Volume 2021 (2021): Issue 3 (July 2021)
Journal data
License
Format
Journal
First published
16 Apr 2015
Publication frequency
4 issues per year
Languages
English
Access type: Open Access

Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System

Published online: 27 Apr 2021
Page range: 227 - 245
Submitted: 30 Nov 2020
Accepted: 16 Mar 2021
