Security researchers say they can extract a user's phone number from the Bluetooth traffic coming from an iPhone smartphone during certain operations.
The attack works because, when Bluetooth is enabled on an Apple device, the device sends BLE (Bluetooth Low Energy) packets in all directions, broadcasting the device's position and various details.
This behavior is part of the Apple Wireless Direct Link (AWDL), a protocol that can work either via WiFi or BLE to interconnect and allow data transfers between nearby devices.
Previous academic research has revealed that AWDL BLE traffic contains device identification details such as the phone status, Wi-Fi status, OS version, buffer availability, and others.
However, in new research published last week, security researchers from Hexway said that during certain operations these BLE packets can also contain a SHA256 hash of the device's phone number.
"Only the first 3 bytes of the hashes are sent, but that's enough to identify your phone number," researchers said.
Since phone numbers have pretty strict formatting, attackers can use pre-calculated hash tables to recover the rest of the phone number.
According to Hexway, BLE traffic containing phone number hashes can be captured by malicious actors when a user is using AirDrop to share a file with another user, when a user's phone is trying to share a WiFi password, or when a user is asked to share a WiFi password by a contact.
"Our research reveals the possibility of phone number extraction not only while using AirDrop but also while using other functions, like WiFi network connection," Dmitry Chastuhin, security researcher at Hexway, told ZDNet.
Perfect for targeted attacks; pervasive user tracking -- not so much
Over the past few years, the world has learned that big retail chains track the movements and shopping habits of their in-store customers using phones' WiFi signals.
Tying each device to a real-world phone number would be a boon for the efficiency of in-store tracking. However, unless users start sharing files and WiFi passwords inside stores, the Hexway findings aren't an immediate danger to users' privacy -- at least in a mass-tracking scenario.
Nevertheless, these issues should not be ignored or played down in the case of other situations.
"Actually, there are a few ways to exploit the issue," Chastuhin told ZDNet.
Most of these ways revolve around social engineering and could be very successful when aimed at one individual at a time, as part of targeted attacks, in special venues or circumstances.
"Someone could attend any conference (from ethical hacking events to government round tables) and collect information about its attendees," Chastuhin told us.
In addition, the attacks are also easy to carry out at a technical level, and Chastuhin has published tools on GitHub that automate this process.
"The tools are easy to use," the researcher said. "All you need is just a person with a laptop and Bluetooth and WiFi adapters and enough people with Apple devices using BLE."
And as a side-effect, Chastuhin said his tools could also be used to "catch students, who use AirPods to cheat on exams, and catch people sending abusive content through AirDrop," both of which have become quite common practices these days.
ore vulnerability reports:
- Urgent11 security flaws impact routers, printers, SCADA, and many IoT devices
- US company selling weaponized BlueKeep exploit
- DHS warns about CAN bus vulnerabilities in small aircraft
- Google researchers disclose vulnerabilities for 'interactionless' iOS attacks
- Apple's AWDL protocol plagued by flaws that enable tracking and MitM attacks
- Windows zero-days don't usually work against the latest OS version
- KRACK attack: Here's how companies are responding CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic