Watch out! A device that costs just $70 can hack your iPhone and trick you into sharing


Attendees at the hacking conference DefCon in Las Vegas last weekend kept getting mysterious prompts on their iPhones asking them to connect to a phantom Apple TV that was nowhere in sight.

Turns out the messages — which looked like a nearby Apple TV seeking approval to sync with users’ Apple ID or their password-protected accounts — were, in reality, from a homemade $70 transmitter designed to trick Apple’s Bluetooth security.

Some of the software security experts who were targeted by the prank at the conference said they felt ‘abused,’ while others thought it was ‘hilarious’ but ‘annoying as hell.’

The perpetrator, a fellow DefCon attendee, has come forward to explain their intention: to draw attention to a serious vulnerability they hope Apple will correct.

‘If a user were to interact with the prompts, and if the other end was set up to respond convincingly, I think you could get the “victim” to transfer a password,’ said the prankster, a security researcher who goes by Jae Bochs on social media.

Until Apple corrects the vulnerability, according to Bochs, the best course of action for iPhone users, or any Apple product user, is to be careful when trusting the ‘Control Center’ feature on any device running iOS.

Attendees at the hacking conference DefCon 2023 kept getting mysterious prompts on their iPhones. The messages, which looked like a nearby Apple TV seeking approval to sync with their password-protected accounts, actually came from an improvised $70 transmitter (above)

Some of the software security experts targeted by the prank said they felt 'abused,' while others thought it was 'hilarious' but 'annoying as hell.' The perpetrators hoped to highlight a vulnerability they hope Apple will correct. Above, people attend DefCon 2011 in Las Vegas

For their part, Bochs was unrepentant, writing on the decentralized social media platform Mastodon: ‘Glad I could add a little harmless WTF to everyone’s day.’

‘To offer some reassurance,’ Bochs also posted, ‘this was built with two purposes – to remind people to *really shut off* Bluetooth (i.e. not from control center) and to have a laugh.’

To completely switch off Bluetooth on an iPhone, iPad, or MacBook, Apple users can’t trust the seemingly convenient toggle on Control Center, iOS’s quick-access panel available to users with a simple swipe.

Instead users have to go into their Settings and search for the complete Bluetooth menu to truly prevent their device from engaging with other Bluetooth devices nearby, such as the hacker’s forged Apple TV.

Bochs told TechCrunch they built the device out of an off-the-shelf Raspberry Pi Zero 2 W, a portable battery, two antennas, and one Linux-compatible Bluetooth adapter.

The total cost, Bochs estimated, was about $70.

At the heart of the hack, Bochs explained, is lax security coded into Apple’s current protocols for Bluetooth low energy, or BLE, which allows any Apple device to attempt to connect with other nearby Apple devices via Bluetooth.

Apple describes these as ‘proximity actions’ because the intent is to add convenience for users trying to sync nearby devices, such as two friends with iPhones at a bar or an iPhone user trying to control their Apple TV or home wireless speakers.

‘Proximity is determined by BLE signal strength, and most devices intentionally use lowered transmit power for these to keep the range short,’ Bochs said, adding, ‘I don’t :)’

The range for Bochs’ $70 improvised, fake Apple TV extended to 50 feet, plenty of room to ensnare unsuspecting DefCon attendees waiting in line for events around the convention center. 

Typically, the BLE signal range for an iPhone is about 33 feet, and for an Apple TV box that number can be much lower.  

The device ‘builds a custom advertisement packet that mimics what Apple TV etc. are constantly emitting at low power,’ the security researcher told TechCrunch. This allows it to pose as an Apple device and trigger pop-ups on nearby devices.

‘There’s no data collected,’ Bochs said, ‘it’s just sending out BLE advertisement packets that don’t require pairing.’
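For defenders who want to see what such broadcasts look like on a monitoring receiver, the following added example (not from Bochs or Apple) parses raw BLE advertising payloads, picks out manufacturer-specific data carrying Apple's Bluetooth SIG company ID, and lists advertisers heard repeatedly above a signal-strength threshold. The threshold, hit count, function names, addresses and sample payloads are assumptions constructed for illustration.

```python
import struct

APPLE_COMPANY_ID = 0x004C      # Bluetooth SIG company identifier for Apple
AD_TYPE_MANUFACTURER = 0xFF    # "Manufacturer Specific Data" AD type
RSSI_ALERT_DBM = -45           # assumed threshold; tune per site and receiver

def parse_ad_structures(payload: bytes):
    """Split a raw advertising payload into (ad_type, data) pairs."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero length ends the useful part
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def apple_manufacturer_data(payload: bytes):
    """Return the bytes after Apple's company ID, or None if absent."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER and len(data) >= 2:
            if struct.unpack_from("<H", data)[0] == APPLE_COMPANY_ID:
                return data[2:]
    return None

def flag_loud_apple_advertisers(observations, threshold=RSSI_ALERT_DBM, min_hits=3):
    """observations: (address, rssi_dbm, payload). Returns flagged addresses."""
    hits = {}
    for addr, rssi, payload in observations:
        try:
            is_apple = apple_manufacturer_data(payload) is not None
        except ValueError:
            continue                         # malformed payload: skip, don't crash
        if is_apple and rssi >= threshold:
            hits[addr] = hits.get(addr, 0) + 1
    return sorted(a for a, n in hits.items() if n >= min_hits)

# Constructed sample data (not captured traffic); message bodies are filler bytes.
APPLE_ADV = bytes.fromhex("02010606ff4c00aabbcc")
OTHER_ADV = bytes.fromhex("02010605ff06000102")
TRUNC_ADV = bytes.fromhex("02010609ff4c00")
SAMPLE = ([("AA:AA:AA:AA:AA:01", -38, APPLE_ADV)] * 3     # strong, repeated
          + [("AA:AA:AA:AA:AA:02", -80, APPLE_ADV)] * 3   # weak signal
          + [("AA:AA:AA:AA:AA:03", -35, OTHER_ADV)] * 3   # not Apple's ID
          + [("AA:AA:AA:AA:AA:04", -30, TRUNC_ADV)] * 3)  # malformed

if __name__ == "__main__":
    print(flag_loud_apple_advertisers(SAMPLE))
```

Signal strength alone cannot separate a nearby low-power device from a distant high-power one, which is the weakness Bochs describes, so hits are leads to investigate rather than proof of spoofing.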

In theory, however, a similar device could maliciously collect personal user data — and given growing concerns over the iPhone’s upcoming NameDrop feature, Bochs hopes to have a new ‘proof of concept’ device that will probe NameDrop’s security lapses in time for next year’s DefCon.

Announced for Apple’s iOS 17 update this September, NameDrop is a new feature that promises to streamline sharing contact information, making it as easy as tapping two iPhones together. But the added convenience comes with some risk.

‘Hoping by next DC to have it working with the new iOS17 ‘NameDrop’ features, and potentially do something similar for Android (at least certain models),’ Bochs said. ‘Either way I’ll probably submit it for a talk.’

DefCon 2023 attendees warned one another about the fake Apple TV via X (formerly Twitter)

DefCon, which is among the largest annual gatherings of hackers worldwide, is no stranger to wild pranks, and some praised Bochs’ stunt as ‘some OG #DEFCON shenanigans.’

The conference, despite protests from attendees, is often a major scouting location for government intelligence agencies, including the National Security Agency (NSA), that are looking to recruit the best and brightest among cybersecurity and penetration experts.

But some attendees this year expressed more confusion and concern over the Apple Bluetooth flaw, including Dan Guido, the CEO of security research firm Trail of Bits.

‘I think [Bochs] abused a bunch of users when [they] should take [their] complaints to Apple,’ Guido told TechCrunch.

But others, like the iOS application security researcher who goes by the online name NinjaLikesCheez, saw it as part of DefCon’s grand tradition of teaching and exposing security loopholes by experience.  

‘I think it’s hilarious. It was annoying as hell but also reminded me that control center is bad,’ the Netherlands-based coder said. 

 


