiday photos and a company presentation she was transferring from her phone to her MacBook, track her position and associate her first name with a unique device ID.

These vulnerabilities were discovered by researchers of TU Darmstadt, Germany and Northeastern University, Boston, USA. The team has been actively working with Apple Product Security to mitigate the vulnerabilities: the just released iOS 12.3 and macOS 10.14.5 updates contain security fixes that the researchers strongly recommend users of Apple devices to install.

More than one billion devices from the Apple ecosystem were affected, since the problem stems from a core operating system feature present in both iOS and macOS: a proprietary and mostly undocumented wireless protocol called Apple Wireless Direct Link (AWDL). Several security and privacy vulnerabilities enabled an attacker to abuse AWDL to track mobile users, crash their devices, prevent communication, and intercept sensitive files transmitted via AirDrop.

The research team found out that it was possible to track users as AWDL leaks a unique device identifier and even announces the device name in the clear, which, in many cases, contains the users’ first name. Milan Stute, researcher at TU Darmstadt and the National Research Center for Applied Cybersecurity CRISP, explains the research process: “We started to investigate Apple’s wireless ecosystem in 2017 to understand AWDL and the surrounding services. In addition to the aforementioned privacy issues, we uncovered a number of security vulnerabilities”.

Released as open source software

The team found out how to intercept files transmitted via AirDrop, an Apple service that builds upon AWDL. They exploit a UI design issue in combination with a protocol downgrade attack to gain a privileged so-called “man-in-the-middle” position. A video demonstrating an attacker that modifies a file in transit is available on YouTube.

As part of their work, the researchers first reverse engineered and then implemented their own versions of AWDL and AirDrop, which they release as open source software. The research paper will be presented at the USENIX Security Symposium 2019, a renowned security conference.

Prof. Matthias Hollick, research group head at TU Darmstadt and the National Research Center for Applied Cybersecurity CRISP, summarizes:

“Apple is one of the few big tech companies that puts very strong emphasis on the privacy and security of its users and the simplicity of its products, and I would love to see other vendors following suit. It is a bit ironic that Apple used a proprietary and overly complex protocol to realize those simple and elegant application features. Again, complexity came at the expense of security. To change this, we as a community should strive to go for simplicity as well as openness also ‘under the hood’ of complex IT ecosystems.”

Prof. Matthias Hollick. Picture: Katrin Binner
Prof. Matthias Hollick. Picture: Katrin Binner

Affiliated Scientific Publication:

Milan Stute, Sashank Narain, Alex Mariotto, Alexander Heinrich, David Kreitschmann, Guevara Noubir, and Matthias Hollick. “A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link” in USENIX Security '19.

The Technische Universität Darmstadt and the National Research Center for Applied Cybersecurity CRISP make the City of Science Darmstadt one of the most important locations for cybersecurity research worldwide. More than 450 scientists are carrying out research and development in CRISP on important cybersecurity issues and questions to the direct benefit of society, business and government.

CRISP is an institution of the Fraunhofer-Gesellschaft for its two Darmstadt-based institutes SIT and IGD, in cooperation with Technische Universität Darmstadt and Darmstadt University of Applied Sciences. CRISP is funded by the Federal Ministry for Education and Research and the Hessian Ministry for Science and Art.