How I use AirDrop instead of Tinder


Apple devices have a great AirDrop feature: it is made to transfer data between devices. No configuration or preliminary pairing of devices is required; everything works out of the box in two clicks. Data transfer uses an add-on over Wi-Fi, so it runs at tremendous speeds. And with a few tricks you can not only send files, but also find out the phone number of a person sitting with you in the same subway car.

For the last year I have been using this feature for interesting acquaintances on the way to work, in public transport, in public catering. On average, I manage to make several new acquaintances per day, and sometimes I get off the subway in the company of a new person.

Under the cut, I'll tell the whole story in detail.

How does AirDrop work?


AirDrop is a protocol for transferring files within a peer-to-peer network. It can work both over a regular local network and over the air between any Apple devices. We will analyze the latter case, when two devices are not connected to a common network but are simply nearby, for example, two people with phones are riding in a subway car and are not connected to a shared Wi-Fi.

[Figure: The first stage of transmission via AirDrop: sending a BLE packet]

To initiate data transfer via AirDrop, the initiator's phone sends a BLE broadcast packet containing hashed information about the iCloud account and phone number of the initiating device's owner, together with a proposal to establish a connection via the AWDL (Apple Wireless Direct Link) protocol, something like Wi-Fi Direct from the Android world. The structure of this BLE packet is very interesting; we will analyze it further below.

On the recipient's side, AirDrop can be in three states:

  • Switched off: the phone won't show up at all.
  • Contacts only: accept files only from contacts in your address book. In this case, a contact is the phone number or email to which the iCloud account is linked. The same account-linking logic applies here as in the iMessage messenger.
  • For everyone: the phone will be detected by everyone.

[Figure: AirDrop privacy settings. The default state is "Contacts only".]

Depending on the privacy settings, the phone will either continue to establish a connection via AWDL, or simply ignore the BLE packet. If AirDrop is set to "for everyone", then in the next step the devices connect to each other via AWDL and raise an IPv6 network between themselves, inside which AirDrop works as a regular application protocol using mDNS over standard IP.


For experimentation, you can look at how AWDL works on a MacBook. All communication using this protocol goes through the awdl0 interface, which can easily be sniffed with Wireshark or tcpdump.

At this stage, we know three entities:

  • Bluetooth Low Energy (BLE) packet: contains the data on the basis of which the phone decides whether the initiator is in its contact list or not.
  • Apple Wireless Direct Link (AWDL): Apple's proprietary replacement for Wi-Fi Direct; it turns on if the BLE exchange was successful.
  • AirDrop: an application protocol that works inside a regular IP network using mDNS, HTTP, etc. It can work within any Ethernet network.

BLE package structure

It may seem that this BLE packet flies only once from the initiator to the recipient, and that the exchange then continues only via AWDL. In reality, an AWDL connection lives a very short time, only a few minutes or less. So if the recipient of the file wants to answer you, they will also act as an initiator and send a BLE packet.

How does the phone on the receiving side know whether the initiator's number or email is in its contact list? I was very surprised when I found the answer: the initiator sends its number and email as a SHA-256 hash, but not the whole hash, only the first 3 bytes.

[Figure: The structure of the BLE packet from the AirDrop initiator. Based on the hashes of the phone number and email, the recipient decides whether the initiator is in its contact list.]

For example, if your Apple account (aka iCloud, aka iMessages) is linked to the number +79251234567, the hash from it will be calculated like this:

echo -n "+79251234567" | shasum -a 256
07de58621e5d274f5844b6663a918a94cfd0502222ec2adee0ae1aed148def36

As a result, the value 07de58 is what goes into the BLE packet for the phone number. It doesn't seem like much, but these three bytes are often enough to find out the real phone number.

It is also important to remember that the AirDrop privacy setting does not affect the data in the BLE packet. The hash of the phone number is contained in it even if the "Public" setting is set. A BLE packet with the hash of the phone number is also sent when the Share sheet is opened and when entering the password for a Wi-Fi network.

For a detailed analysis of the structure of BLE packets and possible attacks on it, read the Apple Bleee study and its Russian translation on Habré.

The Apple Bleee study published ready-made Python scripts for automating the analysis of data in BLE packets. I highly recommend studying the research and trying out the programs; there's a lot of great stuff in there.

AWDL (Apple Wireless Direct Link)

AWDL is a proprietary Apple add-on over regular Wi-Fi that implements something like Wi-Fi Direct. I don't fully know how it works; there is a special way of announcing and matching channels, and it only works on proprietary Apple drivers. That is, only MacBooks and iPhones can connect via AWDL.

Sad owners of Android phones still only dream of a properly working Wi-Fi Direct function.


But not so long ago the guys from seemoo-lab wrote a completely open-source implementation of AWDL and named it Open Wireless Link (OWL). To run OWL, the Wi-Fi adapter must support monitor mode and packet injection, so it does not run on every piece of hardware. The project site has example setups for the Raspberry Pi. It works much worse than the original AWDL, for example, connection setup takes ~10 seconds instead of a couple of seconds for the original, but it works.


These same people also wrote an implementation of the AirDrop protocol in Python from scratch, called opendrop. It can be used both together with OWL, to run AirDrop on Linux, and with the original AWDL on macOS.

How to upload via AirDrop

[Figure: A typical AirDrop pick-up situation]

Enough boring theory, it's time to start practicing. So you are armed with all the necessary equipment and ready to go pick people up with the help of high technology.

First you need to remember the main points:

  • AirDrop only works if the phone is unlocked. It is best if the target is constantly looking at the phone. Most often this happens in places where it is boring, for example, in the subway.
  • You need time. Usually a positive conversion happens on the 3rd to 5th picture sent, so you need at least 5 minutes of quiet stay in one place. I count the moment when the other person agrees over AirDrop to continue the conversation in a messenger as a positive conversion. This is tricky to pull off on the fly, because it's not immediately clear who received your payload, and most likely you will get off before you can agree on anything.
  • Personalized creative works better. I call the media content you send via AirDrop a payload. Just a picture with a meme most likely won't lead anywhere; the content should be relevant to the situation and have a clear call to action.

Classic method - only phone

Suitable for everyone who has an iPhone; it requires no special skills other than social ones. We switch AirDrop to Everyone mode and go down into the subway. On a typical day (before self-isolation) in a Moscow metro car, I saw something like this:

[Figure: List of targets]

As you can see, almost all phones broadcast the name of the owner, from which we can easily determine their gender and prepare an appropriate payload.

Payload

As I wrote above, a unique payload works better. Ideally, the picture should address the owner by name. Previously, I had to craft a creative with a graphic editor in the Notes app and some kind of mobile Photoshop substitute. As a result, by the time the desired picture was drawn, it was already time to get out of the car.

My friend Anya koteeq, especially at my request, wrote a Telegram bot that generates the necessary pictures with a caption on the fly: @AirTrollBot. Thank you so much; now I can pick people up much more technologically than before.

It is enough to send a line of text to the bot, and it will render it as an image with exactly the aspect ratio of the preview in the AirDrop window. You can select a character for the picture by pressing the buttons. You can also optionally enable adding your Telegram login in the corner of the picture.

[Figure: Payload generator]

The best part was that the picture was shown on the victim's screen immediately, without any action. They didn't even have to press "Accept". You could see the instant reaction on their face when the payload loaded. Unfortunately, since iOS 13, pictures from unknown contacts are no longer shown on the screen. Here's what it looked like before:

[Figure: Payload delivered on iOS ≤12]

Now, instead of a preview, only the name of the sender's device is shown. Therefore, the only way to address a victim on iOS ≥13 by name is to set it in the settings of your own device, for example, name the phone "Julia, hello." Hint: you can use emoji in the device name. Of course, this method is not as flashy as the picture, but it greatly increases the chance that the "Accept" button gets pressed.

Further description of the actions is beyond the scope of a technical article and depends only on your imagination, improvisation and humor. I can only say that those who enter this game and begin to answer you with pictures or send notes are usually very cheerful, open and interesting people. Those who look at the picture and simply don't respond, or worse, simply reject the message, are usually boring snobs and bigots. The fear factor also often plays a role: fragile, shy people are afraid to interact with such an impudent anonymous stranger.

Automatic dick machine

If you are too lazy to generate and send out payloads manually, and you want to automate the process, you can make an automatic dickpic machine that, in the background, sends pictures via AirDrop to everyone in range. We will use a Raspberry Pi Zero as the hardware platform, but any computer with Linux will do; the main thing is that the Wi-Fi card supports monitor mode and packet injection.

[Figure: Raspberry Pi Zero W AirDrop dickpic sender + UPS Lite battery shield]

There are AirDrop flooder programs for jailbroken iPhones; they work more stably than the open-source versions on the Raspberry Pi.

Setting up OWL on the Raspberry Pi is described in detail on the project site, but I prefer to use the Raspberry Pi Zero build of Kali Linux, because it already has the nexmon patches installed that enable Wi-Fi monitor mode on the rpi0.

It is important to remember that AirDrop (or rather AWDL) is activated on the target phones only after they receive a BLE packet. Therefore, we must send it at intervals of a few seconds. This can be done using the py-bluetooth-utils utility. Using its start_le_advertising() function, I send the data string from the apple_bleee examples: 000000000000000001123412341234123400.

Once you have a working OWL daemon, you can run my fork of opendrop. The repository contains the script flooder.py, which sends the picture kak_dela.jpeg to everyone.

According to my observations, the Raspberry Pi Zero W is unstable in monitor mode. After about 20 minutes of active flooder operation, the Wi-Fi subsystem crashes. The problem is described by the author of pwnagotchi and is presumably caused by overheating. You need to provide a watchdog or use more stable hardware.

Maniac mode - I know your number

If you want to come across as a deranged maniac and forever kill any desire to keep talking to you, you can try to find out the phone number of the person nearby.

As we learned earlier, the BLE packets sent by the initiator contain the first three bytes of the SHA-256 of the phone number. This hash can be caught when the victim presses the "Share" button and launches an AirDrop device scan, or taps into the Wi-Fi password field for a new network (this is how Apple looks for friends in range who could share the network password).

You will need to somehow trigger the hash from the victim and catch it. I use the utilities from the Apple Bleee repository. Since the Bluetooth MAC addresses of the devices are random and constantly changing, you will have to find another way to identify the desired device in the list. The task is simplified by the fact that iOS broadcasts the current state of the phone, such as: screen off, screen on, lock screen, unlocked, etc. Therefore, simply by observing the victim's actions, you can match the current state of their device with a device in the table. The easiest is to catch the moment when the user takes the phone out of a pocket, turns on the screen and unlocks it with a finger or face. All of this is visible in the sniffer.

[Figure: The Х icon means that a packet with phone hashes has been caught.]

Their parser sometimes breaks, but most of the time it works. I will not retell the essence of the vulnerability in full, since the authors of Apple Bleee analyze it in detail; I will only describe my own experience. I can say that I use a USB Bluetooth adapter based on the CSR 8510 chip, since it works much more stably for me than the MacBook's built-in Bluetooth adapter passed through to the virtual machine.

So we caught the hash from the victim's phone and got the coveted three bytes of the phone number's hash.

[Figure: Intercepted BLE packet with a hash of a phone number, captured with the read_ble_state.py utility]

We know that in Russia all mobile numbers begin with +79, and most likely our victim's phone has the same prefix. So we have a range of numbers from +79000000000 to +79999999999, about a billion numbers.

To narrow the range, we take only the codes actually registered to some operator and discard the rest. As a result, the range shrinks by half, to about half a billion numbers.

Next, we generate the SHA-256 of every number and save only the first 3 bytes of each hash. We load this list into an SQLite database and build an index to speed up lookups.

This is what the database looks like:

[Figure: All Russian phone numbers and the first three bytes of their hashes]

Then, having the victim's hash, we can search for all matches in the database. Usually there are 15-30 matches per hash.
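The two passages above (the 3-byte hash prefix sent in the BLE packet, and the 15-30 candidate numbers that remain after matching it against the numbering plan) describe the same weakness from two sides: a truncated hash of a low-entropy identifier is not a privacy mechanism. The following Python is an added example, not code from the article or from the Apple Bleee project. It reproduces the article's shasum computation as a function and quantifies the resulting anonymity set. The sizes of the numbering ranges (one billion, half a billion) are the article's own estimates, and the assumption that the identifier is hashed as the UTF-8 bytes of the E.164 string exactly as in the shasum example is taken from the article.

```python
import hashlib
import math

# AirDrop's BLE advertisement carries only the first 3 bytes of SHA-256 (per the article).
PREFIX_BYTES = 3


def airdrop_hash_prefix(identifier: str, prefix_bytes: int = PREFIX_BYTES) -> str:
    """Hex of the first `prefix_bytes` bytes of SHA-256(identifier).

    Assumption (from the article's shasum example): the identifier is hashed as
    the raw UTF-8 bytes of the E.164 string, with no salt and no trailing newline.
    """
    digest = hashlib.sha256(identifier.encode("utf-8")).digest()
    return digest[:prefix_bytes].hex()


def expected_candidates(space_size: int, prefix_bytes: int = PREFIX_BYTES) -> float:
    """Expected number of identifiers in a space of `space_size` values that share
    one prefix value, i.e. the anonymity set an observer of the prefix is left with.

    SHA-256 output is effectively uniform, so the `space_size` inputs fall into
    2**(8*prefix_bytes) buckets at random.
    """
    return space_size / 2 ** (8 * prefix_bytes)


def input_entropy_bits(space_size: int) -> float:
    """Bits of uncertainty about the identifier before any hash is observed.

    A hash cannot add entropy to its input, so this bounds the cost of an exhaustive
    search even if the whole 256-bit digest were transmitted: hashing a phone number
    hides nothing from anyone able to enumerate the numbering plan.
    """
    return math.log2(space_size)


def privacy_report(identifier: str, space_size: int) -> dict:
    """Summarise what an observer learns from a single truncated hash."""
    return {
        "prefix": airdrop_hash_prefix(identifier),
        "input_entropy_bits": input_entropy_bits(space_size),
        "prefix_bits": 8 * PREFIX_BYTES,
        "expected_matches_truncated": expected_candidates(space_size),
        "expected_matches_full_digest": expected_candidates(space_size, 32),
    }


if __name__ == "__main__":
    # The article's example number and its two range estimates.
    NUMBER = "+79251234567"
    for label, size in (("all +79 numbers", 10**9), ("assigned +79 numbers", 5 * 10**8)):
        r = privacy_report(NUMBER, size)
        print(f"{label}: prefix={r['prefix']} "
              f"input entropy={r['input_entropy_bits']:.1f} bits, "
              f"prefix carries {r['prefix_bits']} bits, "
              f"expected matches={r['expected_matches_truncated']:.1f}")
```

Two numbers in the report carry the security lesson. The 24-bit prefix over a half-billion-number plan leaves an expected set of about 30 candidates, which is exactly the 15-30 matches the article observes and is small enough to resolve by calling each one. Less obvious is that sending the full digest would not help much either: the input space is under 30 bits, so a precomputed table of every number is cheap, and only a keyed construction or a private-set-intersection style protocol, where the recipient cannot enumerate the sender's identifier space, would actually protect the number.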

[Figure: All numbers that matched the victim's hash]

Obviously, not all of these numbers are actually in use. We can weed out the unnecessary ones using an HLR request or a silent SMS. Of the 30 numbers, 5 turned out to be on the network.

[Figure: The result of the HLR request. Numbers on the network are highlighted in green.]

I could keep sifting through the numbers, for example, add them all to Telegram or WhatsApp and look at the avatars, check them through databases like Getcontact, and so on. But it turned out to be easier to just call all five numbers in turn and watch for when the victim's phone rings.

[Figure: Target located]

All

  • The flooder on the Raspberry Pi is very unstable; other single-board computers need to be tried.
  • A native iOS flooder would be much better, but I couldn't find one that works on iOS 12-13 even with a jailbreak.
  • The flooder.py script is very dumb. It could probably generate a name picture by taking the name from the recipient's device name and stripping out the word "iPhone".
  • The method of determining the phone number could be optimized by checking only whether the number is associated with iMessage. Most likely, this would give close to a 100% hit rate.

Conclusion

This is the perfect entertainment for the subway. There is a wow effect, and curious people are interested in it. There's a lot of improvisation, and there have been very funny cases. It turns out that many people are ready to play along and even cancel their plans to get off at your metro station and go up for coffee. Over the year I met a bunch of people, and I still keep in touch with some of them.

Sometimes I turn off the display of the Telegram login and have fun like this.


Source: habr.com
