Publications

Feel free to browse our academic publications and technical reports.

• Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute, Christian Weinert. PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop. 30th USENIX Security Symposium (USENIX Security ’21), August 11–13, 2021, Virtual Event. Website Preprint
• Milan Stute, Alexander Heinrich, Jannik Lorenz, and Matthias Hollick. Disrupting Continuity of Apple’s Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL, and Wi-Fi. 30th USENIX Security Symposium (USENIX Security ’21), August 11–13, 2021, Virtual Event. Website Preprint
• Alexander Heinrich, Milan Stute, Tim Kornhuber, Matthias Hollick. Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System. Proceedings on Privacy Enhancing Technologies (PoPETs), July 12–16, 2021, Virtual Event. doi:10.2478/popets-2021-0045 Paper Preprint
• Alexander Heinrich, Milan Stute, and Matthias Hollick. DEMO: OpenHaystack: A Framework for Tracking Personal Bluetooth Devices via Apple’s Massive Find My Network. 14th ACM Conference on Security and Privacy in Wireless and Mobile (WiSec ’21), June 28–July 2, 2021, Virtual Event. Best Demo Award. doi:10.1145/3448300.3468251 PDF Teaser
• Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute, Christian Weinert. DEMO: AirCollect: Efficiently Recovering Hashed Phone Numbers Leaked via Apple AirDrop. 14th ACM Conference on Security and Privacy in Wireless and Mobile (WiSec ’21), June 28–July 2, 2021, Virtual Event. doi:10.1145/3448300.3468252 PDF Teaser
• Alexander Heinrich, Milan Stute, and Matthias Hollick. DEMO: BTLEmap: Nmap for Bluetooth Low Energy. 13th ACM Conference on Security and Privacy in Wireless and Mobile (WiSec ’20), July 8–10, 2020, Virtual Event. Best Demo Award. doi:10.1145/3395351.3401796 Website PDF Talk
• Milan Stute. Availability by Design: Practical Denial-of-Service-Resilient Distributed Wireless Networks. Dissertation, Technical University of Darmstadt, February 14, 2020. doi:10.25534/tuprints-00011457 PDF
• Milan Stute, Sashank Narain, Alex Mariotto, Alexander Heinrich, David Kreitschmann, Guevara Noubir, and Matthias Hollick. A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link. 28th USENIX Security Symposium (USENIX Security ’19), August 14–16, 2019, Santa Clara, CA, USA. Website PDF Talk
• Milan Stute, David Kreitschmann, and Matthias Hollick. Reverse Engineering and Evaluating the Apple Wireless Direct Link Protocol. GetMobile: Mobile Computing and Communications, 23(1), March 2019. ACM. doi:10.1145/3351422.3351432
• Milan Stute, David Kreitschmann, and Matthias Hollick. One Billion Apples’ Secret Sauce: Recipe for the Apple Wireless Direct Link Ad hoc Protocol. The 24th Annual International Conference on Mobile Computing and Networking (MobiCom ’18), October 29–November 2, 2018, New Delhi, India. ACM. Best Community Paper Award. doi:10.1145/3241539.3241566 PDF Teaser Talk
• Milan Stute, David Kreitschmann, and Matthias Hollick. Demo: Linux Goes Apple Picking: Cross-Platform Ad hoc Communication with Apple Wireless Direct Link. The 24th Annual International Conference on Mobile Computing and Networking (MobiCom ’18), October 29–November 2, 2018, New Delhi, India. ACM. Best Demo Award. doi:10.1145/3241539.3267716 PDF
• David Kreitschmann. User Manual for the Apple CoreCapture Framework. arXiv:1808.07353, 2018. PDF

So far, our work resulted in the disclosure of the following security vulnerabilities (CVE entries):

• CVE-2017-13886 fixed in macOS 10.13.2. Impact: An unprivileged user may change WiFi system parameters leading to denial of service.
• CVE-2018-4368 fixed in iOS 12.1, macOS 10.14.1, tvOS 12.1, and watchOS 5.1. Impact: An attacker in a privileged position may be able to perform a denial of service attack.
• NO-CVE-2019-1 fixed in iOS 12.2, macOS 10.14.4, tvOS 12.2, and watchOS 5.2. (No CVE, but mentioned in additional acknowledgments.) Impact: An attacker may wirelessly activate AWDL interfaces in proximity by sending BLE advertisements.
• CVE-2019-8567 fixed in iOS 12.2 and macOS 10.14.4. Impact: A device may be passively tracked by its WiFi MAC address.
• CVE-2019-8612 fixed in iOS 12.3, macOS 10.14.5, tvOS 12.3, and watchOS 5.2.1. Impact: An attacker in a privileged network position can modify driver state.
• CVE-2019-8620 fixed in iOS 12.3, macOS 10.14.5, tvOS 12.3, and watchOS 5.2.1. Impact: A device may be passively tracked by its WiFi MAC address.
• NO-CVE-2019-2 fixed in iOS 13.1 and iPadOS 13.1. (No CVE, but mentioned in additional acknowledgments.) Impact: An AirDrop user may be tricked into sending files to an attacker.
• CVE-2019-8799 fixed in iOS 13.1 and iPadOS 13.1, macOS 10.15, tvOS 13, and watchOS 6. Impact: An attacker in physical proximity may be able to passively observe device names in AWDL communications.
• CVE-2019-8787 fixed in iOS 13.2 and iPadOS 13.2, macOS 10.15.1, tvOS 13.2, and watchOS 6.1. Impact: A remote attacker may be able to leak memory.
• CVE-2020-9986 fixed in macOS 10.15.7. Impact: A malicious application may be able to read sensitive location information.

If our project helps you to produce a publication which includes a bibliography, we appreciate it if you cite this project and the relevant papers. Find all references in our bibtex file. Here is the reference for the project only:

@electronic{owl:project,
	author = {Stute, Milan and Kreitschmann, David and Hollick, Matthias},
	title = {The Open Wireless Link Project},
	url = {https://owlink.org},
	year = {2018},
}