Apple devices are leaking sensitive data over BLE
Discontinued Privacy: Personal Data Leaks in Apple Bluetooth-Low-Energy Continuity Protocols
We found that Apple devices are leaking sensitive information in the BLE wireless signals they emit. Those issues are associated with the Apple Continuity services and are affecting all Apple devices as well as devices compatible with the Continuity framework. Based on a reverse engineering of Continuity, we identified that the Bluetooth Low Energy (BLE) messages emitted by Apple devices include unencrypted data that can expose sensitive information. We discovered that those data can be easily collected by an eavesdropper and processed in order to: track users, monitor activities in a smarthome, obtain phone number, email addresses and Apple Voice Assistant, Siri, commands, and more.
In BLE, devices broadcast short messages, called Advertising Packets, to announce their presence and feature to nearby devices (those messages can be observed from an Android device using an application like Ramble). Advertising Packets can include the name of the device, its type, but can also include custom data in a field called Manufacturer specific. This field is typically used by vendors to transmit data for application. Apple make use of this field to include data for its Continuity Protocols.
Apple Continuity Protocols
Apple has developed a number of features, called Continuity, that are designed to increase the usability of its products. Those features include: activity transfert, file transfer (airDrop), Wi-Fi password sharing, etc. The communication between nearby devices, required by Continuity services, is done by using BLE. Continuity data are embedded in BLE advertising packets and are broadcast to be picked up by nearby devices.
Data exposed in cleartext
We found that, even though some elements are encrypted, most of the data included in Continuity messages is sent in plain text. The exposed data can thus be passively collected by an eavesdropper and exploited to mount one of the attack presented below.
Tracking users (iPhones, iPad, airpods …)
We found that the content of Apple Continuity BLE messages can be used to track the device despite the use address randomization. We have identified several elements that remain constant over time or that can undermine the anti-tracking feature mechanism (i.e. address randomization). For instance, we found that messages emitted by earpods include information (battery levels and lid open counter) that can be exploited to track the earpod set. We also discovered a novel attack that would allow tracking by actively replaying BLE messages. An passive attacker could exploit this information to track the the location of individuals in spite of address randomization, the anti-tracking feature of BLE.
Linking device belonging to the same iCloud account
We discovered that it is possible to link together devices associated to the same iCloud account. This attack relies on the replay of messages that will trigger a response only from devices associated to the same iCloud account. An attacker could exploit this to identify all the device belonging to a person, and could narrow down its home if some device are left there.
Monitoring activities in a smart home (Homekit)
We found that messages emitted by Homekit-compatible devices can betray the activity in a smart-home. Homekit is a smart-home framework developed by Apple and found in devices of Apple and other vendors (…). Homekit devices using BLE continuously emit messages that include an indicator reflecting the device state. For instance, in the case of a lightbulb, this indicator changes only when it is either turned on or turned off. Similarly, in an infrared movement detector, the indicator changes only when a person crosses the detection field. In-lab experiments showed that a passive attacker can leverage Homekit BLE messages to track the evolution of devices in a household and thus monitor the activities of the occupants.
Device model, software version and more
We found that a number of messages expose a wide variety of information on the emitting device characteristics and state: device model, OS version, device color, cellular connectivity, battery level, current activity etc.
E-mail address and Phone numbers (Airdrop & Nearby)
We found that when using features such as Airdop and Nearby, devices emit messages from which email addresses and phone numbers can be extracted. Continuity services allow to seamlessly share resources with nearby devices: Airdrop to share files, Nearby to share Wi-Fi network credential. Prior exchange of information, the devices establish their identity by exchange identifiers over BLE: email addresses and/or phone numbers. Those identifiers are not sent in clear but are rather hashed using a cryptographic hash-function. This obfuscation can be bypassed in most cases and the identifiers recovered.
Voice assistant commands (Siri)
We found that when activated via voice, the Siri voice assistant will generate a message including a digital fingerprint of the command. Although the raw audio signal cannot be reconstructed from it, the fingerprint could be leveraged to infer the command.
The vulnerabilities identified were reported to Apple, Osram and Eve on May 29 th , 2019