Airdrop Crazy

Disclaimer

These scripts are experimental PoCs that show what an attacker get from Apple devices if they sniff Bluetooth traffic.

This project is created only for educational purposes and cannot be used for law violation or personal gain.
The author of this project is not responsible for any possible harm caused by the materials of this project

This project is a hard fork of the project created by the Hexway team called Apple bleee

Requirements

I have adapted those scripts deleting all the function that was not available and refactoring the scripts in order to use a more Pythonic and modern way to organize the code. Please read carefully the OWL and Opendrop documentation in order to understand what's going on underneath these scripts. Also, you need for the airdrop part an Active Monitor Network Card as the Authors said, the Atheros AR9280 should work but you can use the TP-LINK Archer T2U/T1U if you want a usb card. We have tested the tool with Ubuntu 18.03 and Linux 5+ Kernel due to the TP-Link Archer requieremnets

Installation

# clone main repo
git clone https://github.com/ElevenPaths/Airdrop-Crazy && cd ./airdrop_crazy
sudo ./install.sh [NGROK_AUTH_TOKEN] [IFACE]

To change the wireless interface, bluetooth interface or channel just go to airdropcrazy/src/init.py

Raspberry

• Donwload this version of raspbian Buster: http://downloads.raspberrypi.org/raspbian/images/raspbian-2019-09-30/
• Download the firmware for the mediatech card TP-Link T2U: http://anduin.linuxfromscratch.org/sources/linux-firmware/mediatek/mt7610u.bin
• Copy the mt7610u.binfirmawre to the raspberry path /lib/firmware/mediatek
• Run sudo modprobe -r mt76x0 and then sudo modprobe mt76x0

How to use

Before using the tool, check that your Bluetooth adapter is connected

hcitool dev
Devices:
    hci0    XX:XX:XX:XX:XX:XX

Then make sure you have downloaded owl and you have a compatible network card that supports active framing.

There are two main ways to use the tool:

• Server mode: Follow the instructions to run the tool with the app and local server
• CLI Scripts: Run the scripts local with the cli

Server Mode

In this mode, you need the companion iOS app to display the information, these are all the requirements:

• Ngrok: To expose the local server to the app, just follow the instructions in the webpage.
• XCode: To compile the SwiftUI project.

First you need to select the wirless interface in airdrop_crazy/src/views.py, in the code line airdrop_leak = AirdropLeak(iface="") Then you need to

Now you just need to run the local server with bash bootstrap.sh or python3 app.py.

And then scan the qr generated with the app.

CLI: ble_read_script.py

This script sniffs BLE traffic and displays status messages from Apple devices. Moreover, the tool detects requests for password sharing from Apple devices. In these packets, we can get first 3 bytes of sha256(phone_number) and could try to guess the original phone number using prepared tables with phone hash values.

python3 ble_read_state.py -h
usage: ble_read_state.py [-h] [-t TTL] [-b BLE_IFACE] [-w W_IFACE] [-s] [-a]

Apple bleee. Apple device sniffer
---chipik

optional arguments:
  -h, --help            show this help message and exit
  -t TTL, --ttl TTL     Time To Live
  -b BLE_IFACE, --ble_iface BLE_IFACE
                        Bluetooth inteface
  -w W_IFACE, --w_iface W_IFACE
                        Wireless Interface
  -s, --ssid            Get SSID from request
  -a, --airdrop         Get info from AWDL airdrop
  -d, --debug           Debug mode

For monitoring you can just run the script without any parameters

sudo python3 ble_read_state.py

press Ctrl+q to exit

CLI: airdrop_leak.py

This script allows to get mobile phone number of any user who will try to send file via AirDrop

For this script, we'll need AWDL interface. Never use owl with the -N flag as it could lead into problems, always check if you have active monitor mode

Now, you can run the script

python3 airdrop_leak.py -h
usage: airdrop_leak.py [-h] [-n NAME] [-i IFACE] [-p PHONE] [-m MAIL]

    AirPods advertise spoofing PoC
    ---chipik
    

optional arguments:
  -h, --help            show this help message and exit
  -n NAME, --name NAME  Name of the interface
  -i IFACE, --iface IFACE
                        Wireless inteface
  -p PHONE, --phone PHONE
                        phone
  -m MAIL, --mail MAIL  mail

With no params, the script just displays phone hash and ipv6 address of the sender

sudo python3 airdrop_leak.py

CLI: adv_wifi.py

This script sends BLE messages with WiFi password sharing request. This PoC shows that an attacker can trigger a pop up message on the target device if he/she knows any phone/email that exists on the victim's device

python3 adv_wifi.py -h
usage: adv_wifi.py [-h] [-p PHONE] [-e EMAIL] [-a APPLEID] -s SSID
                   [-i INTERVAL]

WiFi password sharing spoofing PoC
---chipik

optional arguments:
  -h, --help            show this help message and exit
  -p PHONE, --phone PHONE
                        Phone number (example: 39217XXX514)
  -e EMAIL, --email EMAIL
                        Email address (example: [email protected])
  -a APPLEID, --appleid APPLEID
                        Email address (example: [email protected])
  -s SSID, --ssid SSID  WiFi SSID (example: test)
  -i INTERVAL, --interval INTERVAL
                        Advertising interval

For a WiFi password request, we'll need to specify any contact (email/phone) that exists in a victim's contacts and the SSID of a WiFi network the victim knows

sudo python3 adv_wifi.py -e [email protected] -s hexway

CLI: adv_airpods.py

This script mimics AirPods by sending BLE messages

python3 adv_airpods.py -h
usage: adv_airpods.py [-h] [-i INTERVAL] [-r] [-b BLE_IFACE]

    AirPods advertise spoofing PoC
    ---chipik
    

optional arguments:
  -h, --help            show this help message and exit
  -i INTERVAL, --interval INTERVAL
                        Advertising interval
  -r, --random          Send random charge values
  -b BLE_IFACE, --ble_iface BLE_IFACE
                        Bluetooth inteface

Let's send BLE messages with random charge values for headphones

sudo python3 adv_airpods.py -r

Api phone

This service allows to build a service to request the hashed phones, just update the generate_number/generate_hashes functions in views.py to adapt to your phone number requirements.

Troubleshooting

If you have problem finding your bluetooth dongle, might be an issue from bluez. Just run these commands:

sudo add-apt-repository ppa:bluetooth/bluez sudo apt update sudo apt install bluez And restart your machine

If your are working in a virtual machine in macOS Catalina you might wanna change the default hci behaviour introduced with this command:

sudo nvram bluetoothHostControllerSwitchBehavior="never"

Contacts

• Lucas Fernandez

• Pablo Gonzalez