A $70 homemade device on show at one of the biggest hacking conferences on the planet has revealed how thieves could trick you into handing over your iCloud password (or any other credentials for that matter) without you even noticing.
The makeshift contraption, which looks like something the Joker would use to set off a minor explosion, caused chaos at Def Con as part of a research project designed to “have a laugh” while also revealing to people just how important it is to turn off your Bluetooth properly if you want your iPhone to be safe from unwanted overtures.
As TechCrunch reports, hacker Jae Bochs wandered around Def Con triggering pop-ups on fellow convention guests' phones with the custom-made device, a mish-mash of a Raspberry Pi Zero 2 W, two antennas, a Bluetooth adapter, and a battery.
Apple's Bluetooth Low Energy (BLE) protocols let nearby devices trigger "proximity actions" that deliver a pop-up on your iPhone. The alert, in this case, took the form of Apple's ingenious Apple TV Keyboard Password AutoFill feature. That convenient pop-up normally lets you type passwords for things like your Apple ID, Netflix, and more on your Apple TV using your iPhone's keyboard, rather than the arrows on your remote.
The device
As it stands, in theory, a device like this could be used to trigger an alert on the iPhone of any unsuspecting person, who might, in a momentary lapse of concentration, enter a password without thinking. This highlights a need to be wary not only of your Bluetooth settings, but also of any random pop-ups asking for passwords or log-in credentials you weren't expecting.
“Bochs estimated that this combination of hardware, excluding the battery, costs around $70 and has a range of 50 feet, or 15 meters,” the report states. The proof of concept “builds a custom advertisement packet that mimics what Apple TV etc. are constantly emitting at low power,” triggering the pop-ups on nearby devices.
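As an added illustration of what the article describes, seen from the monitoring side rather than the device's side: the following Python script (written for this page, not Bochs' code or anything from Apple) parses raw BLE advertising payloads into their standard AD structures, picks out manufacturer-specific data carrying Apple's Bluetooth SIG company identifier (0x004C), and reports which advertiser addresses are emitting such adverts and how fast. The scan records, the window and threshold values, and the placeholder payload bytes are constructed for the example; the bytes after the company ID are dummy values, not a real Apple message.

```python
"""Inventory and rate-check Apple manufacturer-data BLE adverts from scan records.

Added example for this page (not Jae Bochs' device code, not Apple code).
All input records below are constructed; the Apple payload bytes are dummies.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

AD_TYPE_FLAGS = 0x01
AD_TYPE_MANUFACTURER_SPECIFIC = 0xFF
APPLE_COMPANY_ID = 0x004C  # Bluetooth SIG company identifier assigned to Apple, Inc.


def parse_ad_structures(payload: bytes) -> list[tuple[int, bytes]]:
    """Split a raw advertising payload into (ad_type, data) pairs.

    Each AD structure is length(1) | ad_type(1) | data(length - 1).
    A zero length ends the significant part; a truncated structure is dropped.
    """
    out: list[tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break
        out.append((payload[i + 1], bytes(payload[i + 2 : i + 1 + length])))
        i += 1 + length
    return out


def apple_manufacturer_data(payload: bytes) -> Optional[bytes]:
    """Return the bytes following Apple's company ID in manufacturer data, or None."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER_SPECIFIC and len(data) >= 2:
            if int.from_bytes(data[:2], "little") == APPLE_COMPANY_ID:
                return data[2:]
    return None


@dataclass
class ScanRecord:
    t: float        # seconds since the scan started
    addr: str       # advertiser address as reported by the scanner
    rssi: int
    payload: bytes  # raw advertising data


def _peak_in_window(times: list[float], window_s: float) -> int:
    """Largest number of timestamps falling inside any window_s-wide window."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window_s:
            j += 1
        best = max(best, i - j + 1)
    return best


def flag_apple_beacon_sources(records: list[ScanRecord], window_s: float = 10.0,
                              max_per_window: int = 20) -> dict[str, dict]:
    """Group Apple-company-ID adverts by source and flag bursting sources.

    The window and threshold are example values, not Apple or Bochs numbers.
    """
    by_addr: dict[str, list[tuple[float, int, bytes]]] = defaultdict(list)
    for r in records:
        mfg = apple_manufacturer_data(r.payload)
        if mfg is not None:
            by_addr[r.addr].append((r.t, r.rssi, mfg))
    report = {}
    for addr, items in by_addr.items():
        peak = _peak_in_window([t for t, _, _ in items], window_s)
        report[addr] = {
            "adverts": len(items),
            "peak_in_window": peak,
            "rssi_range": (min(s for _, s, _ in items), max(s for _, s, _ in items)),
            "payload_variants": len({m for _, _, m in items}),
            "flagged": peak > max_per_window,
        }
    return report


def _ad(ad_type: int, data: bytes) -> bytes:
    """Assemble one AD structure for the constructed test fixtures."""
    return bytes([len(data) + 1, ad_type]) + data


FLAGS = _ad(AD_TYPE_FLAGS, b"\x1a")
# Constructed: Apple company ID (little-endian) followed by placeholder bytes.
APPLE_DUMMY = _ad(AD_TYPE_MANUFACTURER_SPECIFIC, b"\x4c\x00" + b"\x00\x01\x02\x03")
# Constructed: a non-Apple company ID so the record must be ignored.
OTHER_DUMMY = _ad(AD_TYPE_MANUFACTURER_SPECIFIC, b"\xff\xfe" + b"\x00\x00")


def sample_records() -> list[ScanRecord]:
    """Constructed scan log: one steady source, one bursting source, one non-Apple."""
    recs = [ScanRecord(2.0 * k, "aa:bb:cc:dd:ee:01", -60, FLAGS + APPLE_DUMMY) for k in range(5)]
    recs += [ScanRecord(0.1 * k, "12:34:56:78:9a:bc", -45, FLAGS + APPLE_DUMMY) for k in range(30)]
    recs.append(ScanRecord(1.0, "de:ad:be:ef:00:01", -70, FLAGS + OTHER_DUMMY))
    return recs


if __name__ == "__main__":
    for addr, info in flag_apple_beacon_sources(sample_records()).items():
        print(addr, info)
```

Feeding this real records would mean wiring in whatever scanner you already use (an assumption, not shown here). Note the caveat the article itself implies: genuine Apple TVs and phones advertise constantly, so a high advert rate from one address is a lead to investigate, not proof of a spoofing device.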
Of course, as a practical joke/warning exercise, Bochs’ tool wasn’t primed to accept any data, even if someone did fall for the prank, but a bad actor with the same tools could definitely “have collected some data.”
“If a user were to interact with the prompts, and if the other end was set up to respond convincingly, I think you could get the ‘victim’ to transfer a password,” Bochs warned.
Bochs, unfortunately, believes that "Apple won't do anything about this." The issue lies in the design of the low energy protocol itself, something that, in Bochs' eyes, "is certainly by design, so that watches and headphones keep working with Bluetooth toggled." Inherent flaws or not, Apple wants the feature to work — to fix it would be to break it.
The moral of the story is that if you want your iPhone to be totally safe from rogue Bluetooth incursions like the one explained here, then you need to turn off Bluetooth on your iPhone. Properly turn it off. Selecting the Bluetooth toggle in the Control Panel doesn’t completely turn off your Bluetooth, because it continues to work with proximity-activated beacons. To turn off Bluetooth completely, you need to head to your iPhone Settings, Bluetooth, and then select the green Bluetooth toggle at the top of the page.