Friendly advice from Red Balloon Security: Just pay the extra $2
Recently, we wanted to use some wired headphones with an iPhone, which sadly lacks a headphone jack. The nearest deli offered a solution: a Lightning-to-headphone jack adapter for only $7. Got to love your local New York City bodega.ย
ย
But a wrinkle appeared: Plugging in the adapter made the phone pop up a dialog to pair with a BeatsX device, which changed to โBaetsโ once a Bluetooth connection was established. Shouldnโt this thing be a simple digital-to-analog converter? Why is Bluetooth involved? What makes the iPhone think itโs from Beats? That’s too many questions to ignore: We had to dig into this unexpected embedded device.
ย ย
And here’s the short-take of our analysis: Beware the transposed vowels. โBaetsโ is not what it would want you to believe it is.ย
Once connected, the headphones work as if directly plugged into the phone. But we found that Bluetooth must remain on to keep listening, and the phone insists it is connected to a Bluetooth device, called โBaets.โ We also noticed the phoneโs battery draining much faster than usual.
ย
This mysterious behavior piqued our interest. Red Balloon specializes in embedded security and reverse engineering, so interest gave way to action. We promptly bought a dozen more of the same adapter model to tear down and study.
The first thing we noted is none of these adapters had the Apple Made for iPhone/iPad (MFi) chip youโll find in genuine, approved accessories and cables. Apple licenses that chip to control who is allowed to produce Lightning devices. Instead, each of these knock-off adapters draws power from the Apple device to power its own Bluetooth module. The module then broadcasts that it is ready to pair with the Apple device, though in fact any nearby device can now pair with it and play audio.ย
ย
Presumably, using Bluetooth is cheaper than licensing Appleโs chip, which is why the knockoffs costs $2 less than the genuine Apple version.
ย
This initial finding fueled two research objectives: 1) To discover how the adapter convinced the Apple device to power the module; and 2) to discover how the adapter displayed the pop-up window.
We encountered three different hardware configurationsย on these devices; they appear to have many similarities, but it’s unclear if the same manufacturer makes them. One of the variations does not work: It doesn’t appear to power up, generates no pop-ups, and has no Bluetooth Classic connection. But this variation successfully draws power from the Apple device, so the failure is likely in the circuit or Bluetooth chip.ย
ย
Overall, the hardware is not very complex and lacks components seen in a genuine adapter, including protection circuitry.
ย
First working counterfeit: Lightning to headphone jack
Second working counterfeit: Lightning to headphone jack
Third counterfeit: Lightning toย headphone jack (non-functional, not working)
ย
Legitimate Apple adapter. Credit: iFixit
One side of the PCB is the Bluetooth chip and antenna on the active adapters. On the other side is a crystal oscillator clock, which connects to the Bluetooth chip. The chip connects to the accessory power (ACC_PWR) pin of the Lightning connector but does not automatically receive power. The final chip negotiates with the Apple device to draw power through the Lightning port. This negotiation chip is vital to enabling power for the Bluetooth module.ย
ย
Lightning Connector pinout according to patent filing:
https://web.archive.org/web/20190801205452/http://ramtin-amin.fr/tristar.htmlย
ย
In Lightning connectors, the pins on each side of the connector do not mirror each other, so the control chip must identify the orientation of the connector before proceeding. In addition, the Lightning connector has a dynamic pinout controlled by the Lightning port control chip in the Apple device, which negotiates with a security chip in the cable. (Nyan Satanโs research into the Lightning port provides a good baseline for understanding the communication between any accessory and the Apple device.)
ย
The female Lightning port control chip is codenamed Hydra (this is a newer version that replaced the chip codenamed Tristar), and has the label CBTL1614A1 on the iPhone 12, according to a teardown by iFixit, which identifies it as a multiplexer. Apple guards details on these chips, but some data sheets have leaked in the past, revealing some expected functions. HiFive is the codename of the security chip in the cable, labeled as SN2025 or BQ2025 in male connectors. These chips are only available to MFi-certified manufacturers, but Apple only knows the internal behavior to prevent counterfeits. We will focus on the HiFive chip, since we found replica versions in our Baets adapters.
ย
The HiFive chip identifies the cable and negotiates for power through the Texas Instruments SDQ protocol, where Apple’s specific implementation is referred to as IDBUS. Our research utilized the SDQAnalyzer plugin for the Saleae Logic Analyzer. The negotiations include identifying information from the accessory and the Apple device. Still, every individual accessory contains unique information that makes it difficult to reverse engineer and counterfeit without being detected.
ย
Replicating the communication of a single, legitimate Apple accessory is enough to draw power. This means that every knockoff chip from the same model identifies itself as the same individual accessory or cable to the Apple device (with the same serial number or unique data as the single cloned cable’s HiFive chip). As a result, an iOS update can block this handshake and break all the devices using the same knockoff chip that shares a single serial number. This may explain why some cheap charging cables and accessories mysteriously stop working or produce error/unlicensed warnings when plugged in. The owner of the legitimate cloned cable may also be out of luck, but the impact would be limited to that individual.
In 2016, electronupdate decapped an earlier version of these third-party chips and revealed a much simpler die than you’ll find in the legitimate TI BQ2025 chip used in authentic lightning cables.
ย
Decapped third-party chip
http://electronupdate.blogspot.com/2016/09/3rd-party-apple-lightning.htmlย
ย
Authentic TI BQ2025 chip decapped
Credit: 9to5mac.com
Many chips advertise the ability to negotiate power through the Lightning port. Knockoff manufacturers continue to create many variations as old versions stop working. One of our Baets devices uses an unknown chip labeled “24..” The others use the MT821B and 821B, which all share the same accessory serial number. Online posts referencingย other variations of uncertified power negotiating chips include the CY262, AD139, and ASB260, to name a few. It’s unknown if any of these chips or adapters come from the same manufacturers.
ย
Each chip receives the 2.65V signal from the ACC_ID line and outputs 1.9V to one of the data lines.
ย
Removing the constant high signal from the data line does not affect the negotiation but is necessary for keeping power to the device when the screen is off. Setting the data line consistently high at 1.9V turns on the screen. Some of our adapters do not support sending over the data line in both orientations, so the Bluetooth module turns off when the Apple device stops supplying power when it turns its screen off.
Communication is half-duplex bidirectional, using the SDQ protocol. Like the 1-Wire protocol, the host and adapter communicate over the ACC_ID line only. The female Lightning port repeatedly sends requests for connected accessories to identify themselves. It alternates the pins of the request to determine the accessory orientation.
ย
After receiving the request, the chip must first identify itself with the Hydra chip. In this proprietary protocol, if the first byte is even, it is a request, and the request ID + 1 is the response code. The initial request for identification has ID 0x74 and the response is Request ID + 1 (0x75). Not all the types of requests are known, but a list of known commands has been created by @spbdimka.
ย
Incomplete List of IDBUS Request Types
https://twitter.com/spbdimka/status/1118597972760125440ย
ย
We observed many of these codes during our investigation. Others are not listed explicitly by @spbdimka, but can be inferred since each response is just an incremented code of the request. The encoding of the data is unknown, but we can get a general idea of the process necessary to request power from the device. The adapter responds to these requests with incremented response codes, as expected. The negotiation from that adapter is shown below:
After the 0x76 request receives a response, the ACC_PWR line goes high at either 3.3V or 4.1V. If output is 4.1V, then it will eventually correct down to 3.3V.ย
This powers on the Bluetooth module, which will result in the pop-up window appearing on the device, prompting the user to connect. The ID of the adapter that is responding is 0x11F000000000. While it matches the same pattern of other accessories and cables, it does not match authentic Lightning to headphone jack adapters that have ID 0x04F100000000. The Baets adapters do not use the legitimate identifier, likely due to the fact that legitimate adapters directly convert audio signals and need more functionality than the knock-off versions, which only need to draw 3.3V from the accessory power line.
The Module and Accessory Serial Numbers are sent in plain ASCII format, but it is unknown if they correspond to the same accessory. The messages include additional information for an unknown purpose.
The last two commands are the Apple Deviceโs Model Number and Software Version in ASCII with the following format:
Changing the device and the iOS version we used to test resulted in different values for the Model Number and Software Version, as would be expected.
Other research, including Handoff All Your Privacy and Discontinued Privacy, has highlighted Appleโs use of Bluetooth Low Energy (BLE) to enable Continuity features such as AirDrop, AirPrint, and Handoff. It is also used for Proximity Pairing with AirPods and other Bluetooth headphones made by Apple. We found that it was possible to duplicate the behavior to show the prompt on any nearby Apple devices. Pressing โConnectโ will pair with a Bluetooth device of our choosing while itโs posing as any model of Apple wireless headphones.
Pop-Up Window to connect AirPods
When Bluetooth is on, Apple devices send and receive BLE messages in the background. New research from the Technical University of Darmstadt in Germany highlights that these BLE advertisements continue when iPhones are turned off. These messages are receivable by any nearby BLE devices, even if they are intended for communication with paired devices. iPhones and iPads are the most active, constantly advertising their status, including whether they are locked, unlocked, driving, playing music, watching a video, and making or receiving a call. Bluetooth headphones (e.g., AirPods, Beats) also advertise their status and battery level. Apple Watches use BLE to communicate their connectivity to a paired iPhone.
There is a lot of other data that Apple devices are freely advertising over the air using BLE. The BLE advertising packets are well documented and used by many popular devices and phones similar to the Apple Continuity protocols. Appleโs format is known from prior research:
Structure of a BLE advertisement packetย
Celosia, G., & Cunche, M. (2020)
The Manufacturer Specific Data includes the length of the data, the Apple company identifier (0x004C), and then the Continuity Message that is different for each respective Continuity protocol. We focused on the Continuity Message for the Proximity Pairing feature for this research. It has been previously documented as having only this format:
Proximity Pairing (AirPods)
Celosia, G., & Cunche, M. (2020)
ย
However, when another device receives this advertisement from very close range, it recognizes that it is near someone elseโs AirPods and alerts the user.
We found that an additional format is implemented for headphones ready to pair with a new device. The different setting is denoted by setting the third byte to 0x00. This format is shown below with an example of data we observed from the adapters:
Advertising data from Baets Adapter:
The Bluetooth Address specifies the address of any device to pair with using Bluetooth Classic. This does not have to be the adapter itself. Once paired, the adapter will stop broadcasting over BLE and maintain the Bluetooth Classic connection. The device model specifies which image and name appear on the connect screen. All the adapters we investigated used the device model 0x0520 to appear as BeatsX earphones. Other possible device models were checked using scripts modified from Hexwayโs Apple BLEEE project, resulting in the following, likely incomplete list:
We only tested these ranges of codes, so there are likely other possible values. Any unknown device model results in a screen prompting the device to check for a software update. There is an option to check for updates or setup.ย
ย โSet up with limited functionality.โ
with unknown device model, where โRingRingโ is a cell phone
(not headphones)
Changing the unknown field does affect whether the dialog will pop up at all, if it will pop up and disappear immediately, or if it stays on the screen as normal. In addition, some values will not result in a pop-up window appearing, depending on the device model advertised. The real purpose of this field is unknown and requires further testing.
Typically, if the pop-up window is closed, then another will not appear until the user turns their screen off and on again. However, if the unique tag field is changed randomly, the pop-up will occur about every 5 seconds after the user closes the previous window. This effectively prevents nearby users from using their devices because they must constantly close these windows. Other purposes for this field may exist but are not known at this time.
The Bluetooth modules found in the adapters implement the Proximity Pairing format for advertising through BLE. These modules are meant to replicate Appleโs W1 or H1 Bluetooth chip that is used in their Bluetooth headphones. The manufacturers of these counterfeit chips advertise the functionality for use in cheap Bluetooth headphones to make the pairing process more seamless. These chips can also use the Proximity Pairing packet format to advise the iPhone of the headphonesโ battery level.
ย
Promotional presentation/document for YC1168 Bluetooth chip
with pop-up window functionality.
Source: https://zhuanlan.zhihu.com/p/111406089ย
ย
As a result, these chips are becoming widely used in fake AirPods or Beats headphones, making it more difficult to identify counterfeits. In order to verify legitimate headphones, the user must either check the serial number directly with Apple or recognize the differences in quality, which may be difficult without prior experience. Our bodega Baets adapters came in boxes that looked nearly identical to the Apple version, but without the Apple logo.
The use of chips to negotiate drawing power from the device presents a number of risks. Allowing unlicensed devices to connect directly to the hardware presents some threats to Appleโs business model, but even more importantly to the consumer, as it may cause damage to the Apple device. There is no protection circuitry in the adapter that protects the Apple device if the adapter somehow sends too much voltage or current back through the Lightning port. We have observed quick battery drain, but these adapters may also damage the Apple device, which has been shown to happen when using unlicensed charging cables.
ย
The ability to make a window pop-up on the device to connect to an unknown device is also a risk. Some Bluetooth devices, like the AirPods Pro, have the capability of using Siri and can then read and send messages, make and receive calls, read contacts, and have other functions that present a security risk. You would not want to let an arbitrary Bluetooth device belonging to someone else access your text messages.
ย
Dialogue shown after connecting Bluetooth device disguised as AirPods Pro
ย
The only way to turn off Proximity Pairing and prevent these dialogs is to turn off Bluetooth entirely. Once the dialog appears, the only way to close it is to press the small โXโ button. Clicking around the dialog does not get rid of the pop-up window. During testing, if the Apple device tries connecting to the Bluetooth address of headphones that are connected to another device, it will disconnect them. This makes it possible to create a string of events that would make an attack more likely to succeed.ย
ย
So, if you see an endless stream of random pairing requests on your Apple device, now you know your sole option:
Turn off Bluetooth and keep it off.ย
– By Jared Gonzales and Joel Cretan
Want to learn how the hardware around you works? Come work with us!ย
Shoutout to RBS alum Trey Keown for the title of this blog post.
To learn more about Red Balloon Security‘s offers, visit ourย Products page or contact us: [email protected]
Friendly advice from Red Balloon Security: Just pay the extra $2
Recently, we wanted to use some wired headphones with an iPhone, which sadly lacks a headphone jack. The nearest deli offered a solution: a Lightning-to-headphone jack adapter for only $7. Got to love your local New York City bodega.ย
ย
But a wrinkle appeared: Plugging in the adapter made the phone pop up a dialog to pair with a BeatsX device, which changed to โBaetsโ once a Bluetooth connection was established. Shouldnโt this thing be a simple digital-to-analog converter? Why is Bluetooth involved? What makes the iPhone think itโs from Beats? That’s too many questions to ignore: We had to dig into this unexpected embedded device.
ย ย
And here’s the short-take of our analysis: Beware the transposed vowels. โBaetsโ is not what it would want you to believe it is.ย
Once connected, the headphones work as if directly plugged into the phone. But we found that Bluetooth must remain on to keep listening, and the phone insists it is connected to a Bluetooth device, called โBaets.โ We also noticed the phoneโs battery draining much faster than usual.
ย
This mysterious behavior piqued our interest. Red Balloon specializes in embedded security and reverse engineering, so interest gave way to action. We promptly bought a dozen more of the same adapter model to tear down and study.
The first thing we noted is none of these adapters has the Apple Made for iPhone/iPad (MFi) chip youโll find in genuine, approved accessories and cables; Apple licenses that chip to control who is allowed to produce Lightning devices.
ย
Instead, each of these knock-off adapters draws power from the Apple device to power its own Bluetooth module. This module then broadcasts that it is ready to pair with the Apple device, though in fact any nearby device can now pair with it and play audio.ย
Presumably, using Bluetooth is cheaper than licensing Appleโs chip, which is why the knockoffs costs $2 less than the genuine Apple version.
ย
This initial finding fueled two research objectives: ย To discover how the adapter convinced the Apple device to power the module; and to discover how the adapter displayed the pop-up window.
We encountered three different hardware configurationsย on these devices; they appear to have many similarities, but it’s unclear if the same manufacturer makes them. One of the variations does not work: It doesn’t appear to power up, generates no pop-ups, and has no Bluetooth Classic connection. But this variation successfully draws power from the Apple device, so the failure is likely in the circuit or Bluetooth chip.ย
ย
Overall, the hardware is not very complex and lacks components seen in a genuine adapter, including protection circuitry.
ย
First working counterfeit: Lightning to headphone jack
Second working counterfeit: Lightning to headphone jack
Third counterfeit: Lightning toย headphone jack (non-functional, not working)
ย
Legitimate Apple adapter. Credit: iFixit
One side of the PCB is the Bluetooth chip and antenna on the active adapters. On the other side is a crystal oscillator clock, which connects to the Bluetooth chip. The chip connects to the accessory power (ACC_PWR) pin of the Lightning connector but does not automatically receive power. The final chip negotiates with the Apple device to draw power through the Lightning port. This negotiation chip is vital to enabling power for the Bluetooth module.ย
ย
Lightning Connector pinout according to patent filing:
https://web.archive.org/web/20190801205452/http://ramtin-amin.fr/tristar.htmlย
ย
In Lightning connectors, the pins on each side of the connector do not mirror each other, so the control chip must identify the orientation of the connector before proceeding. In addition, the Lightning connector has a dynamic pinout controlled by the Lightning port control chip in the Apple device, which negotiates with a security chip in the cable. (Nyan Satan’s research into the Lightning port provides a good baseline for understanding the communication between any accessory and the Apple device).
ย
The female Lightning port control chip is codenamed Hydra (this is a newer version that replaced the chip codenamed Tristar), and has the label CBTL1614A1 on the iPhone 12, according to a teardown by iFixit, which identifies it as a multiplexer. Apple guards details on these chips, but some data sheets have leaked in the past, revealing some expected functions. HiFive is the codename of the security chip in the cable, labeled as SN2025 or BQ2025 in male connectors. These chips are only available to MFi-certified manufacturers, but Apple only knows the internal behavior to prevent counterfeits. We will focus on the HiFive chip since we found replica versions in our Baets adapters.
ย
The HiFive chip identifies the cable and negotiates for power through the Texas Instruments SDQ protocol, where Apple’s specific implementation is referred to as IDBUS. Our research utilized the SDQAnalyzer plugin for the Saleae Logic Analyzer. The negotiations include identifying information from the accessory and the Apple device. Still, every individual accessory contains unique information that makes it difficult to reverse engineer and counterfeit without being detected.
ย
Replicating the communication of a single, legitimate Apple accessory is enough to draw power. This means that every knockoff chip from the same model identifies itself as the same individual accessory or cable to the Apple device (with the same serial number or unique data as the single cloned cable’s HiFive chip). As a result, an iOS update can block this handshake and break all the devices using the same knockoff chip that shares a single serial number. This may explain why some cheap charging cables and accessories mysteriously stop working or produce error/unlicensed warnings when plugged in. The owner of the legitimate cloned cable may also be out of luck, but the impact would be limited to that individual.
In 2016, electronupdate decapped an earlier version of these third-party chips and revealed a much simpler die than you’ll find in the legitimate TI BQ2025 chip used in authentic lightning cables.
ย
Decapped third-party chip
http://electronupdate.blogspot.com/2016/09/3rd-party-apple-lightning.htmlย
ย
Authentic TI BQ2025 chip decapped
Credit: 9to5mac.com
Many chips advertise the ability to negotiate power through the Lightning port. Knockoff manufacturers continue to create many variations as old versions stop working. One of our Baets devices uses an unknown chip labeled “24.” The others use the MT821B and 821B, which all share the same accessory serial number. Online posts referencing variations of uncertified power negotiating chips include the CY262, AD139, and ASB260, to name a few. It’s unknown if any of these chips or adapters come from the same manufacturers.
ย
Each chip receives the 2.65V signal from the ACC_ID line and outputs 1.9V to one of the data lines.
ย
Removing the constant high signal from the data line does not affect the negotiation but is necessary for keeping power to the device when the screen is off. Setting the data line consistently high at 1.9V turns on the screen. Some of our adapters do not support sending over the data line in both orientations, so the Bluetooth module turns off when the Apple device stops supplying power when it turns its screen off.
Communication is half-duplex bidirectional, using the SDQ protocol. Like the 1-Wire protocol, the host and adapter communicate over the ACC_ID line only. The female Lightning port repeatedly sends requests for connected accessories to identify themselves. It alternates the pins of the request to determine the accessory orientation.
After receiving the request, the chip must first identify itself with the Hydra chip. In this proprietary protocol, if the first byte is even, it is a request, and the request ID + 1 is the response code. The initial request for identification has ID 0x74 and the response is Request ID + 1 (0x75). Not all the types of requests are known, but a list of known commands has been created by @spbdimka.
ย
Incomplete List of IDBUS Request Types
https://twitter.com/spbdimka/status/1118597972760125440ย
ย
We observed many of these codes during our investigation. Others are not listed explicitly by @spbdimka but can be inferred since each response is just an incremented code of the request. The encoding of the data is unknown, but we can get a general idea of the process necessary to request power from the device. The adapter responds to these requests with incremented response codes, as expected. The negotiation from that adapter is shown below:
Request/Response Type | Request/ Response Code |
Data | CRC8 |
Get ID | 74 | 00 02 | 1F |
Parse Get ID | 75 | 11 F0 00 00 00 00 | D6 |
Get Module State | 72 | ย | 71 |
Parse Module State | 73 | 80 00 C0 00 | 87 |
Get Module State | 70 | 80 00 | 12 |
Parse Module State | 71 | ย | 93 |
Get Interface Info | 76 | ย | 10 |
Get Interface Info | 76 | ย | 10 |
Parse Interface Info | 77 | 01 25 01 80 A0 6A 8D 25 26 66 | 2E |
Get Module Serial | 78 | ย | 0F |
Parse Module Serial | 79 | 44 57 48 32 33 38 37 34 57 32 44 46 35 4C 34 41 39 00 BB 88 | 0E |
Get Accessory Serial | 7A | ย | B3 |
Parse Accessory Serial | 7B | 43 30 38 32 34 32 36 30 4B 37 4C 44 59 37 51 41 51 00 30 00 | CC |
Extract System Info | 84 | 00 00 05 4D 51 44 54 32 | FD |
Extract System Info | 84 | 01 00 06 31 39 45 32 35 38 | 49 |
After the 0x76 request receives a response, the ACC_PWR line goes high at either 3.3V or 4.1V. If output is 4.1V, then it will eventually correct down to 3.3V.ย
This powers on the Bluetooth module, which will result in the pop-up window appearing on the device, prompting the user to connect. The ID of the adapter that is responding is 0x11F000000000. While it matches the same pattern of other accessories and cables, it does not match authentic Lightning to headphone jack adapters that have ID 0x04F100000000. The Baets adapters do not use the legitimate identifier, likely due to the fact that legitimate adapters directly convert audio signals and need more functionality than the knock-off versions, which only need to draw 3.3V from the accessory power line.
The Module and Accessory Serial Numbers are sent in plain ASCII format, but it is unknown if they correspond to the same accessory. The messages include additional information for an unknown purpose.
ย
Command |
Value |
ASCII Representation |
Unknown |
CRC8 |
79 |
44 57 48 32 33 38 37 34 57 32 44 46 35 4C 34 41 39 |
DWH23874W2DF5L4A9 |
00 BB 88 |
0E |
7B |
43 30 38 32 34 32 36 30 4B 37 4C 44 59 37 51 41 51 |
C0824260K7LDY7QAQ |
00 30 00 |
CC |
ย
The last two commands are the Apple Deviceโs Model Number and Software Version in ASCII with the following format:
ย
Command |
Model/Software Version |
Unknown |
Value |
ASCII Representation |
CRC8 |
84 |
00 (Model Number) |
00 05 |
4D 51 44 54 32 |
MQDT2 (iPad) |
FD |
84 |
01 (Software Version) |
00 06 |
31 39 45 32 35 38 |
19E258 (iOS 15.4.1) |
49 |
ย
Changing the device and the iOS version we used to test resulted in different values for the Model Number and Software Version, as would be expected.
Other research, including Handoff All Your Privacy and Discontinued Privacy, has highlighted Appleโs use of Bluetooth Low Energy (BLE)ย to enable Continuity features such as AirDrop, AirPrint, and Handoff. It is also used for Proximity Pairing with AirPods and other Bluetooth headphones made by Apple. We found that it was possible to duplicate the behavior to show the prompt on any nearby Apple devices. Pressing โConnectโ will pair with a Bluetooth device of our choosing while itโs posing as any model of Apple wireless headphones.
ย
Pop-Up Window to connect AirPods
When Bluetooth is on, Apple devices send and receive BLE messages in the background. New research from the Technical University of Darmstadt in Germany highlights that these BLE advertisements continue when iPhones are turned off. These messages are receivable by any nearby BLE devices, even if they are intended for communication with paired devices. iPhones and iPads are the most active, constantly advertising their status, including whether they are locked, unlocked, driving, playing music, watching a video, and making or receiving a call. Bluetooth headphones (e.g., AirPods, Beats) also advertise their status and battery level. Apple Watches use BLE to communicate connectivity to a paired iPhone.
ย
There is a lot of other data that Apple devices are freely advertising over the air using BLE. The BLE advertising packets are well documented and used by many popular devices and phones similar to the Apple Continuity protocols. Appleโs format is known from prior research:
ย
Structure of a BLE advertisement packetย
Celosia, G., & Cunche, M. (2020)
ย
The Manufacturer Specific Data includes the length of the data, the Apple company identifier (0x004C), and then the Continuity Message that is different for each respective Continuity protocol. We focused on the Continuity Message for the Proximity Pairing feature for this research. It has been previously documented as having only this format:
Proximity Pairing (AirPods)
Celosia, G., & Cunche, M. (2020)
ย
However, when another device receives this advertisement from very close range, it recognizes that it is near someone elseโs AirPods and alerts the user.
ย
We found that an additional format is implemented for headphones ready to pair with a new device. The different setting is denoted by setting the third byte to 0x00. This format is shown below with an example of data we observed from the adapters:
ย
0x07 |
Length |
0x00 (Pairing Mode) |
Device Model |
Bluetooth Address |
Unknown |
1 Byte |
1 Byte |
1 Byte |
2 Bytes |
6 Bytes |
1 Byte |
Right Battery |
Left Battery |
Case Battery |
Unique Tag |
Color |
1 Byte |
1 Byte |
1 Byte |
1 Byte |
1 Byte |
Advertising data from Baets Adapter:
ย
0x07 |
0x0F |
0x00 |
0x0520 |
0x414209D43151 |
0x95 |
Proximity Pairing |
Length |
Pairing Mode |
Device Model (BeatsX) |
Bluetooth Address (41:42:09:D4:31:51) |
Unknown |
0x64 |
0x64 |
0x64 |
0x02 |
0x00 |
Right Battery (100%) |
Left Battery (100%) |
Case Battery (100%) |
Unique Tag |
Color (White) |
The Bluetooth Address specifies the address of any device to pair with using Bluetooth Classic. This does not have to be the adapter itself. Once paired, the adapter will stop broadcasting over BLE and maintain the Bluetooth Classic connection. The device model specifies which image and name appear on the connect screen. All the adapters we investigated used the device model 0x0520 to appear as BeatsX earphones. Other possible device models were checked using scripts modified from Hexwayโs Apple BLEEE project, resulting in the following, likely incomplete list:
ย
Hex Value |
Device Model |
0220 |
Airpods |
0320 |
PowerBeats3 |
0520 |
BeatsX |
0620 |
Beats Solo3 |
0920 |
Beats Studio3 |
0A20 |
Airpods Max |
0B20 |
Powerbeats Pro |
0C20 |
Beats Solo Pro |
0D20 |
Powerbeats |
0E20 |
Airpods Pro |
0F20 |
Airpods |
1020 |
Beats Flex |
1120 |
Beats Studio Buds |
We only tested these ranges of codes, so there are likely other possible values. Any unknown device model results in a screen prompting the device to check for a software update. There is an option to check for updates or setup.
ย
ย โSet up with limited functionality.โ
with unknown device model, where โRingRingโ is a cell phone
(not headphones)
ย
Changing the unknown field does affect whether the dialog will pop up at all, if it will pop up and disappear immediately, or if it stays on the screen as normal. In addition, some values will not result in a pop-up window appearing, depending on the device model advertised. The real purpose of this field is unknown and requires further testing.
Typically, if the pop-up window is closed, then another will not appear until the user turns their screen off and on again. However, if the unique tag field is changed randomly, the pop-up will occur about every 5 seconds after the user closes the previous window. This effectively prevents nearby users from using their devices because they must constantly close these windows. Other purposes for this field may exist but are not known at this time.
The Bluetooth modules found in the adapters implement the Proximity Pairing format for advertising through BLE. These modules are meant to replicate Appleโs W1 or H1 Bluetooth chip that is used in their Bluetooth headphones. The manufacturers of these counterfeit chips advertise the functionality for use in cheap Bluetooth headphones to make the pairing process more seamless. These chips can also use the Proximity Pairing packet format to advise the iPhone of the headphonesโ battery level.
Promotional presentation/document for YC1168 Bluetooth chip
with pop-up window functionality.
Source: https://zhuanlan.zhihu.com/p/111406089ย
ย
As a result, these chips are becoming widely used in fake AirPods or Beats headphones, making it more difficult to identify counterfeits. In order to verify legitimate headphones, the user must either check the serial number directly with Apple or recognize the differences in quality, which may be difficult without prior experience. Our bodega Baets adapters came in boxes that looked nearly identical to the Apple version, but without the Apple logo.
The use of chips to negotiate drawing power from the device presents a number of risks. Allowing unlicensed devices to connect directly to the hardware presents some threats to Appleโs business model, but even more importantly to the consumer, as it may cause damage to the Apple device. There is no protection circuitry in the adapter that protects the Apple device if the adapter somehow sends too much voltage or current back through the Lightning port. We have observed quick battery drain, but these adapters may also damage the Apple device, which has been shown to happen when using unlicensed charging cables.
ย
The ability to make a window pop-up on the device to connect to an unknown device is also a risk. Some Bluetooth devices, like the AirPods Pro, have the capability of using Siri and can then read and send messages, make and receive calls, read contacts, and have other functions that present a security risk. You would not want to let an arbitrary Bluetooth device belonging to someone else access your text messages.
ย
Dialogue shown after connecting Bluetooth device disguised as AirPods Pro
ย
The only way to turn off Proximity Pairing and prevent these dialogs is to turn off Bluetooth entirely. Once the dialog appears, the only way to close it is to press the small โXโ button. Clicking around the dialog does not get rid of the pop-up window. During testing, if the Apple device tries connecting to the Bluetooth address of headphones that are connected to another device, it will disconnect them. This makes it possible to create a string of events that would make an attack more likely to succeed.ย
ย
So, if you see an endless stream of random pairing requests on your Apple device, now you know your sole option:
ย
Turn off Bluetooth and keep it off.ย
– By Jared Gonzales and Joel Cretan
Want to learn how the hardware around you works? Come work with us!ย
Shoutout to RBS alum Trey Keown for the title of this blog post.
To learn more about Red Balloon Security‘s offers, visit ourย Products page or contact us: [email protected]
Contact us now to discover more about Red Balloon Security’s range of solutions and services or to arrange a demonstration.
Reach out to learn more about our embedded security offering and to schedule a demo.
Reach out to learn more about our embedded security offering and to schedule a demo.
Reach out to learn more about our embedded security offering and to schedule a demo.
Reach out to learn more about our embedded security offering and to schedule a demo.