iPhone Bluetooth Traffic Leaks Phone Numbers -- in Certain Scenarios (zdnet.com) 51
Security researchers say they can extract a user's phone number from the Bluetooth traffic coming from an iPhone smartphone during certain operations. From a report: The attack works because, when Bluetooth is enabled on an Apple device, the device sends BLE (Bluetooth Low Energy) packets in all directions, broadcasting the device's position and various details. This behavior is part of the Apple Wireless Direct Link (AWDL), a protocol that can work either via WiFi or BLE to interconnect and allow data transfers between nearby devices. Previous academic research has revealed that AWDL BLE traffic contains device identification details such as the phone status, Wi-Fi status, OS version, buffer availability, and others. However, in new research published last week, security researchers from Hexway said that during certain operations these BLE packets can also contain a SHA256 hash of the device's phone number.
Hash or phone# (Score:3)
Which is it? Does it leak a cryptographically-secure hash of some not-so-private data, or does it leak the device's phone number?
Re:Hash or phone# (Score:4, Funny)
Next up, HTTPS leaks encrypted web traffic.
You mean other people can read Slashdot? (Score:1)
I demand my rights! It's mine, all mine.
Re: (Score:1)
Not sure, but it wouldn't really be difficult to have a table of prehashed values for every possible phone number. Phone number is a pretty small search space and thus hashing doesn't really provide a lot of protection if the attacker knows that it is a phone number that is hashed
Re: (Score:2)
SHA256 always produces a large hash, you're still looking at a 256-bit number. Also, phone numbers come in all sorts of variations +1 212 555 0002 or (212) 555 0002 or 212-555-0002 and that's only for US. Apple sends whatever version is in your address book, not formatted in a specific format (although you can make an educated guess) .
Re: (Score:2)
Re: (Score:1)
I think you misunderstood, or you're really stupid. Just because it outputs a large/long hash, doesn't mean you can't brute force all possibilities if your unique inputs are only a few hundred thousand combinations.
Re: (Score:2)
A fucking SHA265 hash? (Score:2)
It MIGHT leak a SHA256 hash of the user's phone number. Quiiiiiite a bit different than what the headline would have you believe. What the fuck has happened to journalism...
Re: (Score:1)
Re: (Score:2)
Shit, are you saying they're making more moron editors?
Re: (Score:2)
From TFA
It sounds like the hash is generated the same way every time, allowing the
Not exactly the phone number (Score:2)
The first 3 bytes of a 32-byte hash is not quite the same thing as "leaking the phone number". It's leaking information that narrows down the phone number to a set of possible phone numbers, and maybe you can figure out what the actual phone number is using some contextual information like probably area codes.
Re: (Score:2)
It's leaking information that narrows down the phone number to a set of possible phone numbers
That is not how cryptographic hashes work.
Re: (Score:2)
It is if it's two devices with the same list of phone numbers that are trying to tell each other which number to use in their list.
Re: (Score:2)
Yes, it is how partial cryptographic hashes of unsalted constrained input works. If you constrain the potential dataset to North American telephone numbers, you only need to compute around 10 billion hashes, which is a fast real-time operation. It takes a GTX 1080 slightly more than three seconds to calculate 10 billion SHA-256 hashes. Since you only have the first 24-bits of the 256-bit hash (per TFA), that will give you a set of possible telephone numbers. If you have some additional context (such as "the
Re: (Score:2)
If you're in BLE range of a person, just snap a picture and use Facebook Graph Search to find the person, their friends and thus likely contacts. You could also just use a GSM/CDMA sniffer to not just sniff out the phone number but the entire conversation.
Cell phones leak information about us all the time, the question is how important is the information vs the convenience of having a cell phone.
Re: (Score:1)
It's leaking information that narrows down the phone number to a set of possible phone numbers
That is not how cryptographic hashes work.
Except that it is precisely how cryptographic hashes work. If you don't believe it, I invite you to play a game. Choose a random phone number in the 213 area code, give me the first 6 hex digits of the sha256 hash, and I will reply with a list of around 1-3 possible phone numbers (with a very rare worst case of 8 possibilities.)
Here is an example Linux command line that you can use to get the hash:
$ echo -n +12138675309 | sha256sum | cut -c 1-6
4b7da2
This is an example of a known plaintext attack. Knowing
Err, extract data from SHA256? (Score:2)
security researchers from Hexway said that during certain operations these BLE packets can also contain a SHA256 hash of the device's phone number.
Since when has SHA256 been broken? Why hasn't anyone told me?
Re: (Score:2)
A GTX 1080 can compute nearly 3 billion hashes per second, so you can basically do the search in realtime with a decent GPU.
Re: (Score:2)
Two words: Rainbow Tables
Re: (Score:2)
Any unsalted cryptographic hash is effectively broken if you have a very limited set of possible inputs. GPUs can calculate billions of hashes per second, and there are only so many valid telephone numbers in the world to check.
Re: (Score:2)
Unless it's a telemarketer, then you get 20-digit phone numbers or even 2 digit phone numbers. Likewise, your address book could contain the phone numbers without area code or in different formats with country codes. The space is virtually endless and having certainty in court about it is an entirely different thing.
Re: (Score:2)
Apple is special (Score:2)