Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Spoofing an Apple device and tricking users into sharing sensitive data

White hat hackers at the recent hacking conference Def Con demonstrated how to spoof an Apple device and trick users into sharing their sensitive data. At the recent Def Con hacking conference, white hat hackers demonstrated how to spoof an Apple device and trick users into sharing their sensitive data. As reported by Techcrunch, attendees […]

apple

White hat hackers at the recent hacking conference Def Con demonstrated how to spoof an Apple device and trick users into sharing their sensitive data.

At the recent Def Con hacking conference, white hat hackers demonstrated how to spoof an Apple device and trick users into sharing their sensitive data.

As reported by Techcrunch, attendees at the conference using iPhones started observing pop-up messages prompting them to connect their Apple ID or share a password with a nearby Apple TV.

The security researcher who goes by Jae Bochs said on Mastodon that the messages were part of their research project.

“Also to offer some reassurance: this was built with two purposes – to remind people to *really shut off* Bluetooth (I.e. not from control center) and to have a laugh.” explained Bochs.

He added that no data was collected and that he was just sending out Bluetooth low energy (BLE) advertisement packets that don’t require pairing.

Bochs used cheap equipment composed of a Raspberry Pi Zero 2 W, two antennas, a Linux-compatible Bluetooth adapter, and a portable battery.

“Bochs estimated that this combination of hardware, excluding the battery, costs around $70 and has a range of 50 feet, or 15 meters.” reported TechCrunch.

“Proximity is determined by BLE signal strength, and it seems most devices intentionally use lowered transmit power for these to keep the range short. I don’t :),” Bochs told TechCrunch.

Bochs focused on “proximity actions,” which appear on an iPhone screen when two devices are close to each other.

He created a proof-of-concept to build a custom advertisement packet that mimics BLE signal emitted by devices such as the Apple TV. Basically, he spoofed an Apple device that tries to repeatedly connect to nearby devices and triggers the pop-ups.

In a real attack scenario, upon tapping and accepting the prompts it will allow threat actors to collect some data from the packets, including phone number, Apple ID email, and current Wi-Fi network.

Even if users tap on the Bluetooth icon, their iPhones will continue to receive proximity actions.

Bochs speculate that these flaws were “certainly by design” to allow smartwatches and headphones to keep working with Bluetooth toggled and Apple won’t address them.

The expert recommends turning Bluetooth off in the device settings to protect the device.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, iPhone)