Apple's AWDL protocol plagued by flaws that enable tracking and MitM attacks

Apple Wireless Direct Link (AWDL), a protocol installed on over 1.2 billion Apple devices, contains vulnerabilities that enable attackers to track users, crash devices, or intercept files transferred between devices via man-in-the-middle (MitM) attacks.

These are the findings of a research project that started last year at the Technical University of Darmstadt, in Germany, and has recently concluded, and whose findings researchers will be presenting later this month at a security conference in the US.

The project sought to analyze the Apple Wireless Direct Link (AWDL), a protocol that Apple rolled out in 2014 and which also plays a key role in enabling device-to-device communications in the Apple ecosystem.

While most Apple end users might not be aware of the protocol’s existence, AWDL is at the core of Apple services like AirPlay and AirDrop, and Apple has been including AWDL by default on all devices the company has been selling, such as Macs, iPhones, iPads, Apple watches, Apple TVs, and HomePods.

German and US researchers reverse-engineered AWDL

But in the past five years, Apple has never published any in-depth technical details about how AWDL works. This, in turn, has resulted in very few security researchers looking at AWDL for bugs or implementation errors.

However, due to the protocol’s growing ubiquity in the daily lives of all Apple users, in 2018, a team of TU Darmstadt academics — later joined by academics from Boston’s Northeastern University — decided to take a look at AWDL, and how the protocol works.

“Considering the well-known rocky history of wireless protocols’ security, with various flaws being repeatedly discovered in Bluetooth, WEP, WPA2, GSM, UMTS, and LTE, the lack of information regarding AWDL security is a significant concern given the increasing number of services that rely on it,” the research team said.

To study it, researchers reverse-engineered the AWDL protocol and then re-wrote it as a C implementation named OWL (Open Wireless Link), which they later used to test the real AWDL protocol for various attacks.

AWDL vulnerabilities

“Our analysis reveals several security and privacy vulnerabilities ranging from design flaws to implementation bugs enabling different kinds of attacks,” the research team said.

As a result of their work, researchers discovered:

1. A MitM attack which intercepts and modifies files transmitted via AirDrop, effectively allowing for the planting of malicious files.
2. A long-term device tracking attack which works in spite of MAC randomization, and may reveal personal information such as the name of the device owner (over 75% of experiment cases).
3. A DoS attack aiming at the election mechanism of AWDL to deliberately desynchronize the targets’ channel sequences effectively preventing communication with other AWDL devices.
4. Two additional DoS attacks on Apple’s AWDL implementations in the Wi-Fi driver. The attacks allow crashing Apple devices in proximity by injecting specially crafted frames. The attacks can be targeted to a single victim or affectall neighboring devices at the same time.

A demo video of the first attack is embedded below, showing how researchers were able to modify files in transit, sent via an AWDL connection.

While AWDL contained various security features to prevent attackers from establishing MitM rogue connections to legitimate devices without authorization, the research team was able to bypass these systems.

They did this with the help of a TCP reset attack that blocked the AWDL connection and allowed researchers to interpose their $20 hardware rig between the two devices and establish legitimate connections with both the sender and the receiver.

AWDL is ideal for pervasive user tracking

But while MitM attacks are hard to pull off and DoS attacks that crash devices are rarely useful, the AWDL vulnerabilities that allow user tracking are the ones that are truly concerning.

For this attack, the research team said they were able to obtain information from an AWDL connection such as the device hostname, real MAC address (even if the device has MAC address randomization enabled), the AP the device is connected to, the device class (iOS, watchOS, macOS, tvOS, etc.), and AWDL protocol version.

This information, researchers argued, is more than enough to create profiles and track users. Combined with data from online advertisers and analytics providers, it could be used to link devices to their real owners.

The research team worried that AWDL-based tracking technology could be deployed in retail stores or public spaces and track users’ movement through an area.

Some flaws require a protocol/service redesigns

As for patches against these attacks, the research team said they notified Apple of all the vulnerabilities they found, between August and December 2018.

“While Apple was able to issue a fix for a DoS attack vulnerability after our responsible disclosure, the other security and privacy vulnerabilities require the redesign of some of their services,” researchers said.

The fix for the AWDL DoS bug (CVE-2019-8612) rolled out in mid-May, with the release of iOS 12.3, tvOS 12.3, watchOS 5.2.1, and macOS 10.14.5.

The rest of the AWDL vulnerabilities will likely remain exploitable for the foreseeable future.

Some bugs might affect Android devices

Furthermore, the same bugs may also affect Android and other types of devices, researchers warned.

“The impact of these findings goes beyond Apple’s ecosystem as the Wi-Fi Alliance adopted AWDL as the basis for Neighbor Awareness Network-ing (NAN) which, therefore, might be susceptible to similar attacks,” the research team said.

“NAN, commonly known as Wi-Fi Aware, is a new standard supported by Android which draws on AWDL’s design and, thus, might be vulnerable to the similar attacks as presented in [our] work.”

However, this has not been confirmed, and additional research is needed on the impact of these AWDL bugs on real-world Android NAN (Wi-Fi Aware) implementations.

More details about the vulnerabilities described in this article are available in a pre-print white paper named “A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link” that the research team will be presenting at the USENIX security conference in mid-August, in a few weeks time.

More vulnerability reports: