-
Network Message Field Type Classification and Recognition for Unknown Binary Protocols
Authors:
Stephan Kleber,
Milan Stute,
Matthias Hollick,
Frank Kargl
Abstract:
Reverse engineering of unknown network protocols based on recorded traffic traces enables security analyses and debugging of undocumented network services. In particular for binary protocols, existing approaches (1) lack comprehensive methods to classify or determine the data type of a discovered segment in a message, e.g., a number, timestamp, or network address, that would allow for a semantic interpretation and (2) have strong assumptions that prevent analysis of lower-layer protocols often found in IoT or mobile systems. In this paper, we propose the first generic method for analyzing unknown messages from binary protocols to reveal the data types in message fields. To this end, we split messages into segments of bytes and use their vector interpretation to calculate similarities. These can be used to create clusters of segments with the same type and, moreover, to recognize specific data types based on the clusters' characteristics. Our extensive evaluation shows that our method provides precise classification in most cases and a data-type-recognition precision of up to 100% at reasonable recall, improving the state-of-the-art by a factor between 1.3 and 3.7 in realistic scenarios. We open-source our implementation to facilitate follow-up works.
Submitted 7 November, 2022;
originally announced January 2023.
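The segment-clustering idea in the abstract above, as an added illustration that is not the authors' code (their open-sourced implementation is not reproduced here): messages of a constructed toy format are cut into fixed 4-byte segments (the paper infers segment boundaries; this example assumes them), each segment is read as a vector of byte values, Canberra distance (an assumption, the abstract only says "similarities") links segments below a threshold into single-linkage clusters, and a few hand-written heuristics label each cluster from its characteristics. `build_messages`, `SEG_LEN`, `THRESHOLD`, the epoch window and the recognition rules are all this example's own assumptions.

```python
"""Toy segment clustering for unknown binary messages (added illustration,
not the paper's method): fixed-width segmentation, Canberra distance on byte
vectors, single-linkage clustering, and simple cluster-characteristic rules."""
import itertools
import struct
from collections import defaultdict

SEG_LEN = 4        # assumption: fixed 4-byte segments (the paper infers boundaries)
THRESHOLD = 0.5    # assumption: two segments closer than this are linked

# Assumption: a big-endian uint32 between 2000-01-01 and 2040-01-01 (Unix
# seconds) is a plausible timestamp.
EPOCH_LO, EPOCH_HI = 946_684_800, 2_208_988_800


def build_messages(n=8):
    """Constructed sample traffic (not a real protocol):
    <timestamp BE32> <IPv4 source> <sequence counter BE32> <constant magic>."""
    base_ts = 1_667_822_400
    return [
        struct.pack(">I", base_ts + 20 * i)          # timestamp, 20 s apart
        + bytes([10, 0, 0, (5, 9, 12)[i % 3]])        # one of three hosts in 10.0.0.0/24
        + struct.pack(">I", 100 + i)                  # counter incrementing by one
        + b"\xde\xad\xbe\xef"                         # constant magic
        for i in range(n)
    ]


def segment(messages):
    """Split each message into fixed-width segments tagged (msg index, offset, bytes)."""
    return [
        (m, off, msg[off:off + SEG_LEN])
        for m, msg in enumerate(messages)
        for off in range(0, len(msg) - SEG_LEN + 1, SEG_LEN)
    ]


def canberra(a, b):
    """Canberra distance between two byte vectors; a 0/0 term contributes 0."""
    return sum(abs(x - y) / (x + y) for x, y in zip(a, b) if x + y)


def cluster(segments, threshold=THRESHOLD):
    """Single-linkage clustering via union-find: any pair closer than the
    threshold joins the same cluster, so similar segments chain together."""
    parent = list(range(len(segments)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in itertools.combinations(range(len(segments)), 2):
        if canberra(segments[i][2], segments[j][2]) < threshold:
            parent[find(i)] = find(j)

    groups = defaultdict(list)
    for i, seg in enumerate(segments):
        groups[find(i)].append(seg)
    return [sorted(g) for g in groups.values()]   # each group ordered by message index


def is_rfc1918(b):
    """True if the 4 bytes form a private IPv4 address (toy address heuristic)."""
    return b[0] == 10 or (b[0] == 172 and 16 <= b[1] <= 31) or b[:2] == b"\xc0\xa8"


def recognize(group):
    """Label a cluster from its characteristics. These rules are illustrative
    assumptions; the check order matters (a counter also looks address-like)."""
    values = [int.from_bytes(s[2], "big") for s in group]
    if len(set(values)) == 1:
        return "constant"
    steps = [b - a for a, b in zip(values, values[1:])]
    if all(s == 1 for s in steps):
        return "counter"
    if all(EPOCH_LO <= v < EPOCH_HI for v in values) and all(s >= 0 for s in steps):
        return "timestamp"
    if all(is_rfc1918(s[2]) for s in group):
        return "ipv4"
    return "unknown"


def classify(messages):
    """Return {segment offset: label} for the clusters found in the messages."""
    return {g[0][1]: recognize(g) for g in cluster(segment(messages))}


if __name__ == "__main__":
    print(classify(build_messages()))
```

With the constructed traffic the four field positions end up in four clusters labelled timestamp, ipv4, counter and constant. The distance and the rules are deliberately simple: under this Canberra threshold, addresses drawn from two different /8 ranges would fall into separate clusters, and a counter is told apart from an address only by the rule order, which is the kind of ambiguity a real type-recognition step has to resolve.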
-
Who Can Find My Devices? Security and Privacy of Apple's Crowd-Sourced Bluetooth Location Tracking System
Authors:
Alexander Heinrich,
Milan Stute,
Tim Kornhuber,
Matthias Hollick
Abstract:
Overnight, Apple has turned its hundreds-of-million-device ecosystem into the world's largest crowd-sourced location tracking network called offline finding (OF). OF leverages online finder devices to detect the presence of missing offline devices using Bluetooth and report an approximate location back to the owner via the Internet. While OF is not the first system of its kind, it is the first to commit to strong privacy goals. In particular, OF aims to ensure finder anonymity, untrackability of owner devices, and confidentiality of location reports. This paper presents the first comprehensive security and privacy analysis of OF. To this end, we recover the specifications of the closed-source OF protocols by means of reverse engineering. We experimentally show that unauthorized access to the location reports allows for accurate device tracking and retrieving a user's top locations with an error in the order of 10 meters in urban areas. While we find that OF's design achieves its privacy goals, we discover two distinct design and implementation flaws that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, which could deanonymize users. Apple has partially addressed the issues following our responsible disclosure. Finally, we make our research artifacts publicly available.
Submitted 3 March, 2021;
originally announced March 2021.
-
DEMO: BTLEmap: Nmap for Bluetooth Low Energy
Authors:
Alexander Heinrich,
Milan Stute,
Matthias Hollick
Abstract:
The market for Bluetooth Low Energy devices is booming and, at the same time, has become an attractive target for adversaries. To improve BLE security at large, we present BTLEmap, an auditing application for BLE environments. BTLEmap is inspired by network discovery and security auditing tools such as Nmap for IP-based networks. It allows for device enumeration, GATT service discovery, and device fingerprinting. It goes even further by integrating a BLE advertisement dissector, data exporter, and a user-friendly UI, including a proximity view. BTLEmap currently runs on iOS and macOS using Apple's CoreBluetooth API but also accepts alternative data inputs such as a Raspberry Pi to overcome the restricted vendor API. The open-source project is under active development and will provide more advanced capabilities such as long-term device tracking (in spite of MAC address randomization) in the future.
Submitted 1 July, 2020;
originally announced July 2020.
-
Empirical Insights for Designing Information and Communication Technology for International Disaster Response
Authors:
Milan Stute,
Max Maass,
Tom Schons,
Marc-André Kaufhold,
Christian Reuter,
Matthias Hollick
Abstract:
Due to the increase in natural disasters in the past years, Disaster Response Organizations (DROs) are faced with the challenge of coping with more and larger operations. Currently appointed Information and Communications Technology (ICT) used for coordination and communication is sometimes outdated and does not scale, while novel technologies have the potential to greatly improve disaster response efficiency. To allow adoption of these novel technologies, ICT system designers have to take into account the particular needs of DROs and characteristics of International Disaster Response (IDR). This work attempts to bring the humanitarian and ICT communities closer together. In this work, we analyze IDR-related documents and conduct expert interviews. Using open coding, we extract empirical insights and translate the peculiarities of DRO coordination and operation into tangible ICT design requirements. This information is based on interviews with active IDR staff as well as DRO guidelines and reports. Ultimately, the goal of this paper is to serve as a reference for future ICT research endeavors to support and increase the efficiency of IDR operations.
Submitted 11 May, 2020;
originally announced May 2020.
-
Demo: Linux Goes Apple Picking: Cross-Platform Ad hoc Communication with Apple Wireless Direct Link
Authors:
Milan Stute,
David Kreitschmann,
Matthias Hollick
Abstract:
Apple Wireless Direct Link (AWDL) is a proprietary and undocumented wireless ad hoc protocol that Apple introduced around 2014 and which is the base for applications such as AirDrop and AirPlay. We have reverse engineered the protocol and explain its frame format and operation in our MobiCom '18 paper "One Billion Apples' Secret Sauce: Recipe of the Apple Wireless Direct Link Ad hoc Protocol." AWDL builds on the IEEE 802.11 standard and implements election, synchronization, and channel hopping mechanisms on top of it. Furthermore, AWDL features an IPv6-based data path which enables direct communication. To validate our own work, we implement a working prototype of AWDL on Linux-based systems. Our implementation is written in C, runs in userspace, and makes use of Linux's Netlink API for interactions with the system's networking stack and the pcap library for frame injection and reception. In our demonstrator, we show how our Linux system synchronizes to an existing AWDL cluster or takes over the master role itself. Furthermore, it can receive data frames from and send them to a MacBook or iPhone via AWDL. We demonstrate the data exchange via ICMPv6 echo request and replies as well as sending and receiving data over a TCP connection.
Submitted 17 December, 2018;
originally announced December 2018.
-
One Billion Apples' Secret Sauce: Recipe for the Apple Wireless Direct Link Ad hoc Protocol
Authors:
Milan Stute,
David Kreitschmann,
Matthias Hollick
Abstract:
Apple Wireless Direct Link (AWDL) is a proprietary and undocumented IEEE 802.11-based ad hoc protocol. Apple first introduced AWDL around 2014 and has since integrated it into its entire product line, including iPhone and Mac. While we have found that AWDL drives popular applications such as AirPlay and AirDrop on more than one billion end-user devices, neither the protocol itself nor potential security and Wi-Fi coexistence issues have been studied. In this paper, we present the operation of the protocol as the result of binary and runtime analysis. In short, each AWDL node announces a sequence of Availability Windows (AWs) indicating its readiness to communicate with other AWDL nodes. An elected master node synchronizes these sequences. Outside the AWs, nodes can tune their Wi-Fi radio to a different channel to communicate with an access point, or could turn it off to save energy. Based on our analysis, we conduct experiments to study the master election process, synchronization accuracy, channel hopping dynamics, and achievable throughput. We conduct a preliminary security assessment and publish an open source Wireshark dissector for AWDL to nourish future work.
Submitted 9 August, 2018;
originally announced August 2018.
-
Reverse Engineering Human Mobility in Large-scale Natural Disasters
Authors:
Milan Stute,
Max Maass,
Tom Schons,
Matthias Hollick
Abstract:
Delay/Disruption-Tolerant Networks (DTNs) have been around for more than a decade and have especially been proposed to be used in scenarios where communication infrastructure is unavailable. In such scenarios, DTNs can offer a best-effort communication service by exploiting user mobility. Natural disasters are an important application scenario for DTNs when the cellular network is destroyed by natural forces. To assess the performance of such networks before deployment, we require appropriate knowledge of human mobility.
In this paper, we address this problem by designing, implementing, and evaluating a novel mobility model for large-scale natural disasters. Due to the lack of GPS traces, we reverse-engineer human mobility of past natural disasters (focusing on 2010 Haiti earthquake and 2013 Typhoon Haiyan) by leveraging knowledge of 126 experts from 71 Disaster Response Organizations (DROs). By means of simulation-based experiments, we compare and contrast our mobility model to other well-known models, and evaluate their impact on DTN performance. Finally, we make our source code available to the public.
Submitted 21 September, 2017; v1 submitted 7 August, 2017;
originally announced August 2017.