1. A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through AppleWireless Direct Link (AWDL)
Milan Stute1, Sashank Narain2, Alex Mariotto, Alexander Heinrich, and David Kreitschmann, Guevara Noubir, Matthias Hollick

2. AWDL: Apple's Wireless Direct Link
“The limitations of IBSS mode (and its Wi-Fi infrastructure predecessors) led the Wi-Fi Alliance to define Wi-Fi Direct. Further, due to concerns regarding Wi-Fi Direct, Apple Wireless Direct Link (AWDL) was developed by Apple and eventually adopted by the Wi-Fi Alliance as the basis for Neighbor Awareness Networking (NAN).”
A Low latency/high speed WiFi peer-to peer-connection
An Instance of “Wifi Direct” Standard
Like IEEE Standard, it uses channels to separate signals
Physical Layer and Data Link Layer in the OSI Model
AWDL

3. AWDL: Channels
Channel information is in the form of Available Windows (AW).
AW: Sequence of 16 channel numbers
Each channel takes 64 Time Unit.
Each Time Unit (TU) takes 1024 μs
Each Period (τ) takes 1024*64*16 ≈ 1 s

4. AWDL: Sychronization WORKFLOW: Action Frame (AF): Master
Elect a Master
Sychronize to Master's clock by sending Action Frame (AF)
Communicate only in the same channel
Sychronize
Sychronize
Node1
Node2
Communicate
Action Frame (AF):
Data frame sent when ADWL starts.
It contains:
1. Sychronization Parameters: AW, time until next AW starts
2. Sensitive Informations: MAC address, AP, hostname, device class, AWDL protocol version.

5. One AWDL Application: Airdrop
In a nutshell, AirDrop is an ad-hoc service enabling the transfer of files over Wi-Fi and Bluetooth.
Airdrop uses BLE advertisement to discover, AWDL to communicate.
Airdrop's Workflow is divided in three parts: Discovery, Authentication and Data Transfer

6. Airdrop: Permission Mode

7. Airdrop: How to Discover?
16 bit
Sender's Contact identifiers, like address or #Tel 2 1
Bluetooth 3
AWDL 4
Communicate via the same channel 5
Locate Airdrop Service IP

8. Airdrop: How to Authenticate?1 2 3
TLS connection and HTTPS are secure enough!

9. Airdrop: How to Transfer?1 3 2

10. Attacks: Overview 1. Privacy Leaks:
Goal: Associate Username and MAC address
How: Sensitive information in AF
Bluetooth + AWDL
2. Denial of Service by Desynchronization:
Goal: Prevent Synchronization process
How: Send different synchronization parameters to either targets
AWDL
3. Man in the Middle Attack:
Goal: Modify files transferred by Airdrop
How: Prevent sender from authenticating to receiver. Attacker pretend to be sender and relay sender’s ask request and modify sender’s upload request.
Airdrop
4. Denial of Service by Rebooting:
Goal: Reboot target devices
How: Send corrupted AF
AWDL

11. Attacks: Privacy Leak Goal: To Match Username and MAC address WORKFLOW
1. Devices send AF upon BLE advertisement
· Everyone mode: Upon any BLE advertisement
· Contacts-only: When contact identifiers match
2. Brute forcing a 16-bit search space if contacts-only
· Customizing BLE advertisement sender for efficiency
3. Capture sensitive information in AWDL specific fields, because they are sent in the clear
AWDL protocol:
MAC randomization Hostname, MAC address, AP, Version Info
IEEE header
AWDL specific fields
Data

12. Attacks: Privacy Leak
PERFORMANCE

13. Attacks: DoS by Desynchronization
Goal: To Prevent Synchronization
WORKFLOW
1. Attacker Wins Master Election
where c increases over time when a node is elected as master,
m is a random number
2. Sending different Synchronization Parameters via AF
PERFORMANCE

14. Attacks: Man in the Middle
Goal: Modify Airdrop Data Transferred
WORKFLOW 1 2 3 4
Relay
Modify

15. Attacks: Man in the Middle
Demo

16. Attacks: DoS by Rebooting
Goal: To Reboot Target Devices
WORKFLOW
1. Send Corrupted AF
Demo

17. Q & A
Q: How is the attacker even able to communicate using Apple’s proprietary AWDL protocol?
A: Open Wireless Link project
Self Implementation of Airdrop and AWDL

18. Future Work? Further reading: AWDL is used in Apple’s Homepod
Possible attacks?