
Apple's AWDL Protocol Plagued By Flaws That Enable Tracking and MitM Attacks (zdnet.com) 56

Apple Wireless Direct Link (AWDL), a protocol installed on over 1.2 billion Apple devices, contains vulnerabilities that enable attackers to track users, crash devices, or intercept files transferred between devices via man-in-the-middle (MitM) attacks. From a report: These are the findings of a research project that started last year at the Technical University of Darmstadt, in Germany, and has recently concluded, and whose findings researchers will be presenting later this month at a security conference in the US. The project sought to analyze the Apple Wireless Direct Link (AWDL), a protocol that Apple rolled out in 2014 and which also plays a key role in enabling device-to-device communications in the Apple ecosystem. While most Apple end users might not be aware of the protocol's existence, AWDL is at the core of Apple services like AirPlay and AirDrop, and Apple has been including AWDL by default on all devices the company has been selling, such as Macs, iPhones, iPads, Apple watches, Apple TVs, and HomePods. But in the past five years, Apple has never published any in-depth technical details about how AWDL works. This, in turn, has resulted in very few security researchers looking at AWDL for bugs or implementation errors.
  • by Anonymous Coward

    this will be fixed on millions of devices within the month

    • by dgatwood ( 11270 ) on Tuesday July 30, 2019 @03:30PM (#59013986) Homepage Journal

      this will be fixed on millions of devices within the month

      And left permanently unfixed on any device that won't run the latest version of iOS. Also, from all indications, this probably cannot be fixed without breaking backwards compatibility, which means that it won't be possible to use AirDrop or multipeer connectivity between current iOS devices and previous iOS devices. So this is yet another backwards-incompatible change to AirDrop. *bangs head repeatedly against wall*

      This is just another example of Apple's secrecy directly hurting their customers. Apple has basically only created three interesting networking protocols in recent memory: mDNS, AWDL, and FaceTime. Of those, mDNS is open source, and the other two BOTH have had major security holes that have catastrophically harmed user privacy and security.

      IMO, proprietary protocols should automatically be assumed unsafe, period. Had Apple opened up these protocols immediately to public scrutiny, as they should have — as Apple promised in the case of FaceTime — these problems would have been found much sooner, and wouldn't have become a crisis. Instead, they are/were crises. And the only reason for these privacy-damaging mistakes is that Apple's upper management is more concerned about keeping these protocols private and avoiding compatibility with Android than about actually protecting their customers' privacy and security.

      For shame, Apple. For shame.

      To make matters worse, had Apple not rushed their technology to market, they could have used the Wi-Fi Direct open standard like Android does, and avoided all of these problems. But the good news is that it's not too late to throw out AWDL and start over with open standards. They have to break compatibility anyway, so why not do it right this time?

      Yeah, I'm not holding my breath, either.

  • Apple touts security and privacy, they need to fix this ASAP. I personally don't use these options... hell I almost never use WiFi on my phone, but a ton of the general populace does use all of those options.

    • Apple touts security and privacy, they need to fix this ASAP.

      What exactly is someone going to do with a HASH of your phone number?

      That is only released under "certain situations" mind you....

      I'm not even clear this is something that needs fixing. Why? It could be useful for some reason, I'll wait to hear more.

  • Instructions on how to completely disable AirDrop on macOS -- this will actually make it impossible to even open the AirDrop application in the Finder app bundle.

    https://answers.uillinois.edu/... [uillinois.edu]

    Useful, but once disabled, you might wonder where AirDrop went months later if you want to use it temporarily... so keep a note around on how to re-enable it (there's not really an error message or anything, AirDrop is just "greyed out").

    • by Anonymous Coward

      enable and disable scripts

      copy and paste into txt files, rename, chmod +x and add to your $PATH

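      disableAirdrop.sh
      #!/bin/bash
      # Absolute paths so the script does not depend on $PATH
      defaults="/usr/bin/defaults"
      sudo="/usr/bin/sudo"
      killall="/usr/bin/killall"

      # Set the per-user preference that disables AirDrop
      "$defaults" write com.apple.NetworkBrowser DisableAirDrop -bool YES
      # Restart WindowServer so the change takes effect (this ends the current login session)
      "$sudo" "$killall" -HUP WindowServer
      exit

      enableAirdrop.sh
      #!/bin/bash
      # Absolute paths so the script does not depend on $PATH
      defaults="/usr/bin/defaults"
      sudo="/usr/bin/sudo"
      killall="/usr/bin/killall"

      # Clear the per-user preference so AirDrop is available again
      "$defaults" write com.apple.NetworkBrowser DisableAirDrop -bool NO
      # Restart WindowServer so the change takes effect (this ends the current login session)
      "$sudo" "$killall" -HUP WindowServer
      exit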

  • I own a pair of Pixel 2's, and many times they've crashed and rebooted trying to send an image or web page from one to the other via NFC touch.

    Maybe both should pay more attention to this functionality.

  • by Anonymous Coward

    "Apple has never published any in-depth technical details about how AWDL works. This, in turn, has resulted in very few security researchers looking at AWDL for bugs or implementation errors."

  • Who said this wasn't done on purpose? How could the best minds Microsoft can buy continually fuck up on such a royal and consistent basis?
  • When can we get it on Android so we can have these problems too
