Baets by Der

Baets by Der

Friendly advice from Red Balloon Security: Just pay the extra $2

Recently, we wanted to use some wired headphones with an iPhone, which sadly lacks a headphone jack. The nearest deli offered a solution: a Lightning-to-headphone jack adapter for only $7. Got to love your local NYC bodega. 

 

But a wrinkle appeared: Plugging in the adapter made the phone pop up a dialog to pair with a BeatsX device, which changed to “Baets” once a Bluetooth connection was established. Shouldn’t this thing be a simple DAC? Why is Bluetooth involved? What makes the iPhone think it’s from Beats? That’s too many questions to ignore: We had to dig into this unexpected embedded device.
  

And here’s the short-take of our analysis: Beware the transposed vowels: “Baets” is not what it would want you to believe it is. 

Once connected, the headphones work as if directly plugged into the phone. But we found that Bluetooth must remain on to keep listening, and the phone insists it is connected to a Bluetooth device, called “Baets.” We also noticed the phone’s battery draining much faster than usual.
 

This mysterious behavior piqued our interest. Red Balloon specializes in embedded security and reverse engineering, so interest gave way to action. We promptly bought a dozen more of the same adapter model to tear down and study.

Table of Contents

MFi is MIA

The first thing we noted is none of these adapters had  does not have the Apple MFi chip you’ll find in genuine, approved accessories and cables. Apple licenses that chip to control who is allowed to produce Lightning devices. Instead, each of these knock-off this adapters draws power from the Apple device to power its own Bluetooth module. Thesis module then broadcasts that it is ready to pair with the Apple device, though in fact any nearby device can now pair with it and play audio. 

Presumably, using Bluetooth is cheaper than licensing Apple’s chip, which is why the knockoffs costs $2 less than the genuine Apple version.

This initial finding fueled two research objectives: 1) To discover how the adapter convinced the Apple device to power the module; and 2) to discover how the adapter displayed the pop-up window.

How does it receive power?

We encountered three different hardware configurations on these devices; they appear to have many similarities, but it’s unclear if the same manufacturer makes them. One of the variations does not work: It doesn’t appear to power up, generates no pop-ups, and has no Bluetooth Classic connection. But this variation successfully draws power from the Apple device, so the failure is likely in the circuit or Bluetooth chip. 

Overall, the hardware is not very complex and lacks components seen in a genuine adapter, including protection circuitry.


First working counterfeit: Lightning to headphone jack

Second working counterfeit: Lightning to headphone jack

Third counterfeit: Lightning to  headphone jack (non-functional, not working)
 
Legitimate Apple adapter. Credit: iFixit


One side of the PCB is the Bluetooth chip and antenna on the active adapters. On the other side is a crystal oscillator clock, which connects to the Bluetooth chip. The chip connects to the accessory power (ACC_PWR) pin of the Lightning connector but does not automatically receive power. The final chip negotiates with the Apple device to draw power through the Lightning port. This negotiation chip is vital to enabling power for the Bluetooth module. 

Lightning Connector pinout according to patent filing:
https://web.archive.org/web/20190801205452/http://ramtin-amin.fr/tristar.html 

 

In Lightning connectors, the pins on each side of the connector do not mirror each other, so the control chip must identify the orientation of the connector before proceeding. In addition, the Lightning connector has a dynamic pinout controlled by the Lightning port control chip in the Apple device, which negotiates with a security chip in the cable.

(Prior research on the Lightning port has been done by Nyan Satan’s research into the Lightning port provides a good baseline for understanding to better understand the communication between any accessory and the Apple device). 

Tristar or Hydra is the codename of the female Lightning port control chip, with the label CBTL1614A1 on the iPhone 12, according to a teardown by iFixit, which identifies it as a multiplexer. Apple guards details on these chips, but some data sheets have leaked in the past, revealing some expected functions. HiFive is the codename of the security chip in the cable, labeled as SN2025 or BQ2025 in male connectors. These chips are only available to MFi- certified manufacturers, but Apple only knows the internal behavior to prevent counterfeits. We will focus on the HiFive chip since we found replica versions in our Baets adapters.

The HiFive chip identifies the cable and negotiates for power through the Texas Instruments SDQ protocol, where Apple’s specific implementation is referred to as IDBUS. Our research utilized the SDQAnalyzer plugin for the Saleae Logic Analyzer. The negotiations include identifying information from the accessory and the Apple device. Still, every individual accessory contains unique information that makes it difficult to reverse engineer and counterfeit without being detected.

Replicating the communication of a single, legitimate Apple accessory is enough to draw power. This means that every knockoff chip from the same model identifies itself as the same individual accessory or cable to the Apple device (with the same serial number or unique data as the single cloned cable’s HiFive chip). As a result, an iOS update can block this handshake and break all the devices using the same knockoff chip that shares a single serial number. This may explain why some cheap charging cables and accessories mysteriously stop working or produce error/unlicensed warnings when plugged in. The owner of the legitimate cloned cable may also be out of luck, but the impact would be limited to that individual.


In 2016,
electronupdate decapped an earlier version of these third-party chips and revealed a much simpler die than you’ll find in the legitimate TI BQ2025 chip used in authentic lightning cables.

Decapped third-party chip
http://electronupdate.blogspot.com/2016/09/3rd-party-apple-lightning.html 

Authentic TI BQ2025 chip decapped
Credit:
9to5mac.com


Many chips advertise the ability to negotiate power through the Lightning port. Knockoff manufacturers continue to create many variations as old versions stop working. One of our Baets devices uses an unknown chip labeled “24.”. The others use the MT821B and 821B, which all share the same accessory serial number. Online posts referencing reference other variations of uncertified power negotiating chips include the
CY262, AD139, and ASB260, to name a few. It’s unknown if any of these chips or adapters come from the same manufacturers.

Each chip receives the 2.65V signal from the ACC_ID line and outputs 1.9V to one of the data lines.

Removing the constant high signal from the data line does not affect the negotiation but is necessary for keeping power to the device when the screen is off. Setting the data line consistently high at 1.9V turns on the screen. Some of our adapters do not support sending over the data line in both orientations, so the Bluetooth module turns off when the Apple device stops supplying power when it turns its screen off.


Communication is half-duplex bidirectional, using the SDQ protocol. Like the
1-Wire protocol, the host and adapter communicate over the ACC_ID line only. The female Lightning port repeatedly sends requests for connected accessories to identify themselves. It alternates the pins of the request to determine the accessory orientation.

After receiving the request, the chip must first identify itself with the Hydra chip. In this proprietary protocol, if the first byte is even, it is a request, and the request ID + 1 is the response code. The initial request for identification has ID 0x74 and the response is Request ID + 1 (0x75). Not all the types of requests are known, but a list of known commands has been created by @spbdimka.

Incomplete List of IDBUS Request Types
https://twitter.com/spbdimka/status/1118597972760125440 

 

We observed many of these codes during our investigation. Others are not listed explicitly by @spbdimka but can be inferred since each response is just an incremented code of the request. The encoding of the data is unknown, but we can get a general idea of the process necessary to request power from the device. The adapter responds to these requests with incremented response codes, as expected. The negotiation from that adapter is shown below:

After the 0x76 request receives a response, the ACC_PWR line goes high at either 3.3V or 4.1V. If output is 4.1V, then it will eventually correct down to 3.3V. 

This powers on the Bluetooth module, which will result in the pop-up window appearing on the device, prompting the user to connect. The ID of the adapter that is responding is 0x11F000000000. While it matches the same pattern of other accessories and cables, it does not match authentic Lightning to headphone jack adapters that have ID 0x04F100000000. The Baets adapters do not use the legitimate identifier, likely due to the fact that legitimate adapters directly convert audio signals and need more functionality than the knock-off versions, which only need to draw 3.3V from the accessory power line.

The Module and Accessory Serial Numbers are sent in plain ASCII format, but it is unknown if they correspond to the same accessory. The messages include additional information for an unknown purpose.

 

The last two commands are the Apple Device’s Model Number and Software Version in ASCII with the following format

Changing the device and the iOS version we used to test resulted in different values for the Model Number and Software Version, as would be expected.

How does it activate the pop-up window?

Other research, including Handoff All Your Privacy and Discontinued Privacy, has highlighted Apple’s use of Bluetooth Low Energy to enable Continuity features such as AirDrop, AirPrint, and Handoff. It is also used for Proximity Pairing with AirPods and other Bluetooth headphones made by Apple. We found that it was possible to duplicate the behavior to show the prompt on any nearby Apple devices. Pressing ‘Connect’ will pair with a Bluetooth device of our choosing while it’s posing as any model of Apple wireless headphones.

 

Pop-Up Window to connect AirPods


When Bluetooth is on, Apple devices send and receive BLE messages in the background.
New research from the Technical University of Darmstadt in Germany highlights that these BLE advertisements continue when iPhones are turned off. These messages are receivable by any nearby Bluetooth Low Energy devices, even if they are intended for communication with paired devices. iPhones and iPads are the most active, constantly advertising their status, including whether they are locked, unlocked, driving, playing music, watching a video, and making or receiving a call. Bluetooth headphones (e.g., AirPods, Beats) also advertise their status and battery level. Apple Watches use BLE to communicate their connectivity to a paired iPhone.

 

There is a lot of other data that Apple devices are freely advertising over the air using BLE. The BLE advertising packets are well documented and used by many popular devices and phones similar to the Apple Continuity protocols. Apple’s format is known from prior research:

 

Structure of a BLE advertisement packet 

Celosia, G., & Cunche, M. (2020)

 

The Manufacturer Specific Data includes the length of the data, the Apple company identifier (0x004C), and then the Continuity Message that is different for each respective Continuity protocol. We focused on the Continuity Message for the Proximity Pairing feature for this research. It has been previously documented as having only this format:


Proximity Pairing (AirPods)

Celosia, G., & Cunche, M. (2020)

 

However, when another device receives this advertisement from very close range, it recognizes that it is near someone else’s AirPods and alerts the user.

 


We found that an additional format is implemented for headphones ready to pair with a new device. The different setting is denoted by setting the third byte to 0x00. This format is shown below with an example of data we observed from the adapters:

 

0x07

Length

0x00 (Pairing Mode)

Device Model

Bluetooth Address

Unknown

1 Byte

1 Byte

1 Byte

2 Bytes

6 Bytes

1 Byte

Right Battery

Left Battery

Case Battery

Unique Tag

Color

1 Byte

1 Byte

1 Byte

1 Byte

1 Byte


Advertising Data from Baets Adapter:

 

0x07

0x0F

0x00

0x0520

0x414209D43151

0x95

Proximity Pairing

Length

Pairing Mode

Device Model

(BeatsX)

Bluetooth Address

(41:42:09:D4:31:51)

Unknown

0x64

0x64

0x64

0x02

0x00

Right Battery (100%)

Left Battery

(100%)

Case Battery

(100%)

Unique Tag

Color

(White)


The Bluetooth Address specifies the address of any device to pair with using Bluetooth Classic. This does not have to be the adapter itself. Once paired, the adapter will stop broadcasting over BLE and maintain the Bluetooth Classic connection. The device model specifies which image and name appear on the connect screen. All the adapters we investigated used the device model 0x0520 to appear as BeatsX earphones. Other possible device models were checked using scripts modified from
Hexway’s Apple BLEEE project, resulting in the following, likely incomplete list:

 

Hex Value

Device Model

0220

Airpods

0320

PowerBeats3

0520

BeatsX

0620

Beats Solo3

0920

Beats Studio3

0A20

Airpods Max

0B20

Powerbeats Pro

0C20

Beats Solo Pro

0D20

Powerbeats

0E20

Airpods Pro

0F20

Airpods

1020

Beats Flex

1120

Beats Studio Buds


We only tested these ranges of codes, so there are likely other possible values. Any unknown device model results in a screen prompting the device to check for a software update. There is an option to check for updates or setup with limited functionality which connects the same. 




 “Set up with limited functionality.”
with unknown device model, where “RingRing” is a cell phone
(not headphones)

 

Changing the unknown field does affect whether the dialog will pop -up at all, if it will pop -up and disappear immediately, or if it stays on the screen as normal. In addition, some values will not result in a pop-up window appearing, depending on the device model advertised. The real purpose of this field is unknown and requires further testing.


Typically, if the pop-up window is closed, then another will not appear until the user turns their screen off and on again. However, if the unique tag field is changed randomly, the pop-up will occur about every 5 seconds after the user closes the previous window. This effectively prevents nearby users from using their devices because they must constantly close these windows. Other purposes for this field may exist but are not known at this time.

The Bluetooth modules found in the adapters implement the Proximity Pairing format for advertising through BLE. These modules are meant to replicate Apple’s W1 or H1 Bluetooth chip that is used in their Bluetooth headphones. The manufacturers of these counterfeit chips advertise the functionality for use in cheap Bluetooth headphones to make the pairing process more seamless. These chips can also use the Proximity Pairing packet format to advise the iPhone of the headphones’ battery level.

Promotional presentation/document for YC1168 Bluetooth chip
with pop-up window functionality.

Source: https://zhuanlan.zhihu.com/p/111406089 

 

As a result, these chips are becoming widely used in fake AirPods or Beats headphones, making it more difficult to identify counterfeits. In order to verify legitimate headphones, the user must either check the serial number directly with Apple or recognize the differences in quality, which may be difficult without prior experience. Our bodega Baets adapters came in boxes that looked nearly identical to the Apple version, but without the Apple logo.

Summary of Risks

The use of chips to negotiate drawing power from the device presents a number a series of risks. Allowing unlicensed devices to connect directly to the hardware presents some threats to Apple’s business model, but even more importantly to its customersthe consumer, as it may cause damage to the Apple device. There is no protection circuitry in the adapter that protects the Apple device if the adapter somehow sends too much voltage or current back through the Lightning port. We have observed quick battery drain, but these adapters may also damage the Apple device which has been shown to happen when using unlicensed charging cables.

The ability to make a window pop-up on the device to connect to an unknown device is also a risk. Some Bluetooth devices, like the AirPods Pro, have the capability of using Siri and can then read and send messages, make and receive calls, read contacts, and have other functions that present a security risk. You would not want to let an arbitrary Bluetooth device belonging to someone else access your text messages.

Dialogue shown after connecting Bluetooth device disguised as AirPods Pro

 

The only way to turn off Proximity Pairing and prevent these dialogs is to turn off Bluetooth entirely. Once the dialog appears, the only way to close it is to press the small ‘X’ button. Clicking around the dialog does not get rid of the pop-up window. During testing, if the Apple device tries connecting to the Bluetooth address of headphones that are connected to another device, it will disconnect them. This makes it possible to create a string of events that would make an attack more likely to succeed. 

 

So, if you see an endless stream of random pairing requests on your Apple device, now you know your sole option:

Turn off Bluetooth and keep it off. 


– By Jared Gonzales and Joel Cretan

Want to learn how the hardware around you works? Come work with us! 


Shoutout to RBS alum Trey Keown for the title of this blog post.

To learn more about Red Balloon Security‘s offers, visit our Products page or contact us: [email protected]

Friendly advice from Red Balloon Security: Just pay the extra $2

Recently, we wanted to use some wired headphones with an iPhone, which sadly lacks a headphone jack. The nearest deli offered a solution: a Lightning-to-headphone jack adapter for only $7. Got to love your local New York City bodega. 

 

But a wrinkle appeared: Plugging in the adapter made the phone pop up a dialog to pair with a BeatsX device, which changed to “Baets” once a Bluetooth connection was established. Shouldn’t this thing be a simple digital-to-analog converter? Why is Bluetooth involved? What makes the iPhone think it’s from Beats? That’s too many questions to ignore: We had to dig into this unexpected embedded device.

  

And here’s the short-take of our analysis: Beware the transposed vowels. “Baets” is not what it would want you to believe it is. 

Once connected, the headphones work as if directly plugged into the phone. But we found that Bluetooth must remain on to keep listening, and the phone insists it is connected to a Bluetooth device, called “Baets.” We also noticed the phone’s battery draining much faster than usual.
 

This mysterious behavior piqued our interest. Red Balloon specializes in embedded security and reverse engineering, so interest gave way to action. We promptly bought a dozen more of the same adapter model to tear down and study.

Table of Contents

MFi is MIA

The first thing we noted is none of these adapters has the Apple Made for iPhone/iPad (MFi) chip you’ll find in genuine, approved accessories and cables; Apple licenses that chip to control who is allowed to produce Lightning devices.

 

Instead, each of these knock-off adapters draws power from the Apple device to power its own Bluetooth module. This module then broadcasts that it is ready to pair with the Apple device, though in fact any nearby device can now pair with it and play audio. 

Presumably, using Bluetooth is cheaper than licensing Apple’s chip, which is why the knockoffs costs $2 less than the genuine Apple version.

 

This initial finding fueled two research objectives:  To discover how the adapter convinced the Apple device to power the module; and to discover how the adapter displayed the pop-up window.

How does it receive power?

We encountered three different hardware configurations on these devices; they appear to have many similarities, but it’s unclear if the same manufacturer makes them. One of the variations does not work: It doesn’t appear to power up, generates no pop-ups, and has no Bluetooth Classic connection. But this variation successfully draws power from the Apple device, so the failure is likely in the circuit or Bluetooth chip. 

 

Overall, the hardware is not very complex and lacks components seen in a genuine adapter, including protection circuitry.

 


First working counterfeit: Lightning to headphone jack



Second working counterfeit: Lightning to headphone jack



Third counterfeit: Lightning to  headphone jack (non-functional, not working)


 
Legitimate Apple adapter. Credit: iFixit


One side of the PCB is the Bluetooth chip and antenna on the active adapters. On the other side is a crystal oscillator clock, which connects to the Bluetooth chip. The chip connects to the accessory power (ACC_PWR) pin of the Lightning connector but does not automatically receive power. The final chip negotiates with the Apple device to draw power through the Lightning port. This negotiation chip is vital to enabling power for the Bluetooth module. 

 

Lightning Connector pinout according to patent filing:
https://web.archive.org/web/20190801205452/http://ramtin-amin.fr/tristar.html 

 

In Lightning connectors, the pins on each side of the connector do not mirror each other, so the control chip must identify the orientation of the connector before proceeding. In addition, the Lightning connector has a dynamic pinout controlled by the Lightning port control chip in the Apple device, which negotiates with a security chip in the cable. (Nyan Satan’s research into the Lightning port provides a good baseline for understanding the communication between any accessory and the Apple device).

 

The female Lightning port control chip is codenamed Hydra (this is a newer version that replaced the chip codenamed Tristar), and has the label CBTL1614A1 on the iPhone 12, according to a teardown by iFixit, which identifies it as a multiplexer. Apple guards details on these chips, but some data sheets have leaked in the past, revealing some expected functions. HiFive is the codename of the security chip in the cable, labeled as SN2025 or BQ2025 in male connectors. These chips are only available to MFi-certified manufacturers, but Apple only knows the internal behavior to prevent counterfeits. We will focus on the HiFive chip since we found replica versions in our Baets adapters.

 

The HiFive chip identifies the cable and negotiates for power through the Texas Instruments SDQ protocol, where Apple’s specific implementation is referred to as IDBUS. Our research utilized the SDQAnalyzer plugin for the Saleae Logic Analyzer. The negotiations include identifying information from the accessory and the Apple device. Still, every individual accessory contains unique information that makes it difficult to reverse engineer and counterfeit without being detected.

 

Replicating the communication of a single, legitimate Apple accessory is enough to draw power. This means that every knockoff chip from the same model identifies itself as the same individual accessory or cable to the Apple device (with the same serial number or unique data as the single cloned cable’s HiFive chip). As a result, an iOS update can block this handshake and break all the devices using the same knockoff chip that shares a single serial number. This may explain why some cheap charging cables and accessories mysteriously stop working or produce error/unlicensed warnings when plugged in. The owner of the legitimate cloned cable may also be out of luck, but the impact would be limited to that individual.


In 2016,
electronupdate decapped an earlier version of these third-party chips and revealed a much simpler die than you’ll find in the legitimate TI BQ2025 chip used in authentic lightning cables.

 

Decapped third-party chip
http://electronupdate.blogspot.com/2016/09/3rd-party-apple-lightning.html 

 

Authentic TI BQ2025 chip decapped
Credit:
9to5mac.com


Many chips advertise the ability to negotiate power through the Lightning port. Knockoff manufacturers continue to create many variations as old versions stop working. One of our Baets devices uses an unknown chip labeled “24.” The others use the MT821B and 821B, which all share the same accessory serial number. Online posts referencing variations of uncertified power negotiating chips include the
CY262, AD139, and ASB260, to name a few. It’s unknown if any of these chips or adapters come from the same manufacturers.

 

Each chip receives the 2.65V signal from the ACC_ID line and outputs 1.9V to one of the data lines.

 

Removing the constant high signal from the data line does not affect the negotiation but is necessary for keeping power to the device when the screen is off. Setting the data line consistently high at 1.9V turns on the screen. Some of our adapters do not support sending over the data line in both orientations, so the Bluetooth module turns off when the Apple device stops supplying power when it turns its screen off.


Communication is half-duplex bidirectional, using the SDQ protocol. Like the
1-Wire protocol, the host and adapter communicate over the ACC_ID line only. The female Lightning port repeatedly sends requests for connected accessories to identify themselves. It alternates the pins of the request to determine the accessory orientation.

After receiving the request, the chip must first identify itself with the Hydra chip. In this proprietary protocol, if the first byte is even, it is a request, and the request ID + 1 is the response code. The initial request for identification has ID 0x74 and the response is Request ID + 1 (0x75). Not all the types of requests are known, but a list of known commands has been created by @spbdimka.

 

Incomplete List of IDBUS Request Types
https://twitter.com/spbdimka/status/1118597972760125440 

 

We observed many of these codes during our investigation. Others are not listed explicitly by @spbdimka but can be inferred since each response is just an incremented code of the request. The encoding of the data is unknown, but we can get a general idea of the process necessary to request power from the device. The adapter responds to these requests with incremented response codes, as expected. The negotiation from that adapter is shown below:

Request/Response Type Request/
Response Code
Data CRC8
Get ID 74 00 02 1F
Parse Get ID 75 11 F0 00 00 00 00 D6
Get Module State 72   71
Parse Module State 73 80 00 C0 00 87
Get Module State 70 80 00 12
Parse Module State 71   93
Get Interface Info 76   10
Get Interface Info 76   10
Parse Interface Info 77 01 25 01 80 A0 6A 8D 25 26 66 2E
Get Module Serial 78   0F
Parse Module Serial 79 44 57 48 32 33 38 37 34 57 32 44 46 35 4C 34 41 39 00 BB 88 0E
Get Accessory Serial 7A   B3
Parse Accessory Serial 7B 43 30 38 32 34 32 36 30 4B 37 4C 44 59 37 51 41 51 00 30 00 CC
Extract System Info 84 00 00 05 4D 51 44 54 32 FD
Extract System Info 84 01 00 06 31 39 45 32 35 38 49

After the 0x76 request receives a response, the ACC_PWR line goes high at either 3.3V or 4.1V. If output is 4.1V, then it will eventually correct down to 3.3V. 

This powers on the Bluetooth module, which will result in the pop-up window appearing on the device, prompting the user to connect. The ID of the adapter that is responding is 0x11F000000000. While it matches the same pattern of other accessories and cables, it does not match authentic Lightning to headphone jack adapters that have ID 0x04F100000000. The Baets adapters do not use the legitimate identifier, likely due to the fact that legitimate adapters directly convert audio signals and need more functionality than the knock-off versions, which only need to draw 3.3V from the accessory power line.

The Module and Accessory Serial Numbers are sent in plain ASCII format, but it is unknown if they correspond to the same accessory. The messages include additional information for an unknown purpose.

 

Command

Value

ASCII Representation

Unknown

CRC8

79

44 57 48 32 33 38 37 34 57 32 44 46 35 4C 34 41 39

DWH23874W2DF5L4A9

00 BB 88

0E

7B

43 30 38 32 34 32 36 30 4B 37 4C 44 59 37 51 41 51

C0824260K7LDY7QAQ

00 30 00

CC

 

The last two commands are the Apple Device’s Model Number and Software Version in ASCII with the following format:

 

Command

Model/Software Version

Unknown

Value

ASCII Representation

CRC8

84

00 (Model Number)

00 05

4D 51 44 54 32

MQDT2 (iPad)

FD

84

01 (Software Version)

00 06

31 39 45 32 35 38

19E258 (iOS 15.4.1)

49

 

Changing the device and the iOS version we used to test resulted in different values for the Model Number and Software Version, as would be expected.

How does it activate the pop-up window?

Other research, including Handoff All Your Privacy and Discontinued Privacy, has highlighted Apple’s use of Bluetooth Low Energy (BLE)  to enable Continuity features such as AirDrop, AirPrint, and Handoff. It is also used for Proximity Pairing with AirPods and other Bluetooth headphones made by Apple. We found that it was possible to duplicate the behavior to show the prompt on any nearby Apple devices. Pressing ‘Connect’ will pair with a Bluetooth device of our choosing while it’s posing as any model of Apple wireless headphones.

 

Pop-Up Window to connect AirPods


When Bluetooth is on, Apple devices send and receive BLE messages in the background.
New research from the Technical University of Darmstadt in Germany highlights that these BLE advertisements continue when iPhones are turned off. These messages are receivable by any nearby BLE devices, even if they are intended for communication with paired devices. iPhones and iPads are the most active, constantly advertising their status, including whether they are locked, unlocked, driving, playing music, watching a video, and making or receiving a call. Bluetooth headphones (e.g., AirPods, Beats) also advertise their status and battery level. Apple Watches use BLE to communicate connectivity to a paired iPhone.

 

There is a lot of other data that Apple devices are freely advertising over the air using BLE. The BLE advertising packets are well documented and used by many popular devices and phones similar to the Apple Continuity protocols. Apple’s format is known from prior research:

 

Structure of a BLE advertisement packet 

Celosia, G., & Cunche, M. (2020)

 

The Manufacturer Specific Data includes the length of the data, the Apple company identifier (0x004C), and then the Continuity Message that is different for each respective Continuity protocol. We focused on the Continuity Message for the Proximity Pairing feature for this research. It has been previously documented as having only this format:


Proximity Pairing (AirPods)

Celosia, G., & Cunche, M. (2020)

 

However, when another device receives this advertisement from very close range, it recognizes that it is near someone else’s AirPods and alerts the user.

 


We found that an additional format is implemented for headphones ready to pair with a new device. The different setting is denoted by setting the third byte to 0x00. This format is shown below with an example of data we observed from the adapters:

 

0x07

Length

0x00 (Pairing Mode)

Device Model

Bluetooth Address

Unknown

1 Byte

1 Byte

1 Byte

2 Bytes

6 Bytes

1 Byte

Right Battery

Left Battery

Case Battery

Unique Tag

Color

1 Byte

1 Byte

1 Byte

1 Byte

1 Byte


Advertising data from Baets Adapter:

 

0x07

0x0F

0x00

0x0520

0x414209D43151

0x95

Proximity Pairing

Length

Pairing Mode

Device Model

(BeatsX)

Bluetooth Address

(41:42:09:D4:31:51)

Unknown

0x64

0x64

0x64

0x02

0x00

Right Battery (100%)

Left Battery

(100%)

Case Battery

(100%)

Unique Tag

Color

(White)


The Bluetooth Address specifies the address of any device to pair with using Bluetooth Classic. This does not have to be the adapter itself. Once paired, the adapter will stop broadcasting over BLE and maintain the Bluetooth Classic connection. The device model specifies which image and name appear on the connect screen. All the adapters we investigated used the device model 0x0520 to appear as BeatsX earphones. Other possible device models were checked using scripts modified from
Hexway’s Apple BLEEE project, resulting in the following, likely incomplete list:

 

Hex Value

Device Model

0220

Airpods

0320

PowerBeats3

0520

BeatsX

0620

Beats Solo3

0920

Beats Studio3

0A20

Airpods Max

0B20

Powerbeats Pro

0C20

Beats Solo Pro

0D20

Powerbeats

0E20

Airpods Pro

0F20

Airpods

1020

Beats Flex

1120

Beats Studio Buds


We only tested these ranges of codes, so there are likely other possible values. Any unknown device model results in a screen prompting the device to check for a software update. There is an option to check for updates or setup.

 



 “Set up with limited functionality.”
with unknown device model, where “RingRing” is a cell phone
(not headphones)

 

Changing the unknown field does affect whether the dialog will pop up at all, if it will pop up and disappear immediately, or if it stays on the screen as normal. In addition, some values will not result in a pop-up window appearing, depending on the device model advertised. The real purpose of this field is unknown and requires further testing.


Typically, if the pop-up window is closed, then another will not appear until the user turns their screen off and on again. However, if the unique tag field is changed randomly, the pop-up will occur about every 5 seconds after the user closes the previous window. This effectively prevents nearby users from using their devices because they must constantly close these windows. Other purposes for this field may exist but are not known at this time.

The Bluetooth modules found in the adapters implement the Proximity Pairing format for advertising through BLE. These modules are meant to replicate Apple’s W1 or H1 Bluetooth chip that is used in their Bluetooth headphones. The manufacturers of these counterfeit chips advertise the functionality for use in cheap Bluetooth headphones to make the pairing process more seamless. These chips can also use the Proximity Pairing packet format to advise the iPhone of the headphones’ battery level.

Promotional presentation/document for YC1168 Bluetooth chip
with pop-up window functionality.

Source: https://zhuanlan.zhihu.com/p/111406089 

 

As a result, these chips are becoming widely used in fake AirPods or Beats headphones, making it more difficult to identify counterfeits. In order to verify legitimate headphones, the user must either check the serial number directly with Apple or recognize the differences in quality, which may be difficult without prior experience. Our bodega Baets adapters came in boxes that looked nearly identical to the Apple version, but without the Apple logo.

Summary of Risks

The use of chips to negotiate drawing power from the device presents a number of risks. Allowing unlicensed devices to connect directly to the hardware presents some threats to Apple’s business model, but even more importantly to the consumer, as it may cause damage to the Apple device. There is no protection circuitry in the adapter that protects the Apple device if the adapter somehow sends too much voltage or current back through the Lightning port. We have observed quick battery drain, but these adapters may also damage the Apple device, which has been shown to happen when using unlicensed charging cables.

 

The ability to make a window pop-up on the device to connect to an unknown device is also a risk. Some Bluetooth devices, like the AirPods Pro, have the capability of using Siri and can then read and send messages, make and receive calls, read contacts, and have other functions that present a security risk. You would not want to let an arbitrary Bluetooth device belonging to someone else access your text messages.

 

Dialogue shown after connecting Bluetooth device disguised as AirPods Pro

 

The only way to turn off Proximity Pairing and prevent these dialogs is to turn off Bluetooth entirely. Once the dialog appears, the only way to close it is to press the small ‘X’ button. Clicking around the dialog does not get rid of the pop-up window. During testing, if the Apple device tries connecting to the Bluetooth address of headphones that are connected to another device, it will disconnect them. This makes it possible to create a string of events that would make an attack more likely to succeed. 

 

So, if you see an endless stream of random pairing requests on your Apple device, now you know your sole option:

 

Turn off Bluetooth and keep it off. 


– By Jared Gonzales and Joel Cretan

Want to learn how the hardware around you works? Come work with us! 


Shoutout to RBS alum Trey Keown for the title of this blog post.

To learn more about Red Balloon Security‘s offers, visit our Products page or contact us: [email protected]

LEVERAGE OUR EXPERTISE FOR YOUR SECURITY NEEDS

Reach out to learn more about our embedded security offering and to schedule a demo.

LEVERAGE OUR EXPERTISE FOR YOUR SECURITY NEEDS

Reach out to learn more about our embedded security offering and to schedule a demo.

LEVERAGE OUR EXPERTISE FOR YOUR SECURITY NEEDS

Reach out to learn more about our embedded security offering and to schedule a demo.

LEVERAGE OUR EXPERTISE FOR YOUR SECURITY NEEDS

Reach out to learn more about our embedded security offering and to schedule a demo.