Attendees at the DefCon hacking conference in Las Vegas last weekend received mysterious messages on their iPhones, such as requests to connect to a phantom Apple TV that was nowhere in sight.
It turned out that the messages, which looked like a nearby Apple TV seeking approval to sync with users’ Apple IDs or password-protected accounts, were actually from a $70 homemade transmitter designed to fool Apple’s Bluetooth security.
Some of the software security experts who were the butt of the joke at the conference said they felt ‘abused’, while others thought it was ‘hilarious’ but ‘annoying as hell’.
The perpetrator, a fellow DefCon attendee, has come forward to explain the intent behind the prank: to draw attention to a serious vulnerability that they hope Apple will fix.
“If a user were to interact with the prompts, and if the other end was configured to respond convincingly, I think you could get the ‘victim’ to pass a password,” said the prankster, a security researcher named Jae Bochs, on social media.
Until Apple fixes the vulnerability, according to Bochs, the best course of action for iPhone users, or any user of Apple products, is to be careful when relying on the ‘Control Center’ feature on any device running iOS.
For his part, Bochs was unrepentant, writing on the decentralized social media platform Mastodon, “Glad to be able to add a little harmless WTF to everyone’s day.”
“To offer some peace of mind,” Bochs also posted, “this was created for two purposes: to remind people to *actually turn off* Bluetooth (i.e. not from the control center) and to have a laugh.”
To completely turn off Bluetooth on an iPhone, iPad, or MacBook, Apple users can’t rely on the seemingly convenient switch in Control Center, iOS’s quick access panel available to users with a swipe of their finger.
Instead, users need to go into their Settings and search for the full Bluetooth menu to actually prevent their device from connecting with other nearby Bluetooth devices, such as the hacker’s spoofed Apple TV.
Bochs told TechCrunch the device was built from a standard Raspberry Pi Zero 2 W, a portable battery, two antennas, and a Linux-compatible Bluetooth adapter.
The total cost, Bochs estimated, was about $70.
At the heart of the hack, Bochs explained, is the lax security hardcoded into Apple’s current protocols for Bluetooth Low Energy, or BLE, which allow any Apple device to attempt to connect to other nearby Apple devices via Bluetooth.
Apple describes these as “proximity actions” because they’re intended to add convenience for users trying to sync nearby devices, like two friends with iPhones at a bar or an iPhone user trying to control their Apple TV or home wireless speakers.
“Proximity is determined by the strength of the BLE signal, and most devices intentionally use reduced transmit power to keep range short,” Bochs said, adding: “I don’t :)”
The range of Bochs’ makeshift $70 fake Apple TV stretched to 50 feet, plenty of room to catch unsuspecting DefCon attendees waiting in line for events around the convention center.
The device “builds a custom ad package that mimics what Apple TV, etc. constantly broadcasts at low power,” the security researcher told TechCrunch. This allows it to pose as an Apple device and trigger pop-ups on nearby devices.
“No data is collected,” Bochs said, “only BLE advertising packets are sent that do not require pairing.”
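As an added illustration (not code from Bochs or TechCrunch), a defender running a fixed BLE sensor could look for the side effect Bochs describes: Apple-format advertisements arriving far stronger than normal low-power broadcasts. The RSSI floor, hit count, function names and sample captures below are assumptions constructed for this example.

```python
# Added example: flag unusually loud Apple-format BLE advertisers at a fixed sensor.
APPLE_COMPANY_ID = 0x004C      # Bluetooth SIG company identifier assigned to Apple
AD_MANUFACTURER_DATA = 0xFF    # AD type "Manufacturer Specific Data"

def parse_ad_structures(payload: bytes):
    """Split an advertising payload into (ad_type, data) pairs: [len][type][data]."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        end = i + 1 + length
        if length == 0 or end > len(payload):   # padding or truncated structure
            break
        out.append((payload[i + 1], payload[i + 2:end]))
        i = end
    return out

def apple_payload(payload: bytes):
    """Return the bytes after Apple's company ID, or None if not Apple-format."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_MANUFACTURER_DATA and len(data) >= 2:
            if int.from_bytes(data[:2], "little") == APPLE_COMPANY_ID:
                return data[2:]
    return None

def flag_loud_apple_advertisers(observations, rssi_floor_dbm=-45, min_hits=3):
    """observations: (address, rssi_dbm, payload). Thresholds are assumptions to
    tune per site; advertiser addresses can rotate, so treat hits as leads."""
    hits = {}
    for address, rssi, payload in observations:
        if rssi >= rssi_floor_dbm and apple_payload(payload) is not None:
            hits[address] = hits.get(address, 0) + 1
    return sorted(a for a, n in hits.items() if n >= min_hits)

# Constructed sample data: the bytes after the company ID are placeholders,
# not a real Apple message.
APPLE_AD = bytes.fromhex("02011a" "06ff4c00" "010203")
OTHER_AD = bytes.fromhex("02011a" "06ffffff" "010203")   # 0xFFFF = test company ID
SAMPLE = (
    [("AA:AA:AA:AA:AA:01", -38, APPLE_AD)] * 3      # strong and repeated: flagged
    + [("BB:BB:BB:BB:BB:02", -82, APPLE_AD)] * 3    # normal low-power neighbour
    + [("CC:CC:CC:CC:CC:03", -35, OTHER_AD)] * 3    # loud, but not Apple-format
    + [("DD:DD:DD:DD:DD:04", -30, APPLE_AD[:6])] * 3  # truncated capture: ignored
)

if __name__ == "__main__":
    print(flag_loud_apple_advertisers(SAMPLE))
```

The sensor is assumed to sit away from legitimate Apple hardware, so a strong reading implies elevated transmit power, not physical closeness.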
In theory, however, a similar device could maliciously collect users’ personal data, and given growing concerns about the iPhone’s upcoming NameDrop feature, Bochs hopes to have a new “proof of concept” device that will investigate flaws in NameDrop security in time for next year’s DefCon.
Announced for Apple’s iOS 17 update this September, NameDrop is a new feature that promises to streamline the sharing of contact information, making it as easy as tapping two iPhones together. But the added convenience comes with some risk.
“Hopefully the next DC will make it work with the new iOS17 ‘NameDrop’ features, and potentially do something similar for Android (at least certain models),” Bochs said. “Either way, I’ll probably introduce him for a talk.”
DefCon 2023 attendees warned each other about the fake Apple TV via X (formerly Twitter).
DefCon, which ranks among the largest annual gatherings of hackers worldwide, is no stranger to wild pranks, with some hailing Bochs’ hack as “some OG #DEFCON shenanigans.”
The conference, despite the protests of the attendees, is usually an important scouting site for government intelligence agencies, including the National Security Agency (NSA), seeking to recruit the best and brightest among cybersecurity and penetration experts.
But some attendees this year expressed further confusion and concern over Apple’s Bluetooth flaw, including Dan Guido, chief executive of security research firm Trail of Bits.
‘Believe [Bochs] abused a group of users when [they] must take [their] complaints to Apple’, Guido told TechCrunch.
But others, like the iOS app security researcher who goes by the online name NinjaLikesCheez, saw it as part of the great DefCon tradition of teaching and exposing security loopholes by experience.
“I think it’s hilarious. It was very annoying, but it also reminded me that the control center is bad,” said the Netherlands-based coder.