>
Attendees at the DefCon hacking conference in Las Vegas last weekend kept getting mysterious prompts on their iPhones asking them to connect to a phantom Apple TV that was nowhere to be seen.
Turns out the messages — which looked like a nearby Apple TV seeking approval to sync to users’ Apple ID or their password-protected accounts — were actually from a $70 homemade transmitter designed to cheating Apple’s Bluetooth security.
Some of the software security experts targeted by the prank at the conference said they felt “taken advantage of,” while others thought it was “hilarious” but “annoying.”
The perpetrator, a fellow DefCon attendee, has come forward to explain their intent: to draw attention to a serious vulnerability that they hope Apple will correct.
“If a user responds to the prompts and if the other end is set up to respond convincingly, I think you can have the ‘victim’ hand over a password,” said the joker, a security researcher known as Jae Bochs. on social media.
Until Apple corrects the vulnerability, Bochs says the best course of action for iPhone users, or any Apple product user for that matter, is to exercise caution when relying on the “Control Center” feature on any device running iOS.
Participants in the DefCon 2023 hacking conference kept getting mysterious clues on their iPhones. The messages, which looked like a nearby Apple TV seeking approval to sync to their password-protected accounts, actually came from a $70 makeshift sender (above)
Some of the software security experts targeted by the prank said they felt “taken advantage of,” while others thought it was “hilarious” but “annoying.” The perpetrators hoped to expose a vulnerability that they hope Apple will correct. Above, people attend DefCon 2011 in Las Vegas
For their part, Bochs was unrepentant, writing on the decentralized social media platform Mastodon, “Glad I could add a little innocent WTF to everyone’s day.”
“Just to put your mind at ease,” Bochs also posted“this was built with two purposes – to remind people to *really turn off* Bluetooth (i.e. not from the control center) and to have a laugh.”
To completely disable Bluetooth on an iPhone, iPad, or MacBook, Apple users can’t trust the seemingly handy toggle on Control Center, iOS’s quick-access panel available to users with a simple swipe.
Instead, users have to go into their settings and look for the full Bluetooth menu to really block their device from contacting other nearby Bluetooth devices, such as the hacker’s counterfeit Apple TV.
Bochs told TechCrunch they built the device from a ready-made device Raspberry Pi Zero 2 W, a portable battery, two antennas and a Linux-compatible Bluetooth adapter.
The total cost, Bochs estimated, was about $70.
At the heart of the hack, Bochs explains, is lax security coded into Apple’s current protocols for Bluetooth low energy, or BLE, which allows any Apple device to connect via Bluetooth to other Apple devices nearby.
Apple describes this as “proximity actions” because the intent is to add convenience to users trying to sync nearby devices, such as two friends with iPhones at a bar or an iPhone user trying their Apple TV or wireless speakers at home to serve.
“Proximity is determined by the BLE signal strength, and most devices deliberately use reduced transmit power to keep the range short,” said Bochs, adding, “I don’t :)”
The range for Bochs’ $70 makeshift fake Apple TV has been extended to 50 feet, enough room to ensnare unsuspecting DefCon attendees queuing for events around the convention center.
Usually it is BLE signal range for an iPhone about 33 feetand for an Apple TV box that number could be much lower.
The device “builds a custom ad package that mimics what Apple TV etc constantly broadcasts at low power,” the security researcher told TechCrunch. This allows it to pose as one Apple device and trigger popups on nearby devices.
“No data is collected,” said Bochs, “it just sends out BLE ad packages that don’t require a link.”
In theory, however, a similar device could maliciously collect user personal data — and given growing concerns about the iPhone’s forthcoming NameDrop feature, Bochs hopes to have a new proof of concept design that addresses NameDrop’s vulnerabilities in time for the Next year’s DefCon will investigate. .
Announced for Apple’s iOS 17 update in September, NameDrop is a new feature that promises to streamline contact information sharing, making it as easy as tapping two iPhones together. But the added convenience comes with some risk.
“Hoping by the next DC that it works with the new iOS17 ‘NameDrop’ features, and possibly something similar for Android (certain models at least),” Bochs said. “Anyway, I’ll probably bring it up for discussion .’
DefCon 2023 attendees warned each other via X (formerly Twitter) about the fake Apple TV
DefCon, one of the largest annual hacker gatherings in the world, is no stranger to wild pranks, with some touting Bochs’ stunt as “some OG #DEFCON shenanigans.”
The conference, despite protests from attendees, is often one key reconnaissance site for government intelligence agencies, including the National Security Agency (NSA)who are looking for the best and brightest cybersecurity and penetration experts.
But some attendees this year expressed more confusion and concern about the Apple Bluetooth flaw, including Dan Guido, the CEO of security research firm Trail of Bits.
“I think (Bochs) abused a bunch of users when (they) should have filed (their) complaints with Apple,” Guido told TechCrunch.
But others, such as the security researcher for iOS applications that goes by the online name NinjaLikesCheezsaw it as part of DefCon’s grand tradition of teaching and exposing vulnerabilities through experience.
‘I think it’s hilarious. It was extremely annoying, but also reminded me that the control center is bad,” said the Netherlands-based coder.