A hack, fixed as of iOS 11.2, that accesses services and information on Bluetooth-enabled devices

Technology description

Bluetooth communications are on the rise: millions of users rely on the technology to connect to peripherals that make everyday tasks simpler and more convenient. For iOS 11.1.2 and earlier there is a trick, or hack, that exploits the way Bluetooth profiles are managed and has a privacy impact on users who rely on Bluetooth every day. A great deal of information about you as a user and your background can be obtained from the information an iOS device leaks as a result of this improper profile management.

Functionalities

When the iOS system detects a Bluetooth signal, the user can choose which device to connect to.

The speaker that appears in Bluetooth discovery advertises the A2DP profile, the profile used to play audio over a Bluetooth connection. When the user taps it, pairing completes without a PIN on Bluetooth 2.1 or later.

After a few seconds, the Bluetooth speaker may additionally expose, for example, its PBAP profile. When this happens, iOS activates the new profile without notifying the user.

This is the weakness, or rather the extra accessibility setting, in iOS to be aware of: when the profile change happens without notification, contact synchronisation is enabled by default, giving the paired device access to the contacts. In other words, DirtyTooth is a trick, or hack, that exploits this accessibility setting.

The provided tool can start or stop a Bluetooth agent that waits for a device to pair with it. The agent does not ask for any kind of PIN or token to complete the pairing, since it is a Bluetooth 4.0 implementation (the Raspberry Pi 3 case), which maximises simplicity for the user.

Once an iOS device has paired and connected, the DirtyTooth script is called automatically; it is responsible for collecting the phonebook and call history and storing them in the /root/dirtytooth directory.

No further interaction is required; it simply works automatically.

Innovation Technologies

Recover Popcorn

This tool recovers the password needed to decrypt files encrypted by the first version of the PopCorn ransomware, which appeared at the end of 2016.

DirtyTooth for Raspberry Pi

This tool is a software implementation of the DirtyTooth Speaker, packaged as a .deb for Raspberry Pi.

Wannacry File Restorer

Wannacry File Restorer recovers files that were left part-way through the Wannacry malware's encryption process on a computer. Thanks to this PoC, those files can be recovered.