A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link (AWDL). Milan Stute, Sashank Narain, Alex Mariotto, Alexander Heinrich, David Kreitschmann, Guevara Noubir, and Matthias Hollick.

AWDL: Apple's Wireless Direct Link
“The limitations of IBSS mode (and its Wi-Fi infrastructure predecessors) led the Wi-Fi Alliance to define Wi-Fi Direct. Further, due to concerns regarding Wi-Fi Direct, Apple Wireless Direct Link (AWDL) was developed by Apple and eventually adopted by the Wi-Fi Alliance as the basis for Neighbor Awareness Networking (NAN).”
• A low-latency/high-speed Wi-Fi peer-to-peer connection
• An instance of the “Wi-Fi Direct” standard
• Like the IEEE 802.11 standard, it uses channels to separate signals
• Physical Layer and Data Link Layer in the OSI model

AWDL: Channels
• Channel information is in the form of Available Windows (AW).
• AW: sequence of 16 channel numbers
• Each channel takes 64 Time Units.
• Each Time Unit (TU) takes 1024 μs.
• Each period (τ) takes 1024 × 64 × 16 μs ≈ 1 s

AWDL: Synchronization
[Diagram: Master, Node1, Node2; labels: Synchronize, Communicate]
WORKFLOW:
• Elect a master
• Synchronize to the master's clock by sending an Action Frame (AF)
• Communicate only in the same channel
Action Frame (AF): data frame sent when AWDL starts. It contains:
1. Synchronization parameters: AW, time until next AW starts
2. Sensitive information: MAC address, AP, hostname, device class, AWDL protocol version

One AWDL Application: AirDrop
In a nutshell, AirDrop is an ad-hoc service enabling the transfer of files over Wi-Fi and Bluetooth. AirDrop uses BLE advertisements to discover and AWDL to communicate. AirDrop's workflow is divided into three parts: Discovery, Authentication, and Data Transfer.

AirDrop: How to Discover?
16-bit sender's contact identifiers, like e-mail address or phone number
[Diagram, steps 1 to 5; labels: Bluetooth, AWDL, Communicate via the same channel, Locate AirDrop service IP]

AirDrop: How to Authenticate?
[Diagram: steps 1 to 3]
TLS connection and HTTPS are secure enough!

Attacks: Overview
• 1. Privacy Leaks [Bluetooth + AWDL]
  • Goal: Associate username and MAC address
  • How: Sensitive information in AF
• 2. Denial of Service by Desynchronization [AWDL]
  • Goal: Prevent the synchronization process
  • How: Send different synchronization parameters to each target
• 3. Man in the Middle Attack [AirDrop]
  • Goal: Modify files transferred by AirDrop
  • How: Prevent the sender from authenticating to the receiver. The attacker pretends to be the sender, relays the sender's ask request, and modifies the sender's upload request.
• 4. Denial of Service by Rebooting [AWDL]
  • Goal: Reboot target devices
  • How: Send corrupted AF

Attacks: Privacy Leak
• Goal: To match username and MAC address
• WORKFLOW
1. Devices send AF upon BLE advertisement
   · Everyone mode: upon any BLE advertisement
   · Contacts-only: when contact identifiers match
2. Brute forcing a 16-bit search space if contacts-only
   · Customizing BLE advertisement sender for efficiency
3. Capture sensitive information in AWDL specific fields, because they are sent in the clear
[Diagram: AWDL protocol frame; parts: IEEE 802.11 header, AWDL specific fields, Data; labels: MAC randomization; Hostname, MAC address, AP, Version Info]

Attacks: Privacy Leak
• PERFORMANCE

Attacks: DoS by Desynchronization
• Goal: To prevent synchronization
• WORKFLOW
1. Attacker wins master election, where c increases over time when a node is elected as master, m is a random number
2. Sending different synchronization parameters via AF
• PERFORMANCE
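
Added example (not from the slides or the paper's authors): a defender-side check for the desynchronization attack above, flagging a master whose action frames disagree about the AW boundary or the channel sequence. The record fields, the jitter tolerance and the sample frames are assumptions constructed for illustration; the timing constants come from the Channels slide.

```python
from collections import defaultdict

TU_US = 1024                 # one Time Unit in microseconds (from the slides)
SLOT_US = 64 * TU_US         # each channel slot lasts 64 TU (from the slides)
TOLERANCE_US = 3 * TU_US     # assumed jitter allowance, not from the slides


def aw_phase(rx_time_us, tu_until_next_aw):
    """Phase of the announced AW boundary inside the 64-TU slot grid."""
    return (rx_time_us + tu_until_next_aw * TU_US) % SLOT_US


def circular_gap(a, b, modulus=SLOT_US):
    """Shortest distance between two phases on a ring of size modulus."""
    d = abs(a - b) % modulus
    return min(d, modulus - d)


def find_inconsistent_masters(frames):
    """frames: dicts with hypothetical keys master, rx_us, tu_left, channels.

    Returns {master: [reasons]} for masters whose action frames disagree
    about the AW boundary or the channel sequence.
    """
    first_seen = {}
    alerts = defaultdict(list)
    for f in sorted(frames, key=lambda f: f["rx_us"]):
        phase = aw_phase(f["rx_us"], f["tu_left"])
        ref = first_seen.setdefault(f["master"], (phase, tuple(f["channels"])))
        if circular_gap(phase, ref[0]) > TOLERANCE_US:
            alerts[f["master"]].append("aw_phase_mismatch")
        if tuple(f["channels"]) != ref[1]:
            alerts[f["master"]].append("channel_sequence_mismatch")
    return dict(alerts)


# Constructed sample data: master aa:.. is consistent, master bb:.. is not.
SEQ_A = [6] * 8 + [44] * 8
SEQ_B = [44] * 8 + [6] * 8
SAMPLE_FRAMES = [
    {"master": "aa:aa:aa:aa:aa:aa", "rx_us": 0, "tu_left": 10, "channels": SEQ_A},
    {"master": "aa:aa:aa:aa:aa:aa", "rx_us": 110 * TU_US, "tu_left": 28, "channels": SEQ_A},
    {"master": "bb:bb:bb:bb:bb:bb", "rx_us": 5 * TU_US, "tu_left": 20, "channels": SEQ_A},
    {"master": "bb:bb:bb:bb:bb:bb", "rx_us": 9 * TU_US, "tu_left": 48, "channels": SEQ_B},
]

if __name__ == "__main__":
    print(find_inconsistent_masters(SAMPLE_FRAMES))
```

The check compares each frame against the first one seen from the same master, so legitimate schedule changes and clock drift would need a sliding reference in practice.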

Attacks: Man in the Middle
• Goal: Modify AirDrop data transferred
• WORKFLOW
[Diagram: steps 1 to 4; labels: Relay, Modify]

Attacks: Man in the Middle
• Demo

Attacks: DoS by Rebooting
• Goal: To reboot target devices
• WORKFLOW
1. Send corrupted AF
• Demo

Q & A
• Q: How is the attacker even able to communicate using Apple’s proprietary AWDL protocol?
• A: Open Wireless Link project: a self-implementation of AirDrop and AWDL

Future Work?
• Further reading:
• AWDL is used in Apple’s HomePod
• Possible attacks?