Bluetooth communications are on the increase. Millions of users rely on the technology to connect to peripherals that simplify their lives and provide greater comfort and a better experience.

There is a trick or hack for iOS 10.3.3 and earlier, and for iOS 11 beta 4, that takes advantage of how Bluetooth profiles are managed, with an impact on the privacy of users who rely on Bluetooth technology daily.

Through the information leak caused by the incorrect management of profiles on iOS devices, a great deal of information about the user and their background can be obtained.

Connecting an iPhone over Bluetooth to peripherals such as speakers, headphones or sound systems implies a risk to the user's privacy, since these devices could extract private information from the iPhone without the user being aware of it.

The hack or trick puts users' privacy at risk. iOS does not notify the user of the profile change and allows the functions and actions associated with the new profile to run, so the user's data is at risk of being stolen by a potential attacker.

What leaks in practice? Potentially:

  • People to whom the user relates.
  • The user’s telephone number.
  • Companies with which the user relates.
  • The card owner's contact information.
  • The call history.
  • The physical addresses of the people associated with the contact cards.

Systems tested

The models on which the hack can be used are:

  • iPhone 3G.
  • iPhone 3GS.
  • iPhone 4 / 4S.
  • iPhone 5 / 5S.
  • iPhone 6 / 6S / 6 Plus / 6S Plus.
  • iPhone 7 / 7 Plus.

Currently, every iOS version compatible with the models listed above can be used with the DirtyTooth trick. At the time this document was released, the current versions were iOS 10.3.3 and iOS 11 beta 4.

Description

When iOS detects a Bluetooth signal, the user sees the device they can connect to, in a screen like the following.

The speaker that appears in the Bluetooth discovery announces the A2DP profile, the profile used to stream audio over the Bluetooth connection. When the user taps it, pairing completes; with Bluetooth 2.1 or later no PIN is required.

After a few seconds, the Bluetooth speaker can change its profile, to the PBAP profile for example.

If this happens, iOS performs the profile change without displaying any kind of notification to the user.

Note that iOS has a weakness here, or rather an extra accessibility setting: when the profile change happens without notification, contact synchronization is enabled by default, which gives the peripheral access to the contacts. In other words, DirtyTooth is a trick or hack that takes advantage of this accessibility setting.

The trick or hack can be extended to other profiles, because the operating system does not request authorization to change profile. In the case of the MAP profile, which gives access to the messages on the mobile device, a switch to synchronize messages is displayed, but it is disabled by default, unlike the PBAP case. In other words, the trick takes advantage of the missing authorization for a profile change together with the default settings for synchronizing elements of the device over the Bluetooth connection. It is a simple accessibility setting that is potentially dangerous.
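One defender-side check for the behaviour described above, as an added example that is not ElevenPaths' code: it scans a constructed log of SDP service records and pairing events (the log format is assumed, not a real tool's output) and flags peers that advertised only audio profiles before pairing and then added PBAP or MAP afterwards.

```python
"""Flag Bluetooth peers that switch from audio-only profiles to phone-data
profiles (PBAP/MAP) after pairing, the pattern DirtyTooth relies on.
Added example; the log format and sample lines are constructed."""
from collections import defaultdict

# Bluetooth SIG 16-bit service class UUIDs
AUDIO_PROFILES = {0x110A, 0x110B, 0x110D, 0x111E, 0x111F}  # AudioSource, AudioSink, A2DP, HFP, HFP-AG
PHONE_DATA_PROFILES = {0x112F: "PBAP PSE", 0x1130: "PBAP", 0x1132: "MAP MAS", 0x1134: "MAP"}
PHONE_DATA_UUIDS = set(PHONE_DATA_PROFILES)

# Constructed log, one event per line: "<time> <SDP|PAIRED> <bdaddr> [uuid,uuid,...]"
SAMPLE_LOG = """\
10 SDP AA:BB:CC:DD:EE:01 110B,110D
11 PAIRED AA:BB:CC:DD:EE:01
17 SDP AA:BB:CC:DD:EE:01 110B,110D,112F
20 SDP AA:BB:CC:DD:EE:02 110B,110D
21 PAIRED AA:BB:CC:DD:EE:02
30 SDP AA:BB:CC:DD:EE:02 110B,110D
05 SDP AA:BB:CC:DD:EE:03 110B,112F
06 PAIRED AA:BB:CC:DD:EE:03
"""

def parse_log(text):
    """Return events as (time, kind, bdaddr, set_of_uuids), sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        uuids = {int(u, 16) for u in parts[3].split(",")} if len(parts) > 3 else set()
        events.append((int(parts[0]), parts[1], parts[2], uuids))
    return sorted(events, key=lambda e: e[0])  # tolerate out-of-order lines

def find_profile_switches(events):
    """Map bdaddr -> phone-data profiles that appeared only after pairing."""
    before, paired, hits = {}, set(), defaultdict(list)
    for _t, kind, addr, uuids in events:
        if kind == "PAIRED":
            paired.add(addr)
        elif kind == "SDP" and addr not in paired:
            before[addr] = uuids          # last record seen before pairing is the baseline
        elif kind == "SDP":
            baseline = before.get(addr, set())
            if baseline & PHONE_DATA_UUIDS:
                continue                  # advertised phone-data profiles openly: not a switch
            for u in sorted((uuids - baseline) & PHONE_DATA_UUIDS):
                if PHONE_DATA_PROFILES[u] not in hits[addr]:
                    hits[addr].append(PHONE_DATA_PROFILES[u])
    return dict(hits)

if __name__ == "__main__":
    print(find_profile_switches(parse_log(SAMPLE_LOG)))  # → {'AA:BB:CC:DD:EE:01': ['PBAP PSE']}
```

The peer that exposed PBAP from the start (EE:03) is not flagged, since the point is the silent post-pairing switch, not PBAP support as such.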

Q&A

What makes the DirtyTooth unique?

It is an easy hack for any user, and it affects users' privacy.

What is being leaked?

  • People to whom the user relates.
  • The user’s telephone number.
  • Companies with which the user relates.
  • The card owner's contact information.
  • The call history.
  • The physical addresses of the people associated with the contact cards.

Is there a paper?

Of course. It is available at this URL: https://www.slideshare.net/elevenpaths/dirtytooth