You can upload data even if you are disconnected! Apple users can do it again | Open Source

In 2019, Apple rolled out the Find My feature across its systems.

This feature allows an Apple user’s devices and accessories to be found by other Apple devices nearby, even when they are offline or have GPS turned off.

In other words, when you track and locate your own device, nearby Apple devices that belong to strangers do the work of uploading its location for you.


The basic principle is like calling on passers-by for help when you are in trouble; in short, it is a case of “everyone for me, me for everyone”.

Some users, however, asked a different question: if the network can Find My, why not Send My?

Today we look at Send My, a tool developed by Positive Security, a research team from Berlin, which can upload data from a device that is offline and has no Internet access of its own.

The exploitable step in the lookup function

Let’s first look at how the Find My lookup system works.

When a user pairs an accessory with their Apple device through the Find My app, an elliptic-curve key pair is generated.

The owner’s device keeps the private key (together with the public key); the accessory receives only public-key material.

From then on, the accessory acts as a BLE (Bluetooth Low Energy) beacon: it continuously broadcasts a rolling public key derived from that key material.

Nearby Apple devices that pick up the broadcast encrypt their own current location under the received public key and upload the encrypted report, together with an identifier of the key, to Apple’s servers.

Finally, the owner’s device queries the server for reports filed under its key identifiers, downloads them and decrypts them with the private key held in its own Find My app, yielding the accessory’s location.


Notice that this process contains a data upload step.

If we can smuggle our own data into it, we can hitch a ride on the Find My offline network and have it uploaded along with everything else.

What gets uploaded is the key identifier plus the location report.

The location report can only be decrypted with the correct private key, which is stored on the owner’s device, and cannot be brute-forced.

The point of attack is therefore the rolling key derived from the public key: the broadcast public key is the one field that the sender fully controls, and the network stores and serves reports keyed by it without knowing whether it is legitimate.

Smuggling the data in

The research team devised a data-exfiltration protocol on top of this.

The bits of the message are encoded into the broadcast public key, which is then broadcast in a loop until the whole message has been sent. As long as sender and receiver agree on the encoding scheme, the data gets through.

To send one bit, a 28-byte array (the length of a broadcast public key) with the structure [4-byte bit index] [4-byte message ID] [4-byte modem ID] [zero padding…] [1-byte bit value] is built and used as the public key.

A “modem” is then built: firmware that receives a message over the serial interface and broadcasts its bits cyclically.

△ Encoding bits of information into a broadcastable payload

The research team used the low-cost, low-power ESP32 as the transmitter hardware and wrote the sending firmware for it.

This single-chip microcontroller with integrated Wi-Fi and dual-mode Bluetooth can change its Bluetooth MAC address quickly, which is needed to broadcast a stream of changing keys.

A hard-coded default message is broadcast at startup; the firmware then listens on the serial interface and broadcasts the current message in a loop until a new one arrives.


On the receiving side, the retrieval program regenerates 28-byte arrays with the same structure, one per bit index and per possible bit value, and asks Apple’s backend which of the corresponding keys has location reports; the key that has reports reveals the bit.

△ Retrieving previously sent data from an Internet-connected macOS device

Development of the application

The Send My app is built on OpenHaystack, a reverse-engineering effort by researchers at the Technical University of Darmstadt, extended with a few hacks of its own.

OpenHaystack was open-sourced in March 2021, before Apple opened the Find My network to third-party accessory manufacturers.

Even so, users could already use OpenHaystack to build their own accessories that Find My can track.


Like OpenHaystack, Send My uses the Apple Mail plugin trick to send location-retrieval requests to Apple’s backend.

The app prompts the user for a 4-digit modem ID, which is set when the ESP32 firmware is flashed.

It then automatically retrieves, decodes and displays the message with message ID 0.

Testing it

With hardware and application ready, the research team ran a first test: sending a 32-bit message.

After a few minutes, 23 of the 32 bits had arrived.

The team suspected that the remaining 9 bits had been dropped because nearby Apple devices rejected the generated public keys as invalid.

So they added a check before broadcasting a payload: verify that the 28-byte value actually represents a valid point on the elliptic curve in use.

If it does not, a counter is incremented and the check repeated until a valid public key is found.


△ This process can be performed offline by the location retrieval program before asking for the key ID

Send My currently sends at a rate of about 3 bytes per second.
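The following is an added example, not Positive Security’s code, that models both the bit-encoding scheme described under “Smuggling the data in” and the curve-validity check added after the first test. It assumes that the 28-byte payload is interpreted as the x coordinate of a NIST P-224 point (the curve Find My uses), that the retry counter lives in the padding bytes (the page does not say where), and that reports are looked up by the SHA-256 hash of the 28-byte key, as OpenHaystack does; the backend is replaced by an in-memory set of report IDs, and the sample message is constructed.

```python
import hashlib
import struct

# NIST P-224 domain parameters (a = -3). Used only to decide whether a
# 28-byte value is the x coordinate of some point on the curve.
P224_P = 2**224 - 2**96 + 1
P224_B = 0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4


def is_valid_p224_x(x_bytes):
    """True if x_bytes (28 bytes, big-endian) is the x coordinate of a point
    on P-224, i.e. x^3 - 3x + b is a quadratic residue mod p."""
    x = int.from_bytes(x_bytes, "big")
    if len(x_bytes) != 28 or x >= P224_P:
        return False
    rhs = (pow(x, 3, P224_P) - 3 * x + P224_B) % P224_P
    # Euler's criterion: a non-zero rhs has a square root iff rhs^((p-1)/2) == 1.
    return rhs == 0 or pow(rhs, (P224_P - 1) // 2, P224_P) == 1


def build_payload(bit_index, message_id, modem_id, bit_value, counter=0):
    """Layout from the article: [4B bit index][4B message ID][4B modem ID]
    [padding][1B bit value] = 28 bytes. Placing the retry counter in the last
    four padding bytes is an assumption of this example."""
    header = struct.pack(">III", bit_index, message_id, modem_id)
    padding = b"\x00" * 11 + struct.pack(">I", counter)
    return header + padding + bytes([bit_value & 1])


def key_for_bit(bit_index, message_id, modem_id, bit_value):
    """Bump the counter until the payload is a valid public key. Sender and
    receiver run the same loop, so the counter never has to be transmitted."""
    counter = 0
    while True:
        payload = build_payload(bit_index, message_id, modem_id, bit_value, counter)
        if is_valid_p224_x(payload):
            return payload
        counter += 1


def key_id(pubkey):
    """Handle under which reports are stored (assumed: SHA-256 of the key)."""
    return hashlib.sha256(pubkey).digest()


def encode_message(message, message_id, modem_id):
    """Sender side: one valid public key per bit, MSB first within each byte."""
    keys = []
    for byte_index, byte in enumerate(message):
        for b in range(8):
            bit_value = (byte >> (7 - b)) & 1
            keys.append(key_for_bit(byte_index * 8 + b, message_id, modem_id, bit_value))
    return keys


def decode_message(report_store, n_bytes, message_id, modem_id):
    """Receiver side: for every bit index regenerate the key for bit value 0
    and for bit value 1 and check which key ID has reports. Returns
    (message, missing_bits); bits with no report yet (or reports for both
    candidates) are filled with 0 and listed in missing_bits."""
    out = bytearray()
    missing = []
    for byte_index in range(n_bytes):
        value = 0
        for b in range(8):
            bit_index = byte_index * 8 + b
            has_zero = key_id(key_for_bit(bit_index, message_id, modem_id, 0)) in report_store
            has_one = key_id(key_for_bit(bit_index, message_id, modem_id, 1)) in report_store
            if has_zero != has_one:
                if has_one:
                    value |= 1 << (7 - b)
            else:
                missing.append(bit_index)
        out.append(value)
    return bytes(out), missing


def simulate(message, message_id=0, modem_id=1234, drop=()):
    """Constructed end-to-end run: finder devices 'upload' a report for every
    broadcast key except the bit indexes in drop (lost to the network)."""
    keys = encode_message(message, message_id, modem_id)
    report_store = {key_id(k) for i, k in enumerate(keys) if i not in drop}
    return decode_message(report_store, len(message), message_id, modem_id)


if __name__ == "__main__":
    print(simulate(b"OK"))
    print(simulate(b"OK", drop=(4,)))
```

A dropped bit is indistinguishable from a bit whose report has not arrived yet, which is why the decoder reports missing bit indexes instead of guessing; the delay figures below show how long that wait can be.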


Depending on the number of Apple devices nearby and other random factors, the delay between a broadcast and its report becoming retrievable ranges from about 1 minute to 1 hour.

△ Delay distribution between a public key being broadcast and the corresponding location report being uploaded

“It’s hard for Apple to ban this kind of application,” the research team concluded.

The Find My system cannot read the location information, because it is encrypted; Apple therefore has no way to tell which public keys are legitimate, nor to link a location report to the public key it was encrypted under.

To rule out abuse by such OpenHaystack-based hacks, the security design of Find My itself would have to be reconsidered.

Options include stronger authentication of the BLE broadcasts, or rate-limiting the retrieval of location reports.

Team Introduction

Positive Security is an IT security consulting and research company from Berlin, Germany that provides cybersecurity support services.


The company has two founders: Fabian, a graduate of the University of Potsdam, and Lukas, a graduate of the Karlsruhe Institute of Technology; both previously worked at the German security research lab SRLabs.



Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/you-can-upload-data-even-if-you-are-disconnected-apple-users-can-do-it-again%ef%bd%9copen-source/