Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Encryption Networking Television Wireless Networking Apple

Apple AirPlay Private Key Exposed 306

An anonymous reader writes "James Laird has reverse engineered the Airport Express private key and published an open source AirPort Express emulator. 'My girlfriend moved house, and her Airport Express no longer made it with her wireless access point. I figured it'd be easy to find an ApEx emulator — there are several open source apps out there to play to them. However, I was disappointed to find that Apple used a public-key crypto scheme, and there's a private key hiding inside the ApEx. So I took it apart (I still have scars from opening the glued case!), dumped the ROM, and reverse engineered the keys out of it.'"
This discussion has been archived. No new comments can be posted.

Apple AirPlay Private Key Exposed

Comments Filter:
  • Apple-time (Score:4, Interesting)

    by sanosuke001 ( 640243 ) on Monday April 11, 2011 @09:42AM (#35780672)
    Apple is going to make life a royal pain in the ass for this guy for releasing this publicly...
    • You mean he is going to have to go on vacation as well?

      Let's see whether Apple or Sony works out to be the biggest pains when it comes to having their keys exposed.

      • by Mia'cova ( 691309 ) on Monday April 11, 2011 @10:21AM (#35781210)

        Let's see someone add airplay support to the ps3. See how many companies can get pissed off at once. If you play it right, they could be goaded into fighting each other. Fingers crossed! Maybe these companies will finally deliver something entertaining to watch :)

    • by ceoyoyo ( 59147 )

      I doubt it. I think Apple has gotten tired of encrypting AirTunes anyway. Despite the title of the article, AirPlay is not encrypted - only the music portion which is really AirTunes. So it was easy to write an AirTunes receiver for video and photos but not music, I suspect due mostly to historical reasons.

      • Re:Apple-time (Score:4, Interesting)

        by jimicus ( 737525 ) on Monday April 11, 2011 @12:45PM (#35782922)


        Music. Being streamed in realtime from one wireless device to another.

        Do you know, I rather suspect the reason for the encryption might be less to do with Apple and more to do with a certain industry we all love to hate. Last two initials of the organisation that represents them are AA.

        • by ceoyoyo ( 59147 ) on Monday April 11, 2011 @12:57PM (#35783046)

          Probably. The RIAA had a lot more clout against Apple when the airport express and AirTunes was introduced than they do now though. Apparently Apple isn't worried about the MPAA objecting to their recent negligence in not encrypting the video (and audio associated with video) portion of AirPlay.

    • by guruevi ( 827432 )

      AirTunes (the predecessor to AirPlay) was also 'hacked' and released with even a commercial distributor of software that would work with it (Rogue Amoeba I believe). Apple doesn't so much care about the hacking of their systems, they're probably happy somebody finally did while on the other hand they can claim to the **AA - we implemented your precious DRM so we can keep selling your crap.

  • by MarkRose ( 820682 ) on Monday April 11, 2011 @09:42AM (#35780674) Homepage

    If you extract the ROM out of an Apple device, is that a core dump?

  • by amn108 ( 1231606 ) on Monday April 11, 2011 @09:42AM (#35780676)

    I like how easy he makes it sound :-)

    Things you need to hack the Airport Express:

    1. Girlfriend
    2. A pinch of dissappointment
    3. Wilingness to break open glued Apple casing

  • If only we had more people like this around; people willing and able to void the warranty and hack things. I know there are a few, but every story like this is great. James, good work!

  • Open source win (Score:4, Insightful)

    by jhigh ( 657789 ) on Monday April 11, 2011 @09:43AM (#35780686)
    Score one for the good guys. This is just further proof that security through obscurity is a myth. You cannot expect that keeping everything locked inside your proprietary case is going to keep it secure. The best security is sunlight. Let the community poke and prod at your software and/or hardware and it will only improve your offering.
    • You cannot expect that keeping everything locked inside your proprietary case is going to keep it secure.

      I don't know about that... there are plenty of ways to build a really strong case as such that if it's broken open whatever is inside is completely destroyed.

      • by zill ( 1690130 )
        But will these techniques be employed in a product that costs $20 to manufacture and retails for $100? Probably not.
        • Re: (Score:3, Insightful)

          by queazocotal ( 915608 )

          Yes. Eventually.
          Reverse engineering and hacking closed stuff is ____NOT___ a victory.
          It sends the wrong signals.
          'Protected stuff sells just fine'.
          'We don't need to worry about little guys stealing our market as the nerds can hack our cheap boxes'.
          'Appeasing content providers is an easy buisness model'

          The problem with hacking is that it's getting easier to protect stuff.
          A decade ago, if you were making a router, you had little choice to make it from a CPU chip, a ROM chip, and a RAM chip.
          All soldered to a bo

    • Re:Open source win (Score:5, Insightful)

      by agentgonzo ( 1026204 ) on Monday April 11, 2011 @10:35AM (#35781352)

      This is just further proof that security through obscurity is a myth.

      Unfortunately, you can boil the entirety of information theory to 'security through obscurity'. Airplay uses public key encryption and is in that sense 'secure'. Everything that needs to read the encrypted content (in this case the airplay device) needs to have the key to decrypt it. Thus you can argue that the whole system is 'security through obscurity' because it is relying on the 'obscurity' of the private key that the end-user can't get access to (unless the pry it open with a butterknife and dump the ROM).

      • by sjames ( 1099 )

        Except that this isn't what is meant by security by obscurity. Knowing the RSA algorithm doesn't allow you to read anything as long as reasonable keys are chosen. Using rot13 for "security" would be security by obscurity. So would using an undocumented protocol or port number.

        This is a related problem that you can't distribute a key widely and keep it to yourself at the same time. You can TRY to limit the uses of the key, but eventually someone cracks the case and obtains it anyway.

        Sony's problem is related

    • I haven't read the post, but my understanding is cracks like this are possible because companies cut corners to get their code running on low end embedded devices. As chips get faster they stop cutting those corners and the hacks go away :(
    • If Apple wants to lock things away, how does going public help? Would the public shoot themselves in the foot by improving the protection on Apple's tools? Would the public help perfect DRM to keep the important stuff locked away from themselves? Or would we just take it and do what *we* want with it? Opening everything may be for the ultimate good, but that's not what Apple cares about. So of course they're going to go with obscurity. Which for-profit businesses are altruistic?
    • You repeat the mantra, but do you understand it?

      How would the open source community solve this problem?

      What version of device authentication doesn't involve having a critical secret key on the device being authenticated? Such a secret is the very basis upon which authentication works.

      The only possible solution to this that I know if is different hardware that guards the key better and I don't know that the open source community is going to provide that.

  • I don't see anywhere where is says it's the AirPlay private key. I thought that was on a per device basis anyway.
  • I fear this guy will likely get himself a lawsuit or a restraining order for his troubles.

    Pretty much any major company is going to react badly to you publishing their private keys for their encryption.

    • If they don't want their private keys being made public, perhaps they should not be giving them out [slashdot.org]. Private keys are meant to be kept private.
    • by jrumney ( 197329 ) on Monday April 11, 2011 @10:41AM (#35781428)
      The DCMA has an exception for reverse engineering for compatibility. In this case, the private key is not protecting content, it is protecting Apple's monopoly on interoperating with iDevices in a particular way, so it was fair game.
      • You may be right, but that doesn't mean that he would not be required to prove it in a court of law. 's why SLAPP legislation exists as well. Don't like what someone is doing? Sue them. Either you run them out of money and roll over them in court, or they settle "your way".

      • Since when has that ever stopped companies from initiating pointless lawsuits?
      • Re: (Score:3, Informative)

        In this case, the private key is not protecting content

        It does protect content, somewhat—iTunes decrypts (and decompresses and recompresses as Apple Lossless) DRMed audio before sending it to an Airport Express. Emulating an Airport Express allows one to obtain the decrypted audio, though not in its original oompressed form; it's no more of a hole than burning to a CD.

  • DMCA violation (Score:4, Insightful)

    by sideslash ( 1865434 ) on Monday April 11, 2011 @09:45AM (#35780714)
    This guy should just meekly accept that his girlfriend's expensive gadgets don't work for her anymore. How dare he tinker around and fix things. (At least I think they imported some flavor of the DMCA down under.)
  • by gblues ( 90260 ) on Monday April 11, 2011 @09:48AM (#35780760)

    Does this mean we can finally get an iTunes-alike that can work with iTunes 7+ library sharing?

    • Aren't there *open*, non-proprietary protocols that are a better choice for streaming music and video?
      • by ari_j ( 90255 )
        Don't ask. Tell. What protocol should we be using that allows us to use one relatively clean user interface on the computer to purchase, play, and stream audio and video content including movie rentals and television show subscriptions (iTunes) that quickly and easily, without nerd intervention, can also send content to our television through an inexpensive set-top box (Apple TV), to our stereo through a reasonably-priced wireless access point (Airport Express), or to our hands through a tablet (iPad)?
  • i know it's more than just a cheap wifi router, but how many people care and are willing to pay the $180 price tag?

    • by characterZer0 ( 138196 ) on Monday April 11, 2011 @10:04AM (#35780990)

      I bought one once. I set up the network for a small organization and every time there was any kind of problem they blamed the WiFi router and called me. I bought a Airport and threw that in there instead. Now they have just as many problems but they assume that the Apple product cannot possibly be the issue, and I have not received a complaint from them since. It has been a almost two years. It was well worth the $180 to me.

    • The airport express is 99 bucks I believe. If my stupid work firewall didn't block the "apple everything" then I could look and see. I know I've seen them for $89 and $79 at times... Throw 3 or 4 around your house, they're awesome just for the airplay aspect, regardless of the other features (router, printer sharing).
    • by necro81 ( 917438 )
      He was specifically referring to the Airport Express, which retails for $99. [link [apple.com]]

      And for that pricetag, you get the ability to stream music from basically any device on the network (server, laptop, iPhone, etc.) to wherever the Airport is. You also get wireless printing.

      I shouldn't be surprised that a guy, when confronted with a broken Airport Express, would go through all the effort of breaking it open, dumping the ROM, and reverse engineering the private key. People get curious, people like to t
    • by Henriok ( 6762 )
      The AirPort Express cost $99 as do an Apple TV.
    • The airport express is $99 [apple.com] and is one of the few consumer routers that properly supports ipv6 [networkworld.com]
  • by pinkishpunk ( 1461107 ) on Monday April 11, 2011 @09:51AM (#35780828)
    he did a post to the vlc-devel list here, http://mailman.videolan.org/pipermail/vlc-devel/2011-April/079616.html [videolan.org] It private rsa key is there, might be a good thing to download, if you are worried apple might do something stupid.
  • by pixline ( 2028580 ) on Monday April 11, 2011 @09:53AM (#35780868)
    Here's the code you would have find on that page. I saved it earlier, here you go: http://www.multiupload.com/0EUN2QKDMT [multiupload.com] (Yes, it does include something like a private key. Don't ask me if it's THAT key, I don't know.)
  • The best part (Score:5, Interesting)

    by AK76 ( 966804 ) on Monday April 11, 2011 @10:00AM (#35780948)
    From the README:
    "Thanks also to Apple for obfuscating the private key in the ROM image, using a
    scheme that made the deobfuscation code itself stand out like a flare."
    • by tivoKlr ( 659818 )
      This kind of snark is exactly why Apple legal will be conversing with this fellow shortly. It's too bad really, airplay should be incorporated into every device both as a "pitcher and a catcher", regardless of the typical end use of the device.
  • Is it actually "reverse engineering" if you scrape the data off the ROM? It sounds like the phrase "reverse engineering" is just being used to avoid a DMCA attack.
    • The ROM doesn't just contain data; it contains both code and data. Reverse engineering the code was necessary to determine where in the code/data the private key was located. They could have put it anywhere on the ROM.

    • by daid303 ( 843777 )

      The key was obfuscated in the ROM. So having just the ROM data wasn't enough.

  • Very cool hack! (Score:3, Insightful)

    by GameboyRMH ( 1153867 ) <gameboyrmh@NoSpam.gmail.com> on Monday April 11, 2011 @10:06AM (#35781024) Journal

    Now what the hell's an AirPlay and what good is it to me?

    Oh, it's an Apple-proprietary media streaming protocol? Well, I give an A+ for l33tness, but an F for choosing a useful target.

  • by sheetzam ( 454981 ) on Monday April 11, 2011 @10:09AM (#35781056) Homepage

    http://mafipulation.org/static/shairport-0.02.tar.gz [mafipulation.org]. c source code and perl script included. Link still working as I post this.

  • So, was she impressed?

  • What does it do? (Score:4, Interesting)

    by the_other_chewey ( 1119125 ) on Monday April 11, 2011 @10:31AM (#35781300)
    Could someone familiar with Apple stuff please explain
    what exactly this key is for?

    Why would a wifi AP need a secret key?
    • Re:What does it do? (Score:5, Informative)

      by ceoyoyo ( 59147 ) on Monday April 11, 2011 @11:25AM (#35781934)

      The Airport Express AP has an audio out jack. An iPhone, iPod Touch, iPad or iTunes can route music to that device. Unfortunately when it was introduced Apple decided to encrypt the stream so only Airport Expresses were valid receivers. Now anything that has a network connection and can run a program can be the receiver.

  • by martijnd ( 148684 ) on Monday April 11, 2011 @10:44AM (#35781450)

    From: http://www.cocoadev.com/index.pl?AirTunesEncryption

    The Apple-Challenge / Apple-Response is iTunes' method to verify that it's talking to an Airport Express; it may be similar to the DAAP one which has been reverse-engineered. These headers are optional when talking to the Airport Express, so it's possible for other programs to talk to the Express but it'll be difficult to get iTunes to talk to something other than the Airport Express.

    Until we get the private key out of the AirPortExpress, it's not possible to convince iTunes to send anything to a non-AirPortExpress client (say, another computer pretending to be an AirPortExpress).

    Seems that problem has now been solved.

    • by awtbfb ( 586638 ) on Monday April 11, 2011 @12:59PM (#35783064)
      Everyone is looking at the tree, not the forest. While everyone is going to jump on the "Apple did this to make money" argument, you know a major reason for this key was Apple's way of keeping content providers happy. Now that it's broken, there is a new "analog hole" for audio and video content. It is easy to imagine a computer using this to create a digital media file rather than routing to speakers. I suspect it won't be long before content providers pressure Apple into using secondary data to confirm iTunes is talking to a legit device.
      • You can't stream video to an AirPort Express, so there's no new analog hole for video content.
        Even with protected audio content, you could still burn this to a CD as Red Book CDDA audio, which you could then freely "Rip, Mix, Burn" so it hasn't really enabled anything new for audio either.

        What it does allow for is replacing a dead AirPort Express with something more reliable. Those little fuckers (earlier models at least) had a very bad habit of just randomly dying, and usually after a bit more than one year old, conveniently out of warranty. The fault was 200V rated capacitors used in the power supply that were fine in a 110V supply area but eventually died when on 240V...

This process can check if this value is zero, and if it is, it does something child-like. -- Forbes Burkowski, CS 454, University of Washington