SoylentNews

upstart [soylentnews.org] writes:

████ # This file was generated bot-o-matically! Edit at your own risk. ████

Attack of the week: Airdrop tracing [cryptographyengineering.com]:

It’s been a while since I wrote an “attack of the week” post, and the fault for is entirely mine. I’ve been much too busy writing boring posts about Schnorr signatures [cryptographyengineering.com]! But this week’s news brings an exciting story with both technical and political dimensions, namely: that a new Chinese technique is being used to trace AirDrop transmissions [techradar.com].

A quick note: most of my “attack of the week” posts are intended to highlight recent research. This post is therefore a bit unusual: the attack in question is not really new; it dates back to 2019, when a set of TU Darmstadt researchers — Heinrich, Hollick, Schneider, Stute, and Weinert — reverse-engineered the Apple Airdrop protocol and disclosed several privacy issues to Apple. (The resulting paper, which appeared in Usenix Security 2021 can be found here [usenix.org].)

What makes this an attack of the week is a new piece of news initially broken by Bloomberg [bloomberg.com] (other coverage [techradar.com]without paywall [macrumors.com]) claiming that researchers in China’s Beijing Wangshendongjian Judicial Appraisal Institute have used these vulnerabilities to help police to identify the sender of “unauthorized” AirDrop materials, using a technique based on rainbow tables. While this new capability may not (yet) be in widespread deployment, it represents a new tool that could strongly suppress the use of AirDrop in China and Hong Kong.

And this is a big deal, since AirDrop is apparently one of a few channels that can still be used to disseminate unauthorized protest materials — and indeed, that was used in both places in 2019 and 2022, and (allegedly as a result) has already been subject to various curtailments [mashable.com].

In this post I’m going to talk about the Darmstadt research and how it relates to the news out of Beijing. Finally, I’ll talk a little about what Apple can do about it — something that is likely to be as much of a political problem as a technical one.

As always, rest will be in the “fun” question-and-answer format I use for these posts.

What is AirDrop and why should I care?

If you own an iPhone, you already know the answer to this question. Otherwise: AirDrop is an Apple-specific protocol that [apple.com] allows Apple devices to send files (and contacts and other stuff) in a peer-to-peer manner over various wireless protocols, including Bluetooth and WiFi.

The key thing to know about AirDrop is that it has two settings, which can be enabled by a potential receiver. In “Contacts Only” mode, AirDrop will accept files only from people who are in your Contacts list (address book.) When set to “Everyone”, AirDrop will receive files from any random person within transmit range. This latter mode has been extensively used to distribute protest materials in China and Hong Kong, as well as to distribute indecent photos [mashable.com] to strangers all over the world.

The former usage of AirDrop became such a big deal in protests that in 2022, Apple pushed a software update [cnbc.com] exclusively to Chinese users that limited the “Everyone” receive-from mode — ensuring that phones would automatically switch back to “Contacts only” after 10 minutes. The company later extended this software update to all users worldwide [appleinsider.com], but only after they were extensively criticized for the original move.

Is AirDrop supposed to be private? And how does AirDrop know if a user is in their Contacts list?

While AirDrop is not explicitly advertised as an “anonymous” communication protocol, any system that has your phone talking to strangers has implicit privacy concerns baked into it. This drives many choices around how AirDrop works.

Let’s start with the most important one: do AirDrop senders provide their ID to potential recipients? The answer, at some level, must be “yes.”

The reason for this is straightforward. In order for AirDrop recipients in “Contacts only” mode to check that a sender is in their Contacts list, there must be a way for them to check the sender’s ID. This implies that the sender must somehow reveal their identity to the recipient. And since AirDrop presents a list of possible recipients any time a sending user pops up the AirDrop window, this will happen at “discovery” time — typically before you’ve even decided if you really want to send a file.

But this poses a conundrum: the sender’s phone doesn’t actually know which nearby AirDrop users are willing to receive files from it — i.e., which AirDrop users have the sender in their Contacts — and it won’t know this until it actually talks to them. But talking to them means your phone is potentially shouting at everyone around it all the time, saying something like:

Hi there! My Apple ID is john.doe.28@icloud.com. Will you accept files from me!??

Now forget that this is being done by phones. Instead imagine yourself, as a human being, doing this to every random stranger you encounter on the subway. It should be obvious that this will quickly become a privacy concern, one that would scare even a company that doesn’t care about privacy. But Apple generally does care quite a bit about privacy!

Thus, just solving this basic problem requires a clever way by which phones can figure out whether they should talk to each other — i.e., whether the receiver has the sender in its Contacts — without either side leaking any useful information to random strangers. Fortunately cryptographic researchers have thought a lot about this problem! We’ve even given it a cool name: it’s called Private Set Intersection [wikipedia.org], or PSI.

To make a long story short: a Private Set Intersection protocol takes a set of strings from the Sender and a set from the Receiver. It gives one (or both parties) the intersection of both sets: that is, the set of entries that appear on both lists. Most critically, a good PSI protocol doesn’t reveal any other information about either of the sets.

In Apple’s case, the Sender would have just a few entries, since you can have a few different email addresses and phone numbers. The Receiver would have a big set containing its entire Contacts list. The output of the protocol would contain either (1) one or more of the Sender’s addresses, or (2) nothing. A PSI protocol would therefore solve Apple’s problem nicely.

Great, so which PSI protocol does Apple use?

The best possible answer to this is: 😔.

For a variety of mildly defensible reasons — which I will come back to in a moment — Apple does not use a secure PSI protocol to solve their AirDrop problem. Instead they did the thing that every software developer does when faced with the choice of doing complicated cryptography or “hacking something together in time for the next ship date”: they threw together their own solution using hash functions.

The TU Darmstadt researchers did a nice job of reverse-engineering Apple’s protocol in their paper. [usenix.org] Read it! The important bit happens during the “Discovery” portion of the protocol, which is marked by an HTTPS POST request as shown below:

The very short TL;DR is this:

1. In the POST request, a sender attaches a truncated SHA-256 hash [wikipedia.org] of its own Apple ID, which is contained within a signed certificate that it gets from Apple. (If the sender has more than one identifier, e.g., a phone number and an email address, this will contain hashes of each one.)
2. The recipient then hashes every entry in its Contacts list, and compares the results to see if it finds a match.
3. If the recipient is in Contacts Only mode and finds a match, it indicates this and accepts later file transfers. Otherwise it aborts the connection.

(As a secondary issue, AirDrop also includes a very short [two byte] portion of the same hashes in its BLE advertisements. Two bytes is fairly short, which means this shouldn’t leak much information, since many different addresses will collide on a two-byte hash. However, some other researchers have determined that it generally does [habr.com]. Or they may have, the source isn’t translating well for me.)

A second important issue here is that the hash identifiers are apparently stored in logs within the recipient’s phone, which means that to obtain them you don’t have to be physically present when the transfer happens. You can potentially scoop them out of someone else’s phone after the fact.

So what’s the problem?

Many folks who have some experience with cryptography will see the problem immediately. But let’s be explicit.

Hash functions are designed to be one-way. In theory, this means that there is should be no efficient algorithm for “directly” taking the output of a hash function and turning it back into its input. But that guarantee has a huge asterisk: if I can guess a set of possible inputs that could have produced the hash, I can simply hash each one of my guesses and compare it to the target. If one input matches, then chances are overwhelming that I’ve found the right input (also called a pre-image.)

In its most basic form, this naive approach is called a “dictionary attack [wikipedia.org]” based on the idea that one can assemble a dictionary of likely candidates, then test every one. Since these hashes apparently don’t contain any session-dependent information (such as salt), you can even do the hashing in advance to assemble a dictionary of candidate hashes, making the attack even faster.

This approach won’t work if your Apple ID (or phone number) is not guessable. The big question in exploiting this vulnerability is whether it’s possible to assemble a complete list of candidate Apple ID emails and phone numbers. The answer for phone numbers, as the Darmstadt researchers point out, is absolutely yes. Since there are only a few billion phone numbers, it is entirely possible to make a list of every phone number and have a computer grind through them — given a not-unreasonable amount of time. For email addresses this is more complicated, but there are many lists of email addresses [haveibeenpwned.com] in the world, and the Chinese state authorities almost certainly have some good approaches to collecting and/or generating those lists.

As an aside, exploiting these dictionaries can be done in three different ways:

1. You can make a list of candidate identifiers (or generate them programmatically) and then, given a new target hash, you can hash each identifier and check for a match. This requires you to compute a whole lot of SHA256 hashes for each target you crack, which is pretty fast on a GPU or FPGA (or ASIC) but not optimal.
2. You can pre-hash the list and make a database of hashes and identifiers. Then when you see a target hash, you just need to do a fast lookup. This means all computation is done once, and lookups are fast. But it requires a ton of storage.
3. Alternatively, you can use an intermediate approach called a time-memory tradeoff in which you exchange some storage for some computation once the target is found. The most popular technique is called a rainbow table [wikipedia.org], and it really deserves its own separate blog post, though I will not elaborate today.

The Chinese announcement explicitly mentions a rainbow table, so that’s a good indicator that they’re exploiting this vulnerability.

Well that sucks. What can we, or rather Apple, do about it?

If you’re worried about leaking your identifier, an immediate solution is to turn off AirDrop, assuming such a thing is possible. (I haven’t tried it, so I don’t know if turning this off will really stop your phone from talking to other people!) Alternatively you can unregister your Apple ID, or use a bizarre high-entropy Apple ID that nobody will possibly guess. Apple could also reduce their use of logging.

But those solutions are all terrible.

The proper technical solution is for Apple to replace their hashing-based protocol with a proper PSI protocol, which will — as previously discussed — reveal only one bit of information: whether the receiver has the sender’s address(es) in their Contacts list. Indeed, that’s the solution that the Darmstadt researchers propose. They even devised a Diffie-Hellman-based PSI protocol called “PrivateDrop” and [usenix.org] showed that it can be used to solve this problem.

But this is not necessarily an easy solution, for reasons that are both technical and political. It’s worth noting that Apple almost certainly knew from the get-go that their protocol was vulnerable to these attacks — but even if they didn’t, they were told about these issues back in May 2019 by the Darmstadt folks. It’s now 2024, and Chinese authorities are exploiting it. So clearly it was not an easy fix.

Some of this stems from the fact that PSI protocols are more computationally heavy that the hashing-based protocol, and some of it (may) stem from the need for more interaction between each pair of devices. Although these costs are not particularly unbearable, it’s important to remember that phone battery life and BLE/WiFi bandwidth is precious to Apple, so even minor costs are hard to bear. Finally, Apple may not view this as really being an issue.

However in this case there is an even tougher political dimension.

Will Apple even fix this, given that Chinese authorities are now exploiting it?

And here we find the hundred billion dollar question: if Apple actually replaced their existing protocol with PrivateDrop, would that be viewed negatively by the Chinese government?

Those of us on the outside can only speculate about this. However, the facts are pretty worrying: Apple has enormous manufacturing and sales resources located inside of China, which makes them extremely vulnerable to an irritated Chinese government. They have, in the past, taken actions that appeared to be targeted at restricting AirDrop use within China — and although there’s no definitive proof of their motivations, it certainly looked bad.

Finally, Apple has recently been the subject of pressure by the Indian government [washingtonpost.com] over its decision to alert journalists [techcrunch.com] about a set of allegedly state-sponsored attacks. Apple’s response to this pressure was to substantially tone down its warnings. And Apple has many fewer resources at stake in India than in China, although that’s slowly changing [wsj.com].

Hence there is a legitimate question about whether it’s politically wise for Apple to make a big technical improvement to their AirDrop privacy, right at the moment that the lack of privacy is being viewed as an asset by authorities in China. Even if this attack isn’t really that critical to law enforcement within China, the decision to “fix” it could very well be seen as a slap in the face.

One hopes that despite all these concerns, we’ll soon see a substantial push to improve the privacy of AirDrop. But I’m not going to hold my breath.

trusting-corps-to-protect-you dept.

China forensic firm cracks Apple’s AirDrop to help Beijing police track senders [scmp.com]:

AdvertisementAdvertisementChina’s Communist Party [scmp.com]+ FOLLOWGet more with myNEWSA personalised news feed of stories that matter to youLearn more [scmp.com]Beijing’s Municipal Bureau of Justice has said that a private company cracked an Airdrop file shared to a subway passenger’s phone. Photo: ShutterstockChina [scmp.com]Politics [scmp.com]China forensic firm cracks Apple’s AirDrop to help Beijing police track senders

• Suspects accused of sending ‘inappropriate speech’ to subway passenger via the anonymous filesharing service ‘identified’
• Authorities turned to the private company because the iPhone feature is hard to regulate through conventional surveillance

China’s Communist Party [scmp.com]+ FOLLOWYuanyue Dang [scmp.com]in Beijing+ FOLLOWPublished: 1:59pm, 9 Jan, 2024Why you can trust SCMP [scmp.com]A Beijing-based forensics firm has helped police to track down people using Apple’s AirDrop [scmp.com] feature to send “ inappropriate speech [scmp.com]”, according to the Chinese capital’s Bureau of Justice.

In an article published on its official WeChat account on Monday, the bureau said forensic firm Beijing Wangshendongjian Technology Co Ltd had “broken through the technical difficulties of tracing anonymous AirDrops”.

The firm “prevented the further spread and potential bad influence of inappropriate speech” on the Beijing subway, when a passenger’s iPhone received an unacceptable video via AirDrop, the bureau said.

The file-sharing service allows Apple device users to share files with nearby users via Wi-fi or Bluetooth without revealing their identity. It was used during protests against strict Covid-19 restrictions in 2022, as well as in Hong Kong’s 2019 unrest.

“Due to the anonymity of AirDrop and the difficulty of tracking it, some netizens have already started to follow this behaviour, so the source of the transmission must be identified as soon as possible to avoid bad influence,” the article said.

Apple’s AirDrop in focus as China moves to restrict ‘short-range’ file-sharing [scmp.com]

Because the feature could be used without an internet connection, it was difficult for police to regulate “through conventional internet surveillance means”, it said.

The bureau did not specify when the incident occurred, but said Wangshendongjian analysed the iPhone’s logs and found the sender’s mobile number and email address in the form of hash values, some of them hidden.

Wangshendongjian then used a “rainbow table” of cracked passwords to decode enough information from the files to help police “identify several suspects”, according to the article.

The company, a subsidiary of cybersecurity firm Qi An Xin Technology Group Inc (QAX), had handled 850 investigations since its founding in 2020, mostly for “public security clients and criminal cases”, the article said.

The parent company did not immediately respond to a request for comment from the South China Morning Post.

QAX’s website, as well as mainland media reports, indicate that the company provides services to police in several provinces. Wangshendongjian belongs to a division that focuses on research into forensic techniques for electronic devices.

China’s internet watchdog to boost tip-offs to stamp out ‘illegal’ content [scmp.com]

The parent company had a total revenue of 6.2 billion yuan (US$868 million) in 2022 and “ranks first in the industry in terms of staff size, revenue scale and product coverage”, according to its website.

Apple updated its operating system in November 2022, imposing a 10-minute limit on the sharing of AirDrop content on all iPhones sold in mainland China, weeks after the service was used to share pictures from a protest in Beijing.

The company did not explain the reason for the update, which appeared to be aimed at preventing Chinese iPhone users from bypassing the country’s strict internet censorship rules.

In July 2023, the Cyberspace Administration of China – the top internet watchdog – introduced a draft regulation aimed at further restricting the use of AirDrop to “safeguard national security”.

11

Apple limited a crucial AirDrop function in China just weeks before protests [cnbc.com]:

Protests in China have attracted international attention as the greatest challenge of President Xi Jinping's premiership and a major knock to the Chinese Communist Party's (CCP) longstanding authority.

But their spread within China was partially hobbled by a key change in Apple [cnbc.com]'s AirDrop feature, launched just weeks before the unrest.

AirDrop, which allows users to share content between Apple devices, has become an important tool in protestors' efforts to circumvent authoritarian censorship regimes over recent years.

That is because it relies on wireless connections between phones, rather than internet connectivity, placing it beyond the scope of internet content moderators. It uses Bluetooth to form a peer-to-peer Wi-Fi network between two devices.

The tool was used widely during Hong Kong's 2019 pro-democracy protests, when demonstrators would share messages and protest literature [qz.com] with passers by and visitors from mainland China through AirDrop's open network.

More recently, in mid-October, AirDrop was reportedly used to disseminate messages based on banners produced by a Beijing demonstrator [nytimes.com] known as "Bridge man."

Original Submission