A new report by TU Darmstadt and Northeastern University researchers titled “A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link” reveals that vulnerabilities in AWDL (Apple Wireless Direct Link) could enable attackers to track users, crash devices, or intercept files transferred between devices in man-in-the-middle (MitM) attacks.
First of all, what is Apple Wireless Direct Link?
AWDL is Apple's proprietary extension of the IEEE 802.11 (Wi-Fi) standard and integrates with Bluetooth Low Energy (BLE). Its proprietary nature had so far kept it out of reach of independent security and privacy analysis; the new report changes that.
Most Apple users are probably not aware of the protocol, but it is a crucial part of Apple services such as AirPlay and AirDrop, and Apple ships AWDL by default on all its devices: Macs, iPhones, iPads, Apple Watches, Apple TVs, and HomePods.
From a user perspective, AWDL allows a device to stay connected to an infrastructure Wi-Fi network and communicate with AWDL peers at the same time by quickly hopping between the channels of the two networks (AWDL uses the fixed social channels 6, 44, and 149), as StackOverflow users have described.
According to the report, “with deployments on over one billion devices, spanning several Apple operating systems (iOS, macOS, tvOS, and watchOS) and an increasing variety of devices (Mac, iPhone, iPad, Apple Watch, Apple TV, and HomePod), Apple Wireless Direct Link (AWDL) is ubiquitous and plays a key role in enabling device-to-device communications in the Apple ecosystem.”
The AWDL vulnerabilities explained
In their work, the researchers reverse-engineered AWDL and rewrote it as an open C implementation named OWL (Open Wireless Link). OWL was then used to test Apple's real AWDL implementation in various attack scenarios.
The researchers’ analysis shows several security and privacy vulnerabilities ranging from design flaws to implementation bugs that could lead to different kinds of attacks.
1. A long-term device tracking attack which works in spite of MAC randomization, and may reveal personal information such as the name of the device owner (in over 75% of the cases in their experiments).
2. A DoS attack aiming at the election mechanism of AWDL to deliberately desynchronize the targets’ channel sequences effectively preventing communication.
3. A MitM attack which intercepts and modifies files transmitted via AirDrop, effectively allowing for planting malicious files.
4. Two DoS attacks on Apple’s AWDL implementations in the Wi-Fi driver. The attacks allow crashing Apple devices in proximity by injecting specially crafted frames. The attacks can be targeted to a single victim or affect all neighboring devices at the same time.
Of all these attacks, the AWDL vulnerabilities that allow user tracking are the most concerning. Using them, the researchers were able to obtain from an AWDL connection the device hostname, the real MAC address even with MAC address randomization turned on, the AP the device is connected to, as well as the device class and the version of the AWDL protocol. These details are sufficient to track users, and if linked with data from online advertisers and analytics utilities, devices could be associated with their owners.
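To make concrete why MAC randomization does not stop the tracking attack listed as item 1 above, here is an added example (written for this page, not code from the paper, from OWL, or from the article) that correlates captured advertisements by the stable fields the article names: hostname, real MAC address, AP BSSID, device class and protocol version. The Advert record, its field names and encodings, the owner-name heuristic and all sample captures are constructed assumptions for illustration; they are not the AWDL frame format.

```python
"""Toy correlation of AWDL-style advertisements across MAC randomization.

Added example (assumptions): the Advert fields and SAMPLE captures are
constructed for illustration and do not reproduce the real AWDL frame
layout. Only the *kinds* of leaked fields come from the article.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advert:
    t: int           # capture time in seconds (constructed)
    rand_mac: str    # randomized transmitter address of the captured frame
    real_mac: str    # stable hardware address leaked inside the frame body
    hostname: str    # hostname leaked through AWDL service discovery
    bssid: str       # BSSID of the infrastructure AP the device is attached to
    dev_class: int   # device class (assumed encoding)
    version: int     # AWDL protocol version (assumed encoding)


def fingerprint(a: Advert) -> tuple:
    """Identifiers that stay constant while the transmitter MAC rotates."""
    return (a.real_mac, a.hostname, a.dev_class, a.version)


def track_devices(adverts):
    """Cluster captured frames by stable fingerprint.

    Returns a list of tracks (ordered by first sighting); each track collects
    every randomized MAC and every AP the same device was seen with."""
    tracks = {}
    for a in sorted(adverts, key=lambda x: x.t):
        tr = tracks.get(fingerprint(a))
        if tr is None:
            tr = tracks[fingerprint(a)] = {
                "real_mac": a.real_mac, "hostname": a.hostname,
                "dev_class": a.dev_class, "version": a.version,
                "rand_macs": set(), "bssids": set(),
                "first": a.t, "last": a.t}
        tr["rand_macs"].add(a.rand_mac)   # rotation only grows this set
        tr["bssids"].add(a.bssid)         # movement between APs is visible too
        tr["last"] = a.t
    return sorted(tracks.values(), key=lambda tr: tr["first"])


# Possessive hostnames such as "Alice's MacBook Pro" (assumed heuristic).
OWNER_RE = re.compile(r"^(.+?)['’]s\b")


def owner_hint(hostname: str):
    """Guess the owner's name from the hostname; None if there is no hint."""
    m = OWNER_RE.match(hostname)
    return m.group(1) if m else None


# Constructed captures: two devices, each rotating its transmitter MAC
# several times while the leaked fields stay constant.
SAMPLE = [
    Advert(0,    "da:a1:19:01:02:03", "f0:18:98:aa:bb:cc", "Alice's MacBook Pro", "10:00:00:00:00:01", 1, 3),
    Advert(600,  "da:a1:19:44:55:66", "f0:18:98:aa:bb:cc", "Alice's MacBook Pro", "10:00:00:00:00:01", 1, 3),
    Advert(1200, "da:a1:19:77:88:99", "f0:18:98:aa:bb:cc", "Alice's MacBook Pro", "10:00:00:00:00:02", 1, 3),
    Advert(30,   "ea:22:33:10:20:30", "3c:22:fb:11:22:33", "iPhone",              "10:00:00:00:00:01", 2, 3),
    Advert(900,  "ea:22:33:40:50:60", "3c:22:fb:11:22:33", "iPhone",              "10:00:00:00:00:01", 2, 3),
]


def report(adverts):
    """One summary line per tracked device."""
    lines = []
    for tr in track_devices(adverts):
        owner = owner_hint(tr["hostname"]) or "unknown"
        lines.append(
            f"{tr['real_mac']}  host={tr['hostname']!r} owner~{owner} "
            f"class={tr['dev_class']} v{tr['version']} "
            f"seen {tr['first']}s..{tr['last']}s under {len(tr['rand_macs'])} "
            f"randomized MACs, APs={sorted(tr['bssids'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The point of the model: the randomized transmitter address is the only field that changes, so an observer who keys on anything stable that the frames leak (here the real MAC and hostname) follows the device through every rotation, and the BSSID history adds where the owner has been.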
What are the mitigations?
First of all, the researchers notified Apple of everything they discovered between August and December 2018. Apple fixed the Wi-Fi driver DoS vulnerability tracked as CVE-2019-8612, but according to the report the other flaws require a redesign rather than a simple patch.
It seems that the other AWDL flaws will remain unpatched for an undefined time. Worse, the same vulnerabilities may also affect Android devices, since the Wi-Fi Alliance's Neighbor Awareness Networking (NAN, marketed as Wi-Fi Aware) standard that Android implements is closely related to AWDL.