Apple Wireless Direct Link (AWDL), a protocol installed on over 1.2 billion Apple devices, contains vulnerabilities that allow attackers to track users, crash devices, or capture files transferred between devices via man-in-the-middle (MitM) attacks.
These are the findings of a research project that began last year at the Technical University of Darmstadt, Germany, and recently concluded. The researchers will present their findings later this month at a US security conference.
The project sought to analyze Apple Wireless Direct Link (AWDL), a protocol that Apple rolled out in 201
German and American scientists reverse engineered AWDL
But for the past five years, Apple has not published any in-depth technical details on how AWDL works. This, in turn, has led to very few security researchers looking at AWDL for bugs or implementation errors.
However, due to the increasing ubiquity of the protocol in the everyday lives of all Apple users, in 2018 a team of TU Darmstadt academics, later joined by academics from Boston's Northeastern University, decided to take a look at AWDL and how the protocol works.
"Considering the well-known rocky history of wireless protocol security, with various errors repeatedly detected in Bluetooth, WEP, WPA2, GSM, UMTS and LTE, the lack of information regarding AWDL security is a significant concern given the growing number of services that depend on it," the research team said.
To study it, scientists reverse engineered the AWDL protocol and then rewrote it as a C implementation called Open Wireless Link (OWL), which they later used to test the real AWDL protocol for various attacks.
"Our analysis reveals multiple security and privacy vulnerabilities that range from design flaws to implementation flaws that enable different types of attacks," the research team said.
As a result of their work, researchers discovered:
- A MitM attack that intercepts and alters files transferred via AirDrop, effectively enabling malicious files to be planted.
- A long-term device tracking attack that works despite MAC randomization and can reveal personal information, such as the name of the device owner (over 75% of experiment cases).
- A DoS attack aimed at the AWDL selection mechanism that deliberately desynchronizes the target's channel sequences, effectively preventing communication with other AWDL devices.
- Two additional DoS attacks on Apple's AWDL implementation in the Wi-Fi driver. The attacks make it possible to crash nearby Apple devices by injecting specially crafted frames. The attacks can be directed at a single victim or affect all nearby devices at the same time.
A demo video of the first attack shows how scientists were able to change files in transit, sent via an AWDL connection.
While AWDL contained various security features to prevent attackers from establishing rogue MitM connections to legitimate devices without authorization, the research team managed to bypass these systems.
They did this using a TCP reset attack that blocked AWDL connectivity and allowed researchers to interpose their $20 hardware rig between the two devices and establish legitimate connections with both sender and recipient.
AWDL is ideal for pervasive user tracking
But while MitM attacks are difficult to pull off and DoS attacks that crash devices are rarely useful, the AWDL vulnerabilities that allow user tracking are the ones that really matter.
For this attack, the research team said they were able to obtain information from an AWDL connection, such as the device hostname, the real MAC address (even if the device has MAC address randomization enabled), the access point (AP) the device is connected to, the device class (iOS, watchOS, macOS, tvOS, etc.), and the AWDL protocol version.
This information, researchers claim, is more than enough to create profiles and track users. Combined with data from online advertisers and analytics providers, it can be used to connect devices to their real owners.
The research team worried that AWDL-based tracking technology could be deployed in stores or public spaces to track users' movement through an area.
Some bugs require a protocol/service redesign
As for patches for these attacks, the research team said they notified Apple of all the vulnerabilities they found, between August and December 2018.
"While Apple was able to provide a solution for a DoS attack vulnerability after our responsible disclosure, the other security and privacy vulnerabilities require redesign of some of their services," said researchers.
The fix for the AWDL DoS bug (CVE-2019-8612) rolled out in mid-May, with the release of iOS 12.3, tvOS 12.3, watchOS 5.2.1 and macOS 10.14.5.
The rest of the AWDL vulnerabilities are likely to remain exploitable for the foreseeable future.
Some errors can affect Android devices
Furthermore, the same bugs can also affect Android and other types of devices, the researchers warned.
"The impact of these findings extends beyond the Apple ecosystem, as the Wi-Fi Alliance adopted AWDL as the basis for Neighbor Awareness Networking (NAN), which may therefore be subject to similar attacks," the research team said.
"NAN, often known as Wi-Fi Aware, is a new standard supported by Android that draws on AWDL's design and thus may be vulnerable to the similar attacks presented in [our] work."
This is, however, not confirmed, and further research is needed on the effect of these AWDL bugs on real-world Android NAN (Wi-Fi Aware) implementations.
More details about the vulnerabilities described in this article are available in a pre-print white paper called "A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link," which the research team will present at the USENIX Security conference in mid-August, in a few weeks.