Apple AirPlay Private Key Exposed 306
An anonymous reader writes "James Laird has reverse engineered the Airport Express private key and published an open source AirPort Express emulator. 'My girlfriend moved house, and her Airport Express no longer made it with her wireless access point. I figured it'd be easy to find an ApEx emulator — there are several open source apps out there to play to them. However, I was disappointed to find that Apple used a public-key crypto scheme, and there's a private key hiding inside the ApEx. So I took it apart (I still have scars from opening the glued case!), dumped the ROM, and reverse engineered the keys out of it.'"
Apple-time (Score:4, Interesting)
Re: (Score:3)
You mean he is going to have to go on vacation as well?
Let's see whether Apple or Sony works out to be the biggest pains when it comes to having their keys exposed.
Re:Apple-time (Score:5, Funny)
Let's see someone add airplay support to the ps3. See how many companies can get pissed off at once. If you play it right, they could be goaded into fighting each other. Fingers crossed! Maybe these companies will finally deliver something entertaining to watch :)
Re: (Score:3)
I doubt it. I think Apple has gotten tired of encrypting AirTunes anyway. Despite the title of the article, AirPlay is not encrypted - only the music portion which is really AirTunes. So it was easy to write an AirTunes receiver for video and photos but not music, I suspect due mostly to historical reasons.
Re:Apple-time (Score:4, Interesting)
Hmm.
Music. Being streamed in realtime from one wireless device to another.
Do you know, I rather suspect the reason for the encryption might be less to do with Apple and more to do with a certain industry we all love to hate. Last two initials of the organisation that represents them are AA.
Re:Apple-time (Score:4)
Probably. The RIAA had a lot more clout against Apple when the airport express and AirTunes was introduced than they do now though. Apparently Apple isn't worried about the MPAA objecting to their recent negligence in not encrypting the video (and audio associated with video) portion of AirPlay.
Re: (Score:3)
AirTunes (the predecessor to AirPlay) was also 'hacked' and released with even a commercial distributor of software that would work with it (Rogue Amoeba I believe). Apple doesn't so much care about the hacking of their systems, they're probably happy somebody finally did while on the other hand they can claim to the **AA - we implemented your precious DRM so we can keep selling your crap.
Please tell me (Score:5, Funny)
If you extract the ROM out of an Apple device, is that a core dump?
real easy innit (Score:5, Funny)
I like how easy he makes it sound :-)
Things you need to hack the Airport Express:
1. Girlfriend
2. A pinch of dissappointment
3. Wilingness to break open glued Apple casing
Re:real easy innit (Score:5, Funny)
Have you ever tried to open one of the glued-together cases? That's by far more difficult than getting a girlfriend
Re: (Score:2)
Have you ever tried hooking up with a girl after a long August day? #3 is much easier.
Re: (Score:2)
WOOSH for me, I guess....
Re:real easy innit (Score:5, Funny)
Not if you freeze them with dry ice and hit them with a hammer...
Yes it works with glued together cases as well.
Re:real easy innit (Score:5, Funny)
Don't know about you, but I've found that #1 can lead to #2 -- and has on several occasions.
Re: (Score:2)
it's ok.
it's not the size that matters.
Re:real easy innit (Score:5, Funny)
The considerably less lethal version of Spock's death grip.
Re: (Score:3)
1. Girlfriend
That leaves out most slashdotters, right?
Yeah :'( I am starting to wonder whether I'll find one I want to be with before I'm 60. I am starting to wonder whether I am simply v-sexual - only able to have any relationships with virtual entities. I don't want to be an expert in the theory of human relationships. This is one place where an applied subject is of more interest.
Re: (Score:3)
Betting your problem is that your expectations are too high for your assets. I know several super nerdy friends that say...
"I'll only date HOT chicks!" yet they weigh 380 pounds and dont shower... Guess what, my super nerdy friends have never had any dates let along girlfriends.
To up the ante and nab the attention of women in your asset range... Clean more often than you think you need it. Yes a shower daily is required, as is teeth brushing and deoderant... try a nice light and popular scent as well.
L
Re:real easy innit (Score:4, Informative)
/g/=global, ie: substitute all, not just the first occurrence
Re: (Score:3)
Regular Expressions are used in a lot more than just vi..
Re: (Score:3)
s/vi/perl/g #for example
Re:real easy innit (Score:4, Insightful)
I wouldn't. I've got a wife and I can tell you first hand, it's HARD to have a girlfriend and a wife.
Re:real easy innit (Score:4, Funny)
Marriage: It's a lot of work, but in the long run, eventually one of you dies.
Hooray! (Score:2)
If only we had more people like this around; people willing and able to void the warranty and hack things. I know there are a few, but every story like this is great. James, good work!
Re: (Score:3)
Open source win (Score:4, Insightful)
Re: (Score:2)
You cannot expect that keeping everything locked inside your proprietary case is going to keep it secure.
I don't know about that... there are plenty of ways to build a really strong case as such that if it's broken open whatever is inside is completely destroyed.
Re: (Score:2)
Re: (Score:3, Insightful)
Yes. Eventually.
Reverse engineering and hacking closed stuff is ____NOT___ a victory.
It sends the wrong signals.
'Protected stuff sells just fine'.
'We don't need to worry about little guys stealing our market as the nerds can hack our cheap boxes'.
'Appeasing content providers is an easy buisness model'
The problem with hacking is that it's getting easier to protect stuff.
A decade ago, if you were making a router, you had little choice to make it from a CPU chip, a ROM chip, and a RAM chip.
All soldered to a bo
Re:Open source win (Score:5, Insightful)
This is just further proof that security through obscurity is a myth.
Unfortunately, you can boil the entirety of information theory to 'security through obscurity'. Airplay uses public key encryption and is in that sense 'secure'. Everything that needs to read the encrypted content (in this case the airplay device) needs to have the key to decrypt it. Thus you can argue that the whole system is 'security through obscurity' because it is relying on the 'obscurity' of the private key that the end-user can't get access to (unless the pry it open with a butterknife and dump the ROM).
Re: (Score:3)
Except that this isn't what is meant by security by obscurity. Knowing the RSA algorithm doesn't allow you to read anything as long as reasonable keys are chosen. Using rot13 for "security" would be security by obscurity. So would using an undocumented protocol or port number.
This is a related problem that you can't distribute a key widely and keep it to yourself at the same time. You can TRY to limit the uses of the key, but eventually someone cracks the case and obtains it anyway.
Sony's problem is related
Re: (Score:3)
If apple wants to lock things away... (Score:3)
Re: (Score:3)
You repeat the mantra, but do you understand it?
How would the open source community solve this problem?
What version of device authentication doesn't involve having a critical secret key on the device being authenticated? Such a secret is the very basis upon which authentication works.
The only possible solution to this that I know if is different hardware that guards the key better and I don't know that the open source community is going to provide that.
Re:Good guys? Really? (Score:5, Insightful)
You're pro-open source, so that makes you a "good guy"? I like chocolate, you like vanilla, ergo, I am good, you are bad.
Does being pro-freedom make you a good guy? Does believing that everyone should have free access make you a good guy? Does helping your others make you a good guy?
Free software ideology isn't about the end product, it isn't chocolate versus vanilla, it is about process and access: how do we choose what gets made, how do we make it, who gets to make it and who gets access to what has been made?
Re:Good guys? Really? (Score:5, Insightful)
how do we choose what gets made
By either making it yourself, or by purchasing something made by someone else only when it fits all your particular requirements.
how do we make it, who gets to make it and who gets access to what has been made?
If you truly value freedom, and not just freedom for you and those who agree with your particular worldview, you don't 'choose' those things. You allow people to be free to make whatever they like however they like and you react to those choices as above.
Apple's products are Apple's right up to the point where they sell them to you. If they choose to not make the source code for their software available and sell it only as a compiled version, that is their choice. If they choose to offer only their own means on installing additional software, their choice.
To argue they should be obligated differently is fine with me, but to cloak that under the guise of promoting 'freedom' is not.
No (Score:3, Insightful)
Re: (Score:3)
Actually, the Constitution guarantees both Apple and you certain rights. But if you only want yours protected, you're a hypocrite - and short sighted. Once the camel's nose is under the tent, he doesn't care whose sandwich he eats.
The thing is, though, once I buy the product, it isn't Apple's anymore, and I can and will do with it as I please.
The
Re: (Score:3)
Are you honestly suggesting that he killed his wife over open vs. closed source?
What ? No ! I was refuting the assertion that liking open source makes you a good guy. You can be an open source guy and still be a murderous asshole. So :
Q > Does being pro-freedom make you a good guy? Does believing that everyone should have free access make you a good guy? Does helping your others make you a good guy?
A > No (or more accurately: not necessarily)
Don't you mean the airport express private key? (Score:2)
Cue lawsuit in ... (Score:2)
I fear this guy will likely get himself a lawsuit or a restraining order for his troubles.
Pretty much any major company is going to react badly to you publishing their private keys for their encryption.
Re: (Score:2)
Re:Cue lawsuit in ... (Score:5, Informative)
Re: (Score:3)
You may be right, but that doesn't mean that he would not be required to prove it in a court of law. 's why SLAPP legislation exists as well. Don't like what someone is doing? Sue them. Either you run them out of money and roll over them in court, or they settle "your way".
Re: (Score:3)
Re: (Score:3, Informative)
In this case, the private key is not protecting content
It does protect content, somewhat—iTunes decrypts (and decompresses and recompresses as Apple Lossless) DRMed audio before sending it to an Airport Express. Emulating an Airport Express allows one to obtain the decrypted audio, though not in its original oompressed form; it's no more of a hole than burning to a CD.
DMCA violation (Score:4, Insightful)
open-source library sharing incoming? (Score:4, Interesting)
Does this mean we can finally get an iTunes-alike that can work with iTunes 7+ library sharing?
Re: (Score:3)
Re: (Score:3)
Re: (Score:3)
I'm going to give a few criteria, because Ari J wasn't quite clear enough.
1. Streams from PCs
2. Has on-board storage for when my laptop is absent
3. Doesn't suck.
and how many people use Airport? (Score:2)
i know it's more than just a cheap wifi router, but how many people care and are willing to pay the $180 price tag?
Re:and how many people use Airport? (Score:5, Interesting)
I bought one once. I set up the network for a small organization and every time there was any kind of problem they blamed the WiFi router and called me. I bought a Airport and threw that in there instead. Now they have just as many problems but they assume that the Apple product cannot possibly be the issue, and I have not received a complaint from them since. It has been a almost two years. It was well worth the $180 to me.
Re:and how many people use Airport? (Score:4, Funny)
I use airport express. Several. (Score:3)
Re: (Score:3)
And for that pricetag, you get the ability to stream music from basically any device on the network (server, laptop, iPhone, etc.) to wherever the Airport is. You also get wireless printing.
I shouldn't be surprised that a guy, when confronted with a broken Airport Express, would go through all the effort of breaking it open, dumping the ROM, and reverse engineering the private key. People get curious, people like to t
Re: (Score:3, Informative)
Re: (Score:3)
Not dumb. You're assuming it's just some sort of wireless router or access point. It does more.
It has audio out and a USB connector. Audio out can be connected to speakers, so you can take music that you're listening to on your iPod and say, play this in the Living Room. The airport express in the living room can then start playing your audio to the hi-fi. I'm not sure if you can do
$99 (Score:2)
Re: (Score:3)
posted to vlc-devel list (Score:5, Informative)
SHAirport 0.01 backup copy (Score:3, Informative)
The best part (Score:5, Interesting)
"Thanks also to Apple for obfuscating the private key in the ROM image, using a
scheme that made the deobfuscation code itself stand out like a flare."
Re: (Score:2)
"Reverse Engineering" how? (Score:2)
Re: (Score:3)
The ROM doesn't just contain data; it contains both code and data. Reverse engineering the code was necessary to determine where in the code/data the private key was located. They could have put it anywhere on the ROM.
Re: (Score:2)
The key was obfuscated in the ROM. So having just the ROM data wasn't enough.
Very cool hack! (Score:3, Insightful)
Now what the hell's an AirPlay and what good is it to me?
Oh, it's an Apple-proprietary media streaming protocol? Well, I give an A+ for l33tness, but an F for choosing a useful target.
Link to the source code and perl script (Score:4, Informative)
http://mafipulation.org/static/shairport-0.02.tar.gz [mafipulation.org]. c source code and perl script included. Link still working as I post this.
Key question (Score:2)
So, was she impressed?
Re: (Score:2)
What does it do? (Score:4, Interesting)
what exactly this key is for?
Why would a wifi AP need a secret key?
Re:What does it do? (Score:5, Informative)
The Airport Express AP has an audio out jack. An iPhone, iPod Touch, iPad or iTunes can route music to that device. Unfortunately when it was introduced Apple decided to encrypt the stream so only Airport Expresses were valid receivers. Now anything that has a network connection and can run a program can be the receiver.
Getting iTunes to talk to remote speakers (Score:5, Informative)
From: http://www.cocoadev.com/index.pl?AirTunesEncryption
The Apple-Challenge / Apple-Response is iTunes' method to verify that it's talking to an Airport Express; it may be similar to the DAAP one which has been reverse-engineered. These headers are optional when talking to the Airport Express, so it's possible for other programs to talk to the Express but it'll be difficult to get iTunes to talk to something other than the Airport Express.
Until we get the private key out of the AirPortExpress, it's not possible to convince iTunes to send anything to a non-AirPortExpress client (say, another computer pretending to be an AirPortExpress).
Seems that problem has now been solved.
Look at the forest, not the trees (Score:4, Interesting)
Re:Look at the forest, not the trees (Score:4, Interesting)
You can't stream video to an AirPort Express, so there's no new analog hole for video content.
Even with protected audio content, you could still burn this to a CD as Red Book CDDA audio, which you could then freely "Rip, Mix, Burn" so it hasn't really enabled anything new for audio either.
What it does allow for is replacing a dead AirPort Express with something more reliable. Those little fuckers (earlier models at least) had a very bad habit of just randomly dying, and usually after a bit more than one year old, conveniently out of warranty. The fault was 200V rated capacitors used in the power supply that were fine in a 110V supply area but eventually died when on 240V...
Re: (Score:2)
Slashdotted. The entire server appears down, not just the page.
Re: (Score:2)
Re:Slashdotter already (Score:4, Funny)
What is there to understand?
His girlfriend was the director of programming for Fox and changed the time slot for House. This made her Airport Express mad at her, so it is withholding sex with her other wireless access point as punishment.
I mean, jeez. How hard can it be to understand? Seems pretty straightforward to me.
Re: (Score:2)
well the whole server seems to be down so I'd go with a simple slashdotting.
Re:Slashdotter already (Score:5, Informative)
Here's the key on the VideoLan boards.
Airport RSA Key [videolan.org]
THE KEY (Score:2)
Re:Slashdotter already (Score:5, Informative)
And here's a post which may or may not receive a takedown notice from Apple. Remove the extra spaces inserted to evade the lameness filter.
-----BEGIN RSA PRIVATE KEY----- /+sG+NCK3eQJVxqcaJ/vEHKIVd 2M+5qL71yJQ+87X6oV3eaYvt3zWZYD6z5vYTcrtij2VZ9Zmni/
MIIEpQIBAAKCAQEA59dE8qLie ItsH1WgjrcFRKj6eUWqi+bGLOX1HL3U3GhC/j0Qg90u3sG/1CUt
wC5vOYvfDmFI6oSFXi5ELabWJ mT2dKHzBJKa3k9ok+8t9ucRqMd6DZHJ2YCCLlDRKSKv6kDqnw4U
wPdpOMXziC/AMj3Z/lUVX1G7W SHCAWKf1zNS1eLvqr+boEjXuBOitnZ/bDzPHrTOZz0Dew0uowxf
UAaHqn9JdsBWLUEpVviYnhimN VvYFZeCXg/IdTQ+x4IRdiXNv5hEewIDAQABAoIBAQDl8Axy9XfW
BLmkzkEiqoSwF0PsmVrPzH9Ks nwLGH+QZlvjWd8SWYGN7u1507HvhF5N3drJoVU3O14nDY4TFQAa
LlJ9VM35AApXaLyY1ERrN7u9AL Kd2LUwYhM7Km539O4yUFYikE2nIPscEsA5ltpxOgUGCY7b7ez5
NtD6nL1ZKauw7aNXmVAvmJTcuP xWmoktF3gDJKK2wxZuNGcJE0uFQEG4Z3BrWP7yoNuSK3dii2jm
lpPHr0O/KnPQtzI3eguhe0TwUem/e YSdyzMyVx/YpwkzwtYL3sR5k0o9rKQLtvLzfAqdBxBurciz
aaA/L0HIgAmOit1GJA2saMxTVPNh AoGBAPfgv1oeZxgxmotiCcMXFEQEWflzhWYTsXrhUIuz5jFu
a39GLS99ZEErhLdrwj8rDDViRVJ5s kOp9zFvlYAHs0xh92ji1E7V/ysnKBfsMrPkk5KSKPrnjndM
oPdevWnVkgJ5jxFuNgxkOLMuG9i53 B4yMvDTCRiIPMQ++N2iLDaRAoGBAO9v//mU8eVkQaoANf0Z
oMjW8CN4xwWA2cSEIHkd9AfFkftuv8 oyLDCG3ZAf0vrhrrtkrfa7ef+AUb69DNggq4mHQAYBp7L+
k5DKzJrKuO0r+R0YbY9pZD1+/g9dVt9 1d6LQNepUE/yY2PP5CNoFmjedpLHMOPFdVgqDzDFxU8hL
AoGBANDrr7xAJbqBjHVwIzQ4To9pb4B NeqDndk5Qe7fT3+/H1njGaC0/rXE0Qb7q5ySgnsCb3DvA
cJyRM9SJ7OKlGt0FMSdJD5KG0XPIpA VNwgpXXH5MDJg09KHeh0kXo+QA6viFBi21y340NonnEfdf
54PX4ZGS/Xac1UK+pLkBB+zRAoGAf0 AY3H3qKS2lMEI4bzEFoHeK3G895pDaK3TFBVmD7fV0Zhov
17fegFPMwOII8MisYm9ZfT2Z0s5Ro3s5r kt+nvLAdfC/PYPKzTLalpGSwomSNYJcB9HNMlmhkGzc
1JnLYT4iyUyx6pcZBmCd8bD0iwY/FzcgN DaUmbX9+XDvRA0CgYEAkE7pIPlE71qvfJQgoA9em0gI
LAuE4Pu13aKiJnfft7hIjbK+5kyb3TysZvoyD nb3HOKvInK7vXbKuU4ISgxB2bB3HcYzQMGsz1qJ
2gG0N5hvJpzwwhbhXqFKA4zaaSrw622wD niAK5MlIE0tIAKKP4yxNGjoD2QYjhBGuhvkWKaXTyY=
-----END RSA PRIVATE KEY-----
Re:Slashdotter already (Score:5, Funny)
Re: (Score:2)
Re:Slashdotter already (Score:5, Funny)
What the hell do you have in your luggage that needs THAT?!?
An Airport Express Station.
Re:Slashdotter already (Score:5, Funny)
Thanks for that. One thing about getting older is that your memory doesn't dish up all the bits you need on time. So you end up having conversations like this:
Me: Hahaha!
Wife: What's so funny?
Me: Look what this guy wrote: 'That's amazing! I've got the same combination on my luggage!' Haha!
Wife: Why is that funny?
Me [frowning]: I don't know.
Re:Slashdotter already (Score:5, Funny)
No one time pad. Less space than a TrueCrypt container. Lame.
Re: (Score:2)
I can load that article from a number of sources that Google throws up - but none of them actually give the key.
Re: (Score:2)
Re:Editor ? (Score:5, Funny)
Two things that appear to be true about the author of the article and not about you:
1. The author's first language was not English
2. The author has a girlfriend.
Between English tenses and a hot European chick, I know which one I'd prefer to be conjugating.
Re: (Score:2)
This being Slashdot, we know the answer is English tenses.
Re: (Score:2)
Glad that wasn't just me.
Re: (Score:2)
Re: (Score:2)
How long before we see some hacked firmware for normal routers, I wonder?
That's a great idea... but I can't seem to find the audio-out on my Linksys router ...
Re: (Score:2)
How long before we see some hacked firmware for normal routers, I wonder?
That's a great idea... but I can't seem to find the audio-out on my Linksys router ...
You need wifi-enabled headphones.
Re: (Score:2)
You can get a cheap USB sound card for $15 that'll give you outputs. Presumably if you're running a linux-based firmware, there should be some acceptable driver/hardware combination for this. I have a switch behind my stereo to split things up for the 360, ps3, etc. It'd be rather nice to have airplay support going directly from the router into the receiver. I can't wait to see someone hack this together!
Re: (Score:3)
If Apple follows the same tactics as Sony, then he doesn't need to worry. People will come around to remove his harddrives for him soon enough!
Re: (Score:3)
Re: (Score:3)
Either by plugging into a programming interface, or if there is none by removing the ROM chip from its socket or de-soldering it and then reading it with a special device. You do know the basic gist of how a ROM works? You give it voltage, a clock, and an address, and you get a single unit of memory (byte or word). You record the contents of that memory cell, increment the address counter, pulse the clock, and you get the next unit of memory. Etc. Obviously you use a computerized device that does that autom