Apple's MagicPairing for Bluetooth fails to enchant after mischief-making bugs found hiding in the stack

Known and yet still unfixed flaws lurk in proprietary device-linking tech

Apple's proprietary approach to securing Bluetooth peripherals, known as MagicPairing, has some benefits, but not magical enough to make vulnerabilities vanish.

Researchers from TU Darmstadt in Germany examined the MagicPairing protocol and found that its three implementations – in iOS, macOS, and RTKit – contain ten disclosed flaws between them that have yet to be addressed.

RTKit is the real-time operating system based on the RTKit framework and is used in Apple's AirPods 1, 2, and Pro, Siri Remote 2, Apple Pencil 2, and Smart Keyboard Folio. While not widely known, it's widely distributed, thanks to the popularity of Apple's AirPods, which account for more than half of the global wireless earbud market.

In a paper [PDF] entitled "MagicPairing: Apple’s Take on Securing Bluetooth Peripherals," Dennis Heinze, Jiska Classen, and Felix Rohrbach observe that Apple's MagicPairing protocol overcomes two shortcomings of Bluetooth device pairing: poor scalability and a security model that collapses if the permanent key – the Link Key or Long-Term Key – gets compromised.

Despite this, they say, Apple's implementation of MagicPairing still has problems, though not particularly serious ones.

"As MagicPairing is available prior to pairing and encryption, it poses a large zero-click wireless attack surface," the Bluetooth boffins state in their paper, slated for presentation at WiSec '20 in July.


Stuck inside with nothing to do? Apple fires out security fixes for iOS, macOS, wrist-puters... and something weird called iTunes for Windows


"We found that all implementations have different issues, including a lockout attack and a Denial of Service (DoS) causing 100 per cent CPU load. We identified these issues performing both, generic over-the-air testing and iOS in-process fuzzing."

When two Bluetooth devices connect, they generate a permanent key that gets used to protect device authenticity, message integrity, and message secrecy. It remains in place until the user manually deletes it, by unpairing the devices, and it is the source from which shorter-lived session keys are derived.

MagicPairing adds Apple's iCloud service into the equation. It generates fresh permanent keys based on user-specific iCloud keys every session, a security improvement over permanent keys that remain unchanged. It does so, the researches explain, using a symmetric ratcheting algorithm and authenticated encryption.

"The security goals of the MagicPairing protocol seem to be to provide authentication and a fresh shared key for each connection," the paper explains. "It uses a symmetric ratcheting algorithm and authenticated encryption to achieve these goals."

The researchers performed over-the-air fuzzing and in-process fuzzing using code called ToothPicker that they say they'll make available through their Bluetooth testing framework called InternalBlue.

They identified eight MagicPairing and two L2CAP vulnerabilities that can induce crashes, overload the CPU, and disassociate paired devices. The paper says that they were disclosed between October 30, 2019 and March 13, 2020, and have not yet been fixed. The PoC code was published on Sunday.

Apple MagicPairing Bluetooth bugs

Click to enlarge

In an email, Jiska Classen, a researcher with the TU Darmstadt's Secure Mobile Networking Lab (SEEMO) and co-author of the report, suggested that Apple's lack of action may be because Cupertino does not consider them to be particularly serious.

"In contrast, they will fix everything that is related to potential remote code execution very fast," she said.

The paper says that Apple's MagicPairing implementations in iOS and macOS contain a number of spelling mistakes in logging messages and, for macOS Bluetooth daemon bluetoothd, function names.

"As these mistakes vary with the stack, each stack was probably implemented by a different developer," the paper says. "While spelling mistakes are not directly related to flaws in an implementation, they leave the impression the code was not extensively reviewed, and development probably outsourced."

Apple did not respond to a request for comment.

Asked about the apparently low code quality, Classen said her colleague Dennis Heinze found the bugs using the ToothPicker tool he created.

Based on his findings I would assume that Apple did not fuzz large parts of their Bluetooth protocol stack," she said. "However, there are also parts that were well-tested. Probably this depends on the teams being responsible for certain protocols."

However, Classen allowed that for some protocols, open-source over-the-air testing tools exist and other security researchers may have already used them to scrutinize Apple's Bluetooth stacks.

"Overall, we were surprised that Apple did not fix the rather simple bugs that could be fixed by adding a few checks. However, we are also a bit ahead of the originally planned timeline, as the WiSec conference is virtual this year and authors were asked to pre-publish their papers," she explained.

"Nonetheless, we informed Apple about the changed timeline and they did not disallow publication. And as even the oldest bugs are not fixed, this probably does not have to do anything with the changed timeline." ®

Other stories you might like

  • Despite global uncertainty, $500m hit doesn't rattle Nvidia execs
    CEO acknowledges impact of war, pandemic but says fundamentals ‘are really good’

    Nvidia is expecting a $500 million hit to its global datacenter and consumer business in the second quarter due to COVID lockdowns in China and Russia's invasion of Ukraine. Despite those and other macroeconomic concerns, executives are still optimistic about future prospects.

    "The full impact and duration of the war in Ukraine and COVID lockdowns in China is difficult to predict. However, the impact of our technology and our market opportunities remain unchanged," said Jensen Huang, Nvidia's CEO and co-founder, during the company's first-quarter earnings call.

    Those two statements might sound a little contradictory, including to some investors, particularly following the stock selloff yesterday after concerns over Russia and China prompted Nvidia to issue lower-than-expected guidance for second-quarter revenue.

    Continue reading
  • Another AI supercomputer from HPE: Champollion lands in France
    That's the second in a week following similar system in Munich also aimed at researchers

    HPE is lifting the lid on a new AI supercomputer – the second this week – aimed at building and training larger machine learning models to underpin research.

    Based at HPE's Center of Excellence in Grenoble, France, the new supercomputer is to be named Champollion after the French scholar who made advances in deciphering Egyptian hieroglyphs in the 19th century. It was built in partnership with Nvidia using AMD-based Apollo computer nodes fitted with Nvidia's A100 GPUs.

    Champollion brings together HPC and purpose-built AI technologies to train machine learning models at scale and unlock results faster, HPE said. HPE already provides HPC and AI resources from its Grenoble facilities for customers, and the broader research community to access, and said it plans to provide access to Champollion for scientists and engineers globally to accelerate testing of their AI models and research.

    Continue reading
  • Workday nearly doubles losses as waves of deals pushed back
    Figures disappoint analysts as SaaSy HR and finance application vendor navigates economic uncertainty

    HR and finance application vendor Workday's CEO, Aneel Bhusri, confirmed deal wins expected for the three-month period ending April 30 were being pushed back until later in 2022.

    The SaaS company boss was speaking as Workday recorded an operating loss of $72.8 million in its first quarter [PDF] of fiscal '23, nearly double the $38.3 million loss recorded for the same period a year earlier. Workday also saw revenue increase to $1.43 billion in the period, up 22 percent year-on-year.

    However, the company increased its revenue guidance for the full financial year. It said revenues would be between $5.537 billion and $5.557 billion, an increase of 22 percent on earlier estimates.

    Continue reading

Biting the hand that feeds IT © 1998–2022