At Def Con 2023, some attendees were shown in real-time how a relatively cheap device leveraging Bluetooth flaws can force bogus notifications and potentially get the user to surrender sensitive data.
This cheap device can spoof an Apple TV
Walking around a conference dedicated to hacking devices and software typically means seeing all sorts of real world attacks, albeit in a specialized setting. And as some attendees discovered this year, it can also mean personal data is potentially up for grabs at any given moment.
Take, for example, a research project put together by Jae Bochs shows just how easy it is to take advantage of Apple's own utilization of Bluetooth Low Energy, or BLE, to try and nab a user's information. Bochs's project had a couple of purposes, the first being to remind folks that simply using Control Center to disable Bluetooth doesn't actually get the job done.
The second was to simply have a laugh as Bochs walked around the conference, stood in lines, and visited vendors. They did try to remember to turn their device off if they stopped to have a chat with someone, though, according to TechCrunch.
The device is a combination of several elements, like a Raspberry Pi Zero 2 W, a Linux-compatible Bluetooth adapter, a couple of antennas, and an external battery. All told, Bochs says it costs around $70, which means a relatively inexpensive device can quickly cause some specific havoc on Apple devices within 50 feet.
It comes down to communication between devices, which at this point Apple relies heavily on for its ecosystem. By tapping BLE, devices like iPhones can talk to one another when they get within a set range, which can then prompt "proximity actions."
The device causes these actions, so as Bochs walked around the conference he was able to send a prompt to nearby iPhones asking them to auto-fill their password into a nearby Apple TV. Despite the fact there wasn't an Apple TV near them.
Luckily, Bochs's device wasn't built to attain any personal information, even if someone did tap on the prompt and insert their password for some reason. However, he does say there is a possibility where that could happen.
"If a user were to interact with the prompts, and if the other end was set up to respond convincingly, I think you could get the victim' to transfer a password. There's an issue known for a few years where you can retrieve phone number, Apple ID email, and current Wi-Fi network from the packets."
Apple is aware of the issue, and has been since 2019. However, Bochs does not expect the company to do anything about it because so little information can be shared through this process, and it's an integral feature to the Apple ecosystem as a whole.
Bochs does suggest Apple could offer a better prompt for users, letting them know what's happening when they tap the Bluetooth icon in Control Center.
How to protect yourself from this kind of attack
This is all about situational awareness. Bluetooth isn't known for being particularly great for security purposes, but in this particular situation it comes down to knowing your environment.
As Bochs notes, this particular moment is for the laughs, because it's an Apple TV prompting for a password at a hacker convention. It's obviously not any one person's personal Apple TV, so if you see this or similar while out, obviously don't input your password.
However, out in the real world a similar prompt could pop up, which means the individual needs to be aware what personal devices are being carried, like an AirTag or pair of AirPods Pro. If a random device starts prompting you for a password, the safe bet is to ignore it entirely, especially if you don't recognize it.
As a reminder, the only way to fully disable Bluetooth or Wi-Fi is to do so in the Settings app.