iPhone Bluetooth traffic leaks phone numbers -- in certain scenarios

The Apple bug that might accidentally help catch people behind the recent malicious AirDrop file sharing epidemic.
Written by Catalin Cimpanu, Contributor

Security researchers say they can extract a user's phone number from the Bluetooth traffic coming from an iPhone smartphone during certain operations.

The attack works because, when Bluetooth is enabled on an Apple device, the device sends BLE (Bluetooth Low Energy) packets in all directions, broadcasting the device's position and various details.

This behavior is part of the Apple Wireless Direct Link (AWDL), a protocol that can work either via WiFi or BLE to interconnect and allow data transfers between nearby devices.

Previous academic research has revealed that AWDL BLE traffic contains device identification details such as the phone status, Wi-Fi status, OS version, buffer availability, and others.

However, in new research published last week, security researchers from Hexway said that during certain operations these BLE packets can also contain a SHA256 hash of the device's phone number.

"Only the first 3 bytes of the hashes are sent, but that's enough to identify your phone number," researchers said.

Since phone numbers have pretty strict formatting, attackers can use pre-calculated hash tables to recover the rest of the phone number.

According to Hexway, BLE traffic containing phone number hashes can be captured by malicious actors when a user is using AirDrop to share a file with another user, when a user's phone is trying to share a WiFi password, or when a user is asked to share a WiFi password by a contact.

"Our research reveals the possibility of phone number extraction not only while using AirDrop but also while using other functions, like WiFi network connection," Dmitry Chastuhin, security researcher at Hexway, told ZDNet.

Perfect for targeted attacks; pervasive user tracking -- not so much

Over the past few years, the world has learned that big retail chains track the movements and shopping habits of their in-store customers using phones' WiFi signals.

Tying each device to a real-world phone number would be a boon for the efficiency of in-store tracking. However, unless users start sharing files and WiFi passwords inside stores, the Hexway findings aren't an immediate danger to users' privacy -- at least in a mass-tracking scenario.

Nevertheless, these issues should not be ignored or played down in the case of other situations.

"Actually, there are a few ways to exploit the issue," Chastuhin told ZDNet.

Most of these ways revolve around social engineering and could be very successful when aimed at one individual at a time, as part of targeted attacks, in special venues or circumstances.

"Someone could attend any conference (from ethical hacking events to government round tables) and collect information about its attendees," Chastuhin told us.

In addition, the attacks are also easy to carry out at a technical level, and Chastuhin has published tools on GitHub that automate this process.

"The tools are easy to use," the researcher said. "All you need is just a person with a laptop and Bluetooth and WiFi adapters and enough people with Apple devices using BLE."

And as a side-effect, Chastuhin said his tools could also be used to "catch students, who use AirPods to cheat on exams, and catch people sending abusive content through AirDrop," both of which have become quite common practices these days.

iOS 13: Things Apple still needs to fix

ore vulnerability reports:

Editorial standards