Apple's AWDL Protocol Plagued By Flaws That Enable Tracking and MitM Attacks (zdnet.com) 56
Apple Wireless Direct Link (AWDL), a protocol installed on over 1.2 billion Apple devices, contains vulnerabilities that enable attackers to track users, crash devices, or intercept files transferred between devices via man-in-the-middle (MitM) attacks. From a report: These are the findings of a research project that started last year at the Technical University of Darmstadt, in Germany, and has recently concluded, and whose findings researchers will be presenting later this month at a security conference in the US. The project sought to analyze the Apple Wireless Direct Link (AWDL), a protocol that Apple rolled out in 2014 and which also plays a key role in enabling device-to-device communications in the Apple ecosystem. While most Apple end users might not be aware of the protocol's existence, AWDL is at the core of Apple services like AirPlay and AirDrop, and Apple has been including AWDL by default on all devices the company has been selling, such as Macs, iPhones, iPads, Apple watches, Apple TVs, and HomePods. But in the past five years, Apple has never published any in-depth technical details about how AWDL works. This, in turn, has resulted in very few security researchers looking at AWDL for bugs or implementation errors.
and unlike Android (Score:1)
this will be fixed on millions of devices within the month
Re:and unlike Android (Score:4, Informative)
this will be fixed on millions of devices within the month
And left permanently unfixed on any device that won't run the latest version of iOS. Also, from all indications, this probably cannot be fixed without breaking backwards compatibility, which means that it won't be possible to use AirDrop or multipeer connectivity between current iOS devices and previous iOS devices. So this is yet another backwards-incompatible change to AirDrop. *bangs head repeatedly against wall*
This is just another example of Apple's secrecy directly hurting their customers. Apple has basically only created three interesting networking protocols in recent memory: mDNS, AWDL, and FaceTime. Of those, mDNS is open source, and the other two BOTH have had major security holes that have catastrophically harmed user privacy and security.
IMO, proprietary protocols should automatically be assumed unsafe, period. Had Apple opened up these protocols immediately to public scrutiny, as they should have — as Apple promised in the case of FaceTime — these problems would have been found much sooner, and wouldn't have become a crisis. Instead, they are/were crises. And the only reason for these privacy-damaging mistakes is that Apple's upper management is more concerned about keeping these protocols private and avoiding compatibility with Android than about actually protecting their customers' privacy and security.
For shame, Apple. For shame.
To make matters worse, had Apple not rushed their technology to market, they could have used the Wi-Fi Direct open standard like Android does, and avoided all of these problems. But the good news is that it's not too late to throw out AWDL and start over with open standards. They have to break compatibility anyway, so why not do it right this time?
Yeah, I'm not holding my breath, either.
Re: (Score:1)
If I had mo points, I would mod your post a troll. Not a particularly good one though.
Android has myriads of security issues. https://www.cvedetails.com/vul... [cvedetails.com] is a non-exhaustive list.
Android has generally three sources of security issues:
1. Issues in underlying Open Source code.
2. Issues in Google created code.
3. Issues in code contributed by the device manufacturer.
None of these three entities has ever written quality code. The underlying code seems to be the best quality. The others are unable to write
Why new protocols (Score:3)
Why do people create new protocols? What's missing from old ones? I'm assuming the issue has something to do with speed. putting your new comms and a layer stacked over an older one (say UDP) results in seeming inefficiency. Of course part of that inefficiciency is all the security issues that are patched correctly in the old protocol.
But what is it about airplay or anything that they needed a new one. Why wasn't some existing blue tooth or zeroconf protocol sufficient.
I'm talking here from ignorance n
Re: (Score:2)
Why do people create new protocols?
NIH.
Also... Well we could use {thing} or.....we could reinvent the wheel and charge people to use OUR version of {thing}!
Re: (Score:2)
The need for different protocols, is because how the data is being used may be different, also features come up that may make the old protocall unusable or impractical.
The client may know particular things so performance can be saved by not spelling it out.
If I had a fictional protocol that sends a string like the following. "Bananas in Bowl on Table" Now if the client knows what Bananas, Bowl and Table are and knows what do do with "in" and "on" then we are good. As we can generate a lot of data with a
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: Why new protocols (Score:2)
You'd rather have a security hole than a secure device because you don't know of any better way. Apple loves you, I'm sure.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You act like all those limitations matter or are necessary.
Let’s review here: I asked for a protocol that did everything that Apple’s protocol does. You didn’t link a product or specifications. Instead you linked code written in Perl that remotely does not do what the protocol does, it’s not certain that it would work as this isn’t a product.
It sounds like Apple decided to combine several standard protocols' features and didn't bother telling anyone. In a way, a less modular/layered approach is inferior.
To paraphrase your words: Apple combined different features of existing standards. The part you missed: because those existing standards didn’t offer what Apple needed. As for inferior, that
Re:Why new protocols (Score:4, Insightful)
Why do people create new protocols?
Because Mobile peer-to-peer ad-hoc mesh networking represents a future where wireless telcos are less able to control all aspects of your communications, and smartphones still provide functionality when the major carrier networks go down.
Projects like SPAN and B.A.T.M.A.N. are trying to bring this functionality to android in open source, and I think sooner is better than later.
Let's see if many open source eyeballs helps us avoid these problems.
Re: (Score:2)
Basically Wifi Direct (direct comms between wifi devices without an access point mediating) sucked so Apple build some extensions to make it work better. Eventually much of Apple's work was adopted as part of the wifi standard anyway.
The main issue with Bluetooth is that it's slow. It's not really designed for high performance, it's designed to be power efficient and not interfere. For transferring large files or streaming high quality video it's just too slow. Wifi is preferred instead.
Apple's stuff can us
Fix it now!!! (Score:2)
Apple touts security and privacy, they need to fix this ASAP. I personally don't use these options... hell I almost never use WiFi on my phone, but a ton of the general populace does use all of those options.
Did you read the WHOLE SUMARY (Score:1)
Apple touts security and privacy, they need to fix this ASAP.
What exactly is someone going to do with a HASH of your phone number?
That is only released under "certain situations" mind you....
I'm not even clear this is something that needs fixing. Why? It could be useful for some reason, I'll wait to hear more.
The always important "How to disable" link :) (Score:1)
Instructions on how to completely disable Airdrop on Macos -- this will actually make it impossible to even open the Airdrop application in the Finder app bundle.
https://answers.uillinois.edu/... [uillinois.edu]
Useful, but once disabled, you might wonder where Airdrop went months later if you want to use it temporarily... so keep a note around on how to re-enable it (there's not really an error message or anything, Airdrop is just "greyed out".
Re: (Score:1)
enable and disable scripts
copy and paste into txt files, rename, chmod +x and add to your $PATH
disableAirdrop.sh
#!/bin/bash
defaults="/usr/bin/defaults"
sudo="/usr/bin/sudo"
killall="/usr/bin/killall"
defaults write com.apple.NetworkBrowser DisableAirDrop -bool YES
sudo killall -HUP WindowServer
exit
enableAirdrop.sh
#!/bin/bash
defaults="/usr/bin/defaults"
sudo="/usr/bin/sudo"
killall="/usr/bin/killall"
defaults write com.apple.NetworkBrowser DisableAirDrop -bool NO
sudo killall -HUP WindowServer
exit
Google NFC transfer is also buggy (Score:2)
I own a pair of Pixel 2's, and many times they've crashed and rebooted trying to send an image or web page from one to the other via NFC touch.
Maybe both should pay more attention to this functionality.
Open source many eyes argument (Score:1)
"Apple has never published any in-depth technical details about how AWDL works. This, in turn, has resulted in very few security researchers looking at AWDL for bugs or implementation errors."
How can this happen? (Score:1)
Only question (Score:1)
When can we get it on Android so we can have these problems too