Discontinued Privacy: Personal Data Leaks in Apple Bluetooth-Low-Energy Continuity Protocols

Open access

Abstract

Apple Continuity protocols are the underlying network component of Apple Continuity services which allow seamless nearby applications such as activity and file transfer, device pairing and sharing a network connection. Those protocols rely on Bluetooth Low Energy (BLE) to exchange information between devices: Apple Continuity messages are embedded in the pay-load of BLE advertisement packets that are periodically broadcasted by devices. Recently, Martin et al. identified [1] a number of privacy issues associated with Apple Continuity protocols; we show that this was just the tip of the iceberg and that Apple Continuity protocols leak a wide range of personal information.

In this work, we present a thorough reverse engineering of Apple Continuity protocols that we use to uncover a collection of privacy leaks. We introduce new artifacts, including identifiers, counters and battery levels, that can be used for passive tracking, and describe a novel active tracking attack based on Handoff messages. Beyond tracking issues, we shed light on severe privacy flaws. First, in addition to the trivial exposure of device characteristics and status, we found that HomeKit accessories betray human activities in a smarthome. Then, we demonstrate that AirDrop and Nearby Action protocols can be leveraged by passive observers to recover e-mail addresses and phone numbers of users. Finally, we exploit passive observations on the advertising traffic to infer Siri voice commands of a user.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Jeremy Martin Douglas Alpuche Kristina Bodeman Lamont Brown Ellis Fenske Lucas Foppe Travis Mayberry Erik Rye Brandon Sipes and Sam Teplov. Handoff All Your Privacy – A Review of Apple’s Bluetooth Low Energy Continuity Protocol. Proceedings on Privacy Enhancing Technologies 2019(4):34–53 2019.

  • [2] Google. Nearby. URL https://developers.google.com/nearby/. Accessed: 2019-05-25.

  • [3] Microsoft. Microsoft Connected Devices Platform Protocol Version 3. 2019. URL https://docs.microsoft.com/enus/openspecs/windows_protocols/ms-cdp/f5a15c56-ac3a-48f9-8c51-07b2eadbe9b4. Accessed: 2019-05-25.

  • [4] Apple. All your devices. One seamless experience.. URL https://www.apple.com/macos/continuity/. Accessed: 2019-05-25.

  • [5] Apple. MFi Program.. URL https://developer.apple.com/programs/mfi/. Accessed: 2019-05-25.

  • [6] Apple. Home accessories. The list keeps getting smarter.. URL https://www.apple.com/ios/home/accessories/. Accessed: 2019-05-25.

  • [7] Apple. Apple Reports Record First Quarter Results. 2016. URL https://www.apple.com/newsroom/2016/01/26Apple-Reports-Record-First-Quarter-Results/. Accessed: 2019-05-25.

  • [8] Mathy Vanhoef Celestin Matte Mathieu Cunche Leonardo S. Cardoso and Frank Piessens. Why MAC Address Randomization is Not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security ASIA CCS ‘16 pages 413–424 New York NY USA 2016. ACM. ISBN 978-1-4503-4233-9. 10.1145/2897845.2897883.

  • [9] Taher Issoufaly and Pierre Ugo Tournoux. BLEB: Bluetooth Low Energy Botnet for large scale individual tracking. In 2017 1st International Conference on Next Generation Computing Applications (NextComp) pages 115–120. IEEE 2017.

  • [10] Ben Greenstein Ramakrishna Gummadi Jeffrey Pang Mike Y Chen Tadayoshi Kohno Srinivasan Seshan and David Wetherall. Can Ferris Bueller Still Have His Day Off? Protecting Privacy in the Wireless Era. In HotOS 2007.

  • [11] Mathieu Cunche Mohamed-Ali Kaafar and Roksana Boreli. Linking wireless devices using information contained in Wi-Fi probe requests. Pervasive and Mobile Computing 11:56–69 April 2014. ISSN 1574-1192. 10.1016/j.pmcj.2013.04.001.

  • [12] Aveek K Das Parth H Pathak Chen-Nee Chuah and Prasant Mohapatra. Uncovering Privacy Leakage in BLE Network Traffic of Wearable Fitness Trackers. In Proceedings of the 17th International Workshop on Mobile Computing Systems and Applications pages 99–104. ACM 2016.

  • [13] Bluetooth SIG. Bluetooth Core Specification v4.0. 2010. URL https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=456433. Accessed: 2019-05-25.

  • [14] Johannes K Becker David Li and David Starobinski. Tracking Anonymized Bluetooth Devices. Proceedings on Privacy Enhancing Technologies 2019(3):50–65 2019.

  • [15] Guillaume Celosia and Mathieu Cunche. Saving Private Addresses: An Analysis of Privacy Issues in the Bluetooth-Low-Energy Advertising Mechanism. In Proceedings of the 16th EAI International Conference on Mobile and Ubiquitous Systems: Computing Networking and Services. ACM 2019.

  • [16] Martin Woolley. Bluetooth Technology Protecting Your Privacy. 2015. URL https://www.bluetooth.com/blog/bluetooth-technology-protecting-your-privacy/. Accessed: 2019-05-25.

  • [17] IEEE Standard for Local and Metropolitan Area Networks: Overview and Architecture. IEEE Std 802-2014 (Revision to IEEE Std 802-2001) pages 1–74 June 2014. 10.1109/IEEESTD.2014.6847097.

  • [18] Bluetooth SIG. Bluetooth Core Specification v5.1. 2019. URL https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=457080. Accessed: 2019-05-25.

  • [19] Apple. iOS Security - iOS 12.3. 2019. URL https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf. Accessed: 2019-05-25.

  • [20] Apple. HomeKit Accessory Protocol Specification (Non-Commercial Version) - Release R2. 2019. URL https://developer.apple.com//homekit/specification/. Accessed: 2019-08-20.

  • [21] Apple. About AirPrint. 2019. URL https://support.apple.com/en-us/HT201311. Accessed: 2019-05-25.

  • [22] Ang Cui Michael Costello and Salvatore Stolfo. When Firmware Modifications Attack: A Case Study of Embedded Exploitation. 2013.

  • [23] Apple. Connect and use your AirPods. 2019. URL https://support.apple.com/en-us/HT207010. Accessed: 2019-05-25.

  • [24] Dorene Kewley Russ Fink John Lowry and Mike Dean. Dynamic approaches to thwart adversary intelligence gathering. In Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX’01 volume 1 pages 176–185. IEEE 2001.

  • [25] Apple. Handoff.. URL https://developer.apple.com/handoff/. Accessed: 2019-05-25.

  • [26] Apple. Use Handoff to continue a task on your other devices. 2019. URL https://support.apple.com/enus/HT209455. Accessed: 2019-05-25.

  • [27] Jeremy Martin Travis Mayberry Collin Donahue Lucas Foppe Lamont Brown Chadwick Riggins Erik C Rye and Dane Brown. A Study of MAC Address Randomization in Mobile Devices and When It Fails. Proceedings on Privacy Enhancing Technologies 2017(4):365–383 2017.

  • [28] Lukasz Olejnik Gunes Acar Claude Castelluccia and Claudia Diaz. The leaking battery. In Data Privacy Management and Security Assurance pages 254–263. Springer 2015.

  • [29] Apple. Use Instant Hotspot to connect to your Personal Hotspot without entering a password. 2019. URL https://support.apple.com/en-us/HT209459. Accessed: 2019-08-20.

  • [30] Kassem Fawaz Kyu-Han Kim and Kang G Shin. Protecting Privacy of BLE Device Users. In USENIX Security Symposium pages 1205–1221 2016.

  • [31] Marianne Bertrand and Emir Kamenica. Coming Apart? Cultural Distances in the United States Over Time. Technical report National Bureau of Economic Research 2018.

  • [32] Le T Nguyen Yu Seung Kim Patrick Tague and Joy Zhang. IdentityLink: User-Device Linking through Visual and RF-Signal Cues. In Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing pages 529–539. ACM 2014.

  • [33] Matthias C Sala Kurt Partridge Linda Jacobson et al. An Exploration into Activity-Informed Physical Advertising Using PEST. In International Conference on Pervasive Computing pages 73–90. Springer 2007.

  • [34] Bogdan Copos Karl Levitt Matt Bishop and Jeff Rowe. Is Anybody Home? Inferring Activity From Smart Home Network Traffic. In 2016 IEEE Security and Privacy Workshops (SPW) pages 245–251. IEEE 2016.

  • [35] Joseph Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In 2012 IEEE Symposium on Security and Privacy pages 538–552. IEEE 2012.

  • [36] Levent Demir Amrit Kumar Mathieu Cunche and Cedric Lauradoux. The Pitfalls of Hashing for Privacy. IEEE Communications Surveys & Tutorials 20(1):551–565 2018.

  • [37] Matthias Marx Ephraim Zimmer Tobias Mueller Maximilian Blochberger and Hannes Federrath. Hashing of personally identifiable information is not sufficient. SICHERHEIT 2018 2018.

  • [38] Troy Hunt. The 773 Million Record “Collection #1” Data Breach. 2019. URL https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/. Accessed: 2019-05-25.

  • [39] Jaap Haitsma and Ton Kalker. A Highly Robust Audio Fingerprinting System. In Ismir volume 2002 pages 107–115 2002.

  • [40] Heiko Knospe. Privacy-enhanced perceptual hashing of audio data. In 2013 International Conference on Security and Cryptography (SECRYPT) pages 1–6. IEEE 2013.

  • [41] Gopala Krishna Anumanchipalli Kishore Prahallad and Alan W Black. Festvox: Tools for Creation and Analyses of Large Speech Corpora. In Workshop on Very Large Scale Phonetics Research UPenn Philadelphia page 70 2011.

  • [42] Sparhandy. Siri commands - endless functions of your virtual assistant. URL https://www.sparhandy.de/apple/info/siri-commands/. Accessed: 2019-05-25.

  • [43] Hao Fu Aston Zhang and Xing Xie. Effective Social Graph Deanonymization Based on Graph Structure and Descriptive Information. ACM Transactions on Intelligent Systems and Technology (TIST) 6(4):49 2015.

  • [44] Jon Gunnar Sponas. Things You Should Know About Bluetooth Range. 2018. URL https://blog.nordicsemi.com/getconnected/things-you-should-know-about-bluetooth-range. Accessed: 2019-08-20.

  • [45] Nina Gerber Benjamin Reinheimer and Melanie Volkamer. Investigating People’s Privacy Risk Perception. Proceedings on Privacy Enhancing Technologies 2019(3):267–288 2019.

  • [46] Chrisil Arackaparambil Sergey Bratus Anna Shubina and David Kotz. On the Reliability of Wireless Fingerprinting using Clock Skews. In Proceedings of the third ACM conference on Wireless network security pages 169–174. ACM 2010.

  • [47] Milan Stute Sashank Narain Alex Mariotto Alexander Heinrich David Kreitschmann Guevara Noubir and Matthias Hollick. A Billion Open Interfaces for Eve and Mallory: MitM DoS and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link. page 18 2019.

  • [48] Daniele Antonioli Nils Ole Tippenhauer and Kasper Rasmussen. Nearby Threats: Reversing Analyzing and Attacking Google’s’ Nearby Connections’ on Android. In Proceedings of the Network and Distributed System Security Symposium (NDSS) February 2019.

  • [49] Guillaume Celosia and Mathieu Cunche. Detecting smart-phone state changes through a Bluetooth based timing attack. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks pages 154–159. ACM 2018.

  • [50] Noah Apthorpe Dillon Reisman Srikanth Sundaresan Arvind Narayanan and Nick Feamster. Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic. 2017.

  • [51] Sandra Siby Rajib Ranjan Maiti and Nils Tippenhauer. IoTScanner: Detecting and Classifying Privacy Threats in IoT Neighborhoods. arXiv preprint arXiv:1701.05007 2017.

Search
Journal information
Metrics
All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 17 17 17
PDF Downloads 17 17 17