Open Wireless Link
Welcome to the Open Wireless Link (OWL) project. We are researchers from the Secure Mobile Networking Lab at TU Darmstadt looking into Apple’s wireless ecosystem. Our goal is to assess security and privacy as well as enable cross-platform compatibility for next-generation wireless applications. We started by investigating the Apple Wireless Direct Link (AWDL) protocol and will go beyond. You can read our publications and use our open source code projects. If you have questions or would like to collaborate, feel free to contact us.
Apple AirDrop allows users to send photos and other media over a direct Wi-Fi connection from one Apple device to another. As people typically want to share sensitive data exclusively with people they know, AirDrop only shows receiver devices from address book contacts by default. To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user’s phone number and email address with entries in the other user’s address book. We discovered two severe privacy leaks in this authentication mechanism. In particular, we showed that it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. Read the full version on the project website.
Almost two years ago, Apple announced its new crowd-sourced Bluetooth location tracking system for offline devices. Meanwhile, Apple released a partial specification of its system. However, many components remained undisclosed – until now.
As part of our USENIX Security ’21 paper Disrupting Continuity of Apple’s Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL, and Wi-Fi, we reverse engineered Apple’s Wi-Fi Password Sharing. Our open source Python implementation OpenWifiPass is now available at GitHub.
We reverse-engineered and analyzed more parts of Apple’s wireless ecosystem (Continuity). The resulting paper Disrupting Continuity of Apple’s Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL, and Wi-Fi just got accepted at USENIX Security ’21. We’ll post updates once the paper is published.
Ian Beer of Google Project Zero has a cool writeup of a zero-click exploit that uses a vulnerability in the AWDL action frame parsing code. Thanks for crediting our efforts!
Our demo on BTLEmap: Nmap for Bluetooth Low Energy just received the Best Demo Award at ACM WiSec ’20. In short, BTLEmap allows you to view and inspect nearby Bluetooth Low Energy devices. The tool features a proximity view, a fingerprinting module, and a dissector for vendor-specific advertisements. The code is available on GitHub. Read the paper or watch the talk for a short walk-through.
In this article, we are going to get AirDrop running on a Raspberry Pi 3 (not B+, unfortunately) running Raspbian Stretch. While AirDrop itself implements an HTTP-based protocol (see OpenDrop), it uses a dedicated Wi-Fi based link layer called Apple Wireless Direct Link (AWDL). In order to use AirDrop, we’ll enable AWDL capabilities on the Raspberry Pi using OWL, our open AWDL implementation. OWL is implemented as a user space program and requires a Wi-Fi card with working monitor mode and frame injection.
We conducted a security and privacy analysis on AWDL and AirDrop and are proud to announce that the resulting paper A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link was accepted at USENIX Security ’19. Read the paper and try out our AWDL and AirDrop implementations. See you in California in August!
The newest major Wireshark release (3.0.0) includes our dissector for Apple Wireless Direct Link (AWDL) based on our MobiCom’18 paper.
Today, we received the MobiCom ’18 Best Community Paper Award for our paper One Billion Apples’ Secret Sauce: Recipe for the Apple Wireless Direct Link Ad hoc Protocol. The award recognizes “intellectually exciting ideas, combined with a substantive contribution in computer code, experimental data, or other artifacts deemed useful to the research community at large.” In addition, we received the MobiCom ’18 Best Demo Award (one of two) for the accompanying demo Linux Goes Apple Picking: Cross-Platform Ad hoc Communication with Apple Wireless Direct Link. We thank the juries for the awards and hope that our work can be useful for others.
We have disclosed a vulnerability (CVE-2018-4368) to Apple that allowed us to crash iOS (and also macOS, tvOS, and watchOS) devices remotely via Wi-Fi. We demonstrate a working exploit which allows us to target a single device but also all devices in proximity in parallel. The exploit does not require any user interaction and, thus, might force a device into an indefinite boot loop. Apple has just released security updates for all of its operating systems, which we recommend everyone install.
Our demo paper Linux Goes Apple Picking: Cross-Platform Ad hoc Communication with Apple Wireless Direct Link was accepted at ACM MobiCom ’18. In the demo, we present a working prototype of AWDL for Linux-based systems. Read our paper here.
Our paper on reverse engineering and analyzing the Apple Wireless Direct Link (AWDL) ad hoc protocol One Billion Apples’ Secret Sauce: Recipe for the Apple Wireless Direct Link Ad hoc Protocol was accepted at ACM MobiCom ’18. Read our paper here. See you in New Delhi in October!