AWDL flaws open Apple users to tracking, MitM, malware planting

Vulnerabilities in Apple Wireless Direct Link (AWDL), the wireless protocol that underpins Apple’s AirPlay and AirDrop services, could allow attackers to track users in spite of MAC randomization, to intercept and modify transmitted files, and to prevent transmission or crash devices altogether.


Apple has already fixed one of the DoS vulnerabilities, but the other holes are not that easy to plug.

What is AWDL?

“With deployments on over one billion devices, spanning several Apple operating systems (iOS, macOS, tvOS, and watchOS) and an increasing variety of devices (Mac, iPhone, iPad, Apple Watch, Apple TV, and HomePod), Apple Wireless Direct Link (AWDL) is ubiquitous and plays a key role in enabling device-to-device communications in the Apple ecosystem,” researchers from TU Darmstadt and Northeastern University explained.

AWDL is an extension of the IEEE 802.11 (Wi-Fi) standard and integrates with Bluetooth Low Energy (BLE), and its proprietary nature apparently prevented security and privacy analysis – until now, that is.

To perform the analysis, TU Darmstadt and Northeastern University researchers analyzed patents and reverse-engineered AirDrop, which runs on top of AWDL.

They have also implemented open versions of AWDL and AirDrop and made them available as open source software to stimulate future research in this area.

Possible attacks

The unearthed vulnerabilities affect AirDrop’s BLE discovery mechanism, AWDL synchronization, UI design, and Wi-Fi driver implementation.

The researchers demonstrated several attacks:

  • A long-term device tracking attack that isn’t stymied by MAC address randomization and may, in most cases, reveal personal information such as the name of the device owner.
  • A MitM attack that allows for interception and modification of files transmitted via AirDrop, effectively allowing for planting malicious files.
  • A DoS attack that works by desynchronizing the targets’ channel sequences.
  • Two DoS attacks on Apple’s AWDL implementations in the Wi-Fi driver, which can crash Apple devices (one or more) by injecting specially crafted frames.

In a video, they demonstrated the MitM attack on Apple AirDrop by successfully modifying a photo in transit.

The attacks can be stealthy and can be launched by devices not connected to the target Wi-Fi network, the researchers pointed out.

They can also be extremely cheap to pull off: all one needs is a low-cost ($20) micro:bit device and an off-the-shelf Wi-Fi card.

What else? What now?

Apple has been notified of these vulnerabilities and has fixed one DoS bug, but to address the rest they have to redesign some of their services.

The researchers also noted that their findings have implications for the non-Apple world: since the Wi-Fi Alliance adopted AWDL as the basis for Neighbor Awareness Networking (NAN, aka Wi-Fi Aware), that protocol might also be susceptible to similar attacks.

The researchers have put forward practical mitigations for all four attacks they demonstrated, but the only thing that end users can do to protect themselves is to disable AirDrop – and that only prevents tracking via AWDL.

Unfortunately, there generally seems to be no shortage of flaws that can be used for tracking users: a few weeks ago, a group of researchers from Boston University detailed several BLE-based vulnerabilities that could expose users of iDevices, MacBooks, Microsoft tablets and laptops to the risk of being tracked and identified by unwanted adversaries, despite privacy-protecting measures already in place.
