
AppleFan93

macrumors newbie
Original poster
Mar 30, 2016
I wanted to see if a developer or someone more knowledgeable than me could verify if this is possible. It would be considered a Trojan Horse attack.

Basically when I pair my car's Bluetooth to my iPhone it starts downloading contacts automatically. I don't have to approve of this aside from pairing my phone.

Is it possible that someone could create a device (we will use a Bluetooth speaker for this example) that a victim connects to via Bluetooth, but which also mines the data on their phone over the Bluetooth connection, sending it to the attacker's device/server via Wi-Fi or another connection to be collected?
 
When pairing to your car via Bluetooth there are Bluetooth profiles that it can access for various functionality.

What you're referring to is phone book access profile (PBAP) as described here: https://support.apple.com/en-us/HT204387

Also according to that article there should be an encrypted connection between the two paired devices which should prevent any packet sniffing.

The reason your car is able to connect automatically is because you paired it before and likely had to type in a pairing code on initial setup.

"Pairing may require user authorization depending on Apple product. Once an accessory is paired with an Apple product, it shall retain the distributed keys of both central and peripheral for future use. If the pairing is no longer required, the accessory shall delete both sets of keys."

From: https://developer.apple.com/hardwaredrivers/BluetoothDesignGuidelines.pdf#page23

While it is possible that somebody could attempt to connect to your iPhone via Bluetooth, you would have to approve it on your iPhone. So if you didn't approve it they wouldn't be able to connect. That said, if you have any concerns of Bluetooth security, disable Bluetooth when you do not need it.

Hope this helps.
 
My Mazda downloads the data (contacts/address book) from the phone, but it needs approval from me the first time the Bluetooth tries to connect and requires a pairing PIN given by the stereo, but at no time afterwards. Have you tried another vehicle to make sure it isn't related to just your vehicle? Since my vehicle is confirmed to need permission, perhaps the issue is only related to certain car manufacturers?
 

This is not what I am referring to. I am referring to a Trojan Horse attack. For example, an attacker sets up a Bluetooth speaker at a picnic area at a popular park with a sign saying it is a complimentary bluetooth speaker for the park goers to use during their picnic. It looks official so the victim pairs their phone with the Bluetooth speaker so they can play music for all their friends from their iPhone. Unknown to the victim the bluetooth speaker is not only playing their music, but it is also downloading their contacts. This information is stored on an on board hard drive. After a few days the attacker comes by, collects the bluetooth speaker and harvests the data off of it.

At no point does it ask for permission to access the contacts, it is just downloaded.
 
Yes, if you pair your phone with any bluetooth device, you're giving permission to that device to get information from your phone.

Don't connect to devices you don't trust.

It's just like the "don't plug your phone into computers you don't trust" rule.

Anytime you authorize a connection to another device, you're opening some risk that that device (if malicious) could do something to your phone; that's why there's an authorization step.
 

Yes, but many people don't know that. The vulnerability here is that an unsuspecting victim does not have a way of knowing the device is accessing personal information and can't do anything about it. The fix would be to make it so the iPhone has to grant permission for the things the bluetooth device wants to access, similar to how apps have to have permission.
 
Not sure what to say here.

You're explicitly giving the bluetooth device you're pairing to permission to access certain parts of your phone (discussed in the linked article above) when you pair it using the PIN code.
 

And what I am saying is that the average user would not understand that pairing their phone through Bluetooth gives permission to access contacts and other data on the device. Apple should have a prompt come up asking if you are sure you want to grant access to the data the Bluetooth device wants to access.
 
The "average user" does lots of things that open themselves up to security risks, and there's only so much an OS can do to prevent users from giving permission to things they shouldn't.

You presented this as a "possible trojan horse security vulnerability", which it really isn't.
 
Do you want Apple to warn people about connecting to every single WiFi network as well? Because you seem to want Apple to protect its users from every possible thing.
 
Ok, let's get back on topic. Is what I am talking about feasible? Can someone download personal information from an iPhone without the user knowing by disguising a data collector as a bluetooth speaker?
 
What you're saying is feasible, though it's basically limited to the address book. It would also take a very gullible person to be foolish enough to pair their devices with random hardware, but it's possible. People also willingly give their credit card information and social security number to telephone phishers every day. I'd call this less a "security vulnerability" and more just the fault of the end user.

As was mentioned, public WiFi is a greater security risk. I never do anything requiring passwords or logging in on public WiFi for those reasons.
 

So, just a question here. Doesn't the Bluetooth speaker itself have some kind of way to handle the contacts? For example, a car has a built-in OS for showing the address book and recent calls. Do all Bluetooth speakers really have that?
 
Well, the way it sounds, realistically speaking, just like iOS has prompts for apps to access contacts or other OS-related items, it's not a stretch to say that a bluetooth device should similarly go through that sort of a process to access something like contacts.
 

That's exactly what I am getting at. I am not sure if I'm not communicating my message well or what, because I don't think everyone else was understanding what I was saying.
 
That means, however, that every time your phone connects/disconnects from your car bluetooth while you're driving, that you'll have to pick up the phone and accept a dialogue to be able to dial through your car.

For what's supposed to be a "hands free" system, that's adding an awful lot of "hands on" activity.

The whole point of bluetooth is that it's the wireless equivalent of a direct connection. When you plug your iPhone into a speaker system via a lightning cable, it has access to control the music app of your iPhone, and downloads the information from your music library.

When you pair to a device, you're pairing to it for specific reasons, and giving it access to your phone so you can use said device to do something (using your phone).

We all understand what you're saying, but what you're suggesting is a huge over-protection for something that isn't really a problem, any more than any other "PEBKAC" issue. If a Bluetooth device could connect to your phone without your knowledge, that would be a problem, but since there's a defined pairing algorithm that you have to physically accept, it becomes a user error. Requiring a secondary authentication for every subsequent thing you want to do using that pairing is the very definition of over-engineering.
 
Using the same type of logic as there is when it comes to apps in relation to this, it would only need to be done once the first time essentially.
 
I think this would be very useful, not so much because of the risk of being attacked by a "rogue Bluetooth speaker", but because I sometimes like to pair my phone to rental cars when traveling. I'd like to be able to use the car speakers for phone calls and listening to my music, but prevent the car from downloading my contacts. There is usually a way to delete the data before you return the car, but it's not always easy to figure out how.
 
My car's Bluetooth merely displays my iPhone contacts. Which means it does not save my contacts and has nothing to show once I disconnect my device, just like my music, which is not saved either. As soon as I reconnect, my contacts reappear, along with any new entries I might have added in the interim. So I guess the contacts are stored in the cache memory, which gets cleared once I disconnect.

Having said that, the OP's method might work. If the Bluetooth standard allows manipulating data from a connected device, someone with nefarious intentions might find a way to extract it, provided that his mark connects to the rogue Bluetooth device. Of course, this can be done by an app too. (TrueCaller does it, albeit with your permission).
 
Correct, I didn't get your original intention, I thought you meant if somebody could use a Bluetooth device to connect to your iPhone and then pull information without your permission.

Now, I get your point but do we really need another warning on our phones? If you connect to something you don't own then of course you run the risk of giving away information.
 
Well, to be fair, similar reasoning was used about apps as well: if you install an app and run it then you should be OK with it accessing things on your phone, right? Clearly, while that was the approach for some time, things changed to where permission had to be obtained when accessing various OS-level things like contacts, photos, calendars, camera, microphone, etc. This doesn't exactly seem that much different, or any more obtrusive than what we already have had in place for apps for a number of years.
 
The difference is we know what Bluetooth could potentially access, as it's a standard and Apple defines it on their website. We do not know what an app uses without having access to the code or without the app prompting.

It does seem like there might be an underlying vulnerability in Bluetooth if you can't deny access to certain Bluetooth profiles. For example why would a speaker need access to my contact information? It does seem to be limited what is accessed over Bluetooth as per the support article I linked earlier but it would be nice to control what has access to what Bluetooth profile.
 
The concerns voiced here apply to Bluetooth in general, not to iPhone alone. Bluetooth has been around for a long time, and due to its widespread use, has also received substantial attention from security experts. For example, see the Security section of Wikipedia's main Bluetooth article.

Different kinds of Bluetooth devices use different, standard Bluetooth protocols. The protocol for speakers (A2DP - advanced audio distribution profile) does not include the ability to transfer contact data. The transfer of contact data requires PBAP - phone book access profile. PBAP triggers specific security protocols within iPhone (a higher level of security than if A2DP alone was in use).

Here's what Apple's iOS Security Guide https://www.apple.com/business/docs/iOS_Security_Guide.pdf has to say:
Bluetooth support in iOS has been designed to provide useful functionality without unnecessary increased access to private data. iOS devices support Encryption Mode 3, Security Mode 4, and Service Level 1 connections. iOS supports the following Bluetooth profiles:

• Hands-Free Profile (HFP 1.5)
• Phone Book Access Profile (PBAP)
• Advanced Audio Distribution Profile (A2DP)
• Audio/Video Remote Control Profile (AVRCP)
• Personal Area Network Profile (PAN)
• Human Interface Device Profile (HID)

Support for these profiles varies by device. For more information, see https://support.apple.com/kb/ht3647.

PBAP requires encrypted data, and the mobile device provides the encryption key necessary to decrypt contact data stored in the car system. When the mobile device is not present, the data cannot be decrypted. This safeguards data that may be "left behind" in a rental car.

That's not to say some clever people couldn't create a "wolf in sheep's clothing" (appears to be a Bluetooth speaker but is more than that). However, even if a trojan horse was built, the people of Troy would be asked (in effect), "Do you want to roll a wooden horse full of Greek soldiers into the city?" At that point, it ceases to be a trojan horse, and becomes simple foolishness on the Trojan's part.
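The distinction drawn above (A2DP/AVRCP for audio, PBAP for the address book) is visible in the service UUIDs a paired device advertises, so one practical check is to audit your own paired devices for the PBAP client role. The following is an added example, not code from the thread or from Apple: it parses text in the shape of `bluetoothctl info` output (the sample here is constructed, including the device names and addresses) and reports which devices advertise a service that can move contacts. It only shows what a device says it supports, not what it has actually pulled.

```python
import re

# Bluetooth SIG 16-bit service class UUIDs for the profiles listed in the
# quoted iOS Security Guide. Only the PBAP roles (0x112E client, 0x112F
# server) can transfer an address book; A2DP/AVRCP/HFP cannot.
PROFILE_UUIDS = {
    0x110A: ("A2DP", "Audio Source", False),
    0x110B: ("A2DP", "Audio Sink", False),
    0x110C: ("AVRCP", "A/V Remote Control Target", False),
    0x110E: ("AVRCP", "A/V Remote Control", False),
    0x1116: ("PAN", "NAP", False),
    0x111E: ("HFP", "Handsfree", False),
    0x111F: ("HFP", "Handsfree Audio Gateway", False),
    0x1124: ("HID", "Human Interface Device", False),
    0x112E: ("PBAP", "Phonebook Access - PCE", True),   # client: pulls contacts
    0x112F: ("PBAP", "Phonebook Access - PSE", True),   # server: serves contacts
}

# 16-bit UUIDs appear as 0000XXXX-0000-1000-8000-00805f9b34fb (Bluetooth base UUID).
UUID_RE = re.compile(r"\(([0-9a-f]{8})-0000-1000-8000-00805f9b34fb\)", re.I)
DEVICE_RE = re.compile(r"^Device ([0-9A-F]{2}(?::[0-9A-F]{2}){5})")

# Constructed sample in the layout of `bluetoothctl info`; addresses and names are made up.
SAMPLE = """\
Device AA:BB:CC:DD:EE:01 (public)
    Name: Picnic Speaker
    Paired: yes
    UUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
    UUID: A/V Remote Control        (0000110e-0000-1000-8000-00805f9b34fb)
    UUID: Handsfree Audio Gateway   (0000111f-0000-1000-8000-00805f9b34fb)
    UUID: Phonebook Access - PCE    (0000112e-0000-1000-8000-00805f9b34fb)
Device AA:BB:CC:DD:EE:02 (public)
    Name: Plain Speaker
    Paired: yes
    UUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
"""

def parse_devices(text):
    """Return {address: {"name": str, "uuids": set of 16-bit service UUIDs}}."""
    devices, current = {}, None
    for raw in text.splitlines():
        m = DEVICE_RE.match(raw)
        if m:
            current = devices.setdefault(m.group(1), {"name": "", "uuids": set()})
            continue
        line = raw.strip()
        if current is None:
            continue
        if line.startswith("Name:"):
            current["name"] = line[len("Name:"):].strip()
        m = UUID_RE.search(line)
        if m:
            current["uuids"].add(int(m.group(1), 16))
    return devices

def audit(text):
    """One row per device: (address, name, sorted profile names, sorted PBAP services)."""
    rows = []
    for addr, info in parse_devices(text).items():
        known = [PROFILE_UUIDS[u] for u in info["uuids"] if u in PROFILE_UUIDS]
        profiles = sorted({p[0] for p in known})
        contact_services = sorted(p[1] for p in known if p[2])
        rows.append((addr, info["name"], profiles, contact_services))
    return rows

if __name__ == "__main__":
    for addr, name, profiles, pbap in audit(SAMPLE):
        flag = "CAN PULL CONTACTS" if pbap else "audio/control only"
        print(f"{addr}  {name!r:20} {','.join(profiles):24} {flag}")
```

A speaker that advertises only A2DP/AVRCP has no profile for reading the address book; one that also advertises the PBAP client role is the case the thread is worried about, and the pairing decision is the point at which to notice it.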
 