Attackers can find out the phone number of the iPhone via AirDrop

Brother

Hexway's research team was able to determine the user's phone number on an iPhone using AirDrop, a Wi-Fi and Bluetooth file transfer technology developed by Apple. According to hexway, they decided to test whether Apple's slogan "What happens on the iPhone stays on the iPhone" is true. The experts have already published the exploit on GitHub.

The researchers were able to intercept data packets transmitted by devices when Bluetooth was turned on. According to experts, AirDrop transmits encrypted packets with a phone number for the recipient to find in their contacts.

The experts described the stages of a potential attack: an attacker must create a database mapping SHA256(phone_number) → phone_number for a specific region and run a special script, for example, on a laptop while in a public place. When someone tries to use AirDrop, an attacker can intercept the hash of the sender's phone number and recover the number from it. According to hexway, if you contact the user via iMessage, you can determine the name of the owner of the phone. The experts managed to find out the name using TrueCaller, and also found it in the device name.

The researchers also talked about an issue that may arise when using the Share Wi-Fi Password feature on an iPhone. The user needs to select a network from the list, and the device will start sending Bluetooth LE requests to other iPhones, asking them for a password. These BLE broadcast requests contain user data, namely the SHA256 hashes of the phone number, Apple ID, and email address. According to experts, only the first 3 bytes of each hash are sent, but that's enough to identify the phone number.

Hexway experts say the problem is not a vulnerability, but rather a consequence of features that power the Apple ecosystem. The described methods work in iOS 10.3.1 and higher, including beta versions of iOS 13. Experts also noted that older devices (all before iPhone 6s) do not send BLE messages continuously, even if they have updated the OS version. Only a limited number of messages are sent, probably Apple is doing this to conserve battery power on older devices.

According to the researchers, the only solution to the problem is to turn off Bluetooth on the device.
 

Thieves have learned to bypass Find iPhone on stolen phones


When Find My iPhone is disabled, iPhone can be rolled back to factory settings and registered with another Apple ID.



While iPhone theft is commonplace, the Find My feature allows the true owner to lock thieves out of the phone and prevent a factory reset. However, it turns out to be quite easy to get around this feature.

The India Today edition told the story of a user under the pseudonym Vedant, who hopelessly lost his iPhone 12.

The user lost his phone and started taking all the necessary measures, including trying to use the Find iPhone function to find out where the device was. However, it turned out that the iPhone was offline, and the system could not determine its exact location. Vedant activated Lost Mode, filed a police report and blocked the SIM card. When Lost Mode is on, the iPhone is locked so that no one can access the information stored on it after it is turned on.

Several days passed and Vedant began to lose hope. Then he received an SMS message, which said that the iPhone was found, and if you follow the specified link, you can find out its location. The link was not suspicious because it contained the words "icloud" and "findmy", but in fact it was created by the phone thieves.

After clicking on the link, an authorization window appeared on the screen, and the unsuspecting Vedant entered his password and Apple ID, which immediately went to the thieves.

A minute after the alleged authorization, the user received an email notification that access to his Apple ID had been obtained on a computer running Windows. Vedant tried to change the password and remove the Windows PC from his Apple ID, but it was too late. The thieves had already removed the iPhone from the Apple ID and disabled Find My iPhone.

The attackers obtained Vedant's phone number by inserting his SIM card into a new device and calling themselves. However, it is not entirely clear why the number from which the link was sent was the same one from which Microsoft sends verification codes for two-factor authentication. Most likely, spoofing took place here, which indicates a high professional level of the thieves.

When Find My iPhone is disabled, iPhone can be rolled back to factory settings and registered with another user's Apple ID as if it had been legally acquired.
 