A cheap Bluetooth transmitter can spoof some iPhone notifications

Posted:
in General Discussion

At Def Con 2023, some attendees were shown in real-time how a relatively cheap device leveraging Bluetooth flaws can force bogus notifications and potentially get the user to surrender sensitive data.

This cheap device can spoof an Apple TV
This cheap device can spoof an Apple TV



Walking around a conference dedicated to hacking devices and software typically means seeing all sorts of real world attacks, albeit in a specialized setting. And as some attendees discovered this year, it can also mean personal data is potentially up for grabs at any given moment.

Take, for example, a research project put together by Jae Bochs shows just how easy it is to take advantage of Apple's own utilization of Bluetooth Low Energy, or BLE, to try and nab a user's information. Bochs's project had a couple of purposes, the first being to remind folks that simply using Control Center to disable Bluetooth doesn't actually get the job done.

The second was to simply have a laugh as Bochs walked around the conference, stood in lines, and visited vendors. They did try to remember to turn their device off if they stopped to have a chat with someone, though, according to TechCrunch.

The device is a combination of several elements, like a Raspberry Pi Zero 2 W, a Linux-compatible Bluetooth adapter, a couple of antennas, and an external battery. All told, Bochs says it costs around $70, which means a relatively inexpensive device can quickly cause some specific havoc on Apple devices within 50 feet.





It comes down to communication between devices, which at this point Apple relies heavily on for its ecosystem. By tapping BLE, devices like iPhones can talk to one another when they get within a set range, which can then prompt "proximity actions."

The device causes these actions, so as Bochs walked around the conference he was able to send a prompt to nearby iPhones asking them to auto-fill their password into a nearby Apple TV. Despite the fact there wasn't an Apple TV near them.

Luckily, Bochs's device wasn't built to attain any personal information, even if someone did tap on the prompt and insert their password for some reason. However, he does say there is a possibility where that could happen.

"If a user were to interact with the prompts, and if the other end was set up to respond convincingly, I think you could get the victim' to transfer a password. There's an issue known for a few years where you can retrieve phone number, Apple ID email, and current Wi-Fi network from the packets."



Apple is aware of the issue, and has been since 2019. However, Bochs does not expect the company to do anything about it because so little information can be shared through this process, and it's an integral feature to the Apple ecosystem as a whole.

Bochs does suggest Apple could offer a better prompt for users, letting them know what's happening when they tap the Bluetooth icon in Control Center.

How to protect yourself from this kind of attack



This is all about situational awareness. Bluetooth isn't known for being particularly great for security purposes, but in this particular situation it comes down to knowing your environment.

As Bochs notes, this particular moment is for the laughs, because it's an Apple TV prompting for a password at a hacker convention. It's obviously not any one person's personal Apple TV, so if you see this or similar while out, obviously don't input your password.

However, out in the real world a similar prompt could pop up, which means the individual needs to be aware what personal devices are being carried, like an AirTag or pair of AirPods Pro. If a random device starts prompting you for a password, the safe bet is to ignore it entirely, especially if you don't recognize it.

As a reminder, the only way to fully disable Bluetooth or Wi-Fi is to do so in the Settings app.

Read on AppleInsider

Comments

  • Reply 1 of 7
    mayflymayfly Posts: 385member
    Your best defense against a shark attack: Stay outta the damn water!
    Your best defense against hacking: same!
    baconstangAlex1Nwatto_cobra
  • Reply 2 of 7
    auxioauxio Posts: 2,727member
    mayfly said:
    Your best defense against a shark attack: Stay outta the damn water!
    Your best defense against hacking: same!
    Short of turning off all the antennas on your phone (rendering it useless), it's not an option to stay out of the water. Your phone is always connected to the internet and prone to attacks. This particular one requires close proximity due to use of Bluetooth, but not all do.

    Best defence is to keep your phone updated and not give out personal information unless you're sure about who's asking for it (common sense).
    ihatescreennamesXedFileMakerFellermuthuk_vanalingamlam92103mayflyAlex1Nwatto_cobra
  • Reply 3 of 7
    baconstangbaconstang Posts: 1,105member
    Since I don't use ear buds, it's easy for me to keep BT off unless I need it, which isn't very often.
    Alex1Nwatto_cobra
  • Reply 4 of 7

    Walking around a conference dedicated to hacking devices and software typically means seeing all sorts of real world attacks, albeit in a specialized setting. And as some attendees discovered this year, it can also mean personal data is potentially up for grabs at any given moment.

    Given the nature of surveillance capitalism, you don't have to be attending a hacker conference for your personal data to be obtained without your knowledge by a nefarious adversary - it's already happened.
    Alex1Nwatto_cobra
  • Reply 5 of 7
    I wonder how many iPhone-toting attendees at such a conference were also wearing an Apple Watch? Disabling Bluetooth "breaks" a number of features, if the watch isn't connected to wifi.
    Alex1Nwatto_cobra
  • Reply 6 of 7
    mayflymayfly Posts: 385member
    auxio said:
    mayfly said:
    Your best defense against a shark attack: Stay outta the damn water!
    Your best defense against hacking: same!
    Short of turning off all the antennas on your phone (rendering it useless), it's not an option to stay out of the water. Your phone is always connected to the internet and prone to attacks. This particular one requires close proximity due to use of Bluetooth, but not all do.

    Best defence is to keep your phone updated and not give out personal information unless you're sure about who's asking for it (common sense).
    Those are good too!
    Alex1N
  • Reply 7 of 7
    Technically TCP/IP is easy to put a man-in-the-middle too, but that is why we build stuff on top of it to make it secure. This is just more difficult for devices because it is harder to protect the client certificates on them. If you can extract the client certificates from an Apple TV then you can pretend to be an Apple TV. This doesn't work for the web because you would need to break in to a data center to pretend to be a web server.

    Apple might have a plan to help mitigate these issues with the U1 chip, but it would need to be integrated everywhere. This can help ensure the device is actually really close before accepting a bluetooth connection on a new device. Devices that have already been joined for the first time can use techniques similar to the web to protect their connections. Alternatively NFC could be used for initial connections.
    edited August 2023 Alex1Nwatto_cobra
Sign In or Register to comment.