Apple devices have an excellent Airdrop feature - it is made for sending data between devices. In this case, no setup or preliminary pairing of devices is required; everything works out of the box in two clicks. An add-on over Wi-Fi is used to transfer data, and therefore data is transferred at enormous speeds. At the same time, using some tricks, you can not only send files, but also find out the phone number of the person who is in the same subway car with you.
For the last year I have been using this function to make interesting acquaintances on the way to work, on public transport, and in public catering establishments. On average, I manage to make several new acquaintances per day, and sometimes I leave the subway in the company of a new person.
Under the cut I will tell you about all the persimmons.
RUVDS.COM is not responsible for repeating the actions described in this material.
How does AirDrop work?
AirDrop is a protocol for transferring files within a peer-to-peer network. It can work both over a regular local network and over the air between any Apple devices. We will analyze the last case, when two devices are not connected to a common network, but are simply nearby, for example, two people with phones are traveling in a subway car and are not connected to a common Wi-Fi.
The first stage of transmission via AirDrop is sending a BLE packet.
To initiate data transfer via AirDrop, the initiator’s phone sends a broadcast BLE packet, which contains hashed information about the iCloud account and phone number of the owner of the initiator’s devices, with a proposal to establish a connection via the AWDL protocol (Apple Wireless Direct Link), something like Wi-Fi Direct from the Android world. The structure of this BLE packet is very interesting, we will analyze it further.
On the recipient's side, AirDrop can be in three states:
- Off
- will not be detected at all - Only for contacts
- accept files only from contacts in your address book. In this case, the contact is considered to be the phone number or email to which the icloud account is linked. The same logic for linking accounts works here as with the iMessages messenger. - For everyone
- the phone will be visible to everyone
AirDrop privacy settings.
The default status is set to “For contacts”. Depending on your privacy settings, the phone will either continue to establish a connection via AWDL or simply ignore the BLE packet. If AirDrop is set to “for everyone”, then in the next step the devices will connect to each other via AWDL, create an IPv6 network between them, within which AirDrop will work as a regular application protocol using mDNS over the standard IP protocol.
For experiments, you can watch how AWDL works on a MacBook. All exchange over this protocol occurs through the awdl0
, which can be easily captured using Wireshark or tcpdump.
At this stage we know three entities:
Bluetooth LowEnergy (BLE) packet
- this packet contains data based on which the phone decides whether the initiator is in its contact list or not.
Apple Wireless Direct Link (AWDL)
is a proprietary replacement for Wi-Fi Direct from Apple; it is turned on if communication via BLE is successful.
AirDrop
is an application protocol that runs inside a regular IP network using mDNS, HTTP, etc. Can work within any Ethernet network.
AirdropAlerts.com
Status
Airdropalerts.com is the oldest airdrop platform of all the above. They started operating in November 2022 and receive stable traffic, about 9.5 thousand visits per month.
Functionality
The main page of the platform is a simple list of airdrop projects, which are divided into 3 categories - Active, Completed and Upcoming. The list contains only the names of the airdrops without any additional information that you might need, such as a project estimate or the estimated cost of the airdrops needed to complete the tasks.
The airdrops pages are very simple, include brief information about airdrop, as well as links to the White Paper and links to the project's social networking pages. It should be noted that there is also a tutorial on how to get free tokens, with links to airdrops forms and accounts to complete tasks.
The template is visually unattractive, and information about the project is quite sparse. You need to manually complete each required task.
airdrop rating
Airdropsalert.com allows users to rate airdrops, but the information is only visible after going to each airdrop page individually. Airdrops page information is sometimes linked to ICObench ratings, however not all airdrops are consistent.
Social Media Alerts
Airdropalerts.com promotes airdrops on its Telegram, Twitter, Facebook, Reddit and Youtube channels.
Brief Conclusion
Pros
: Airdrops are covered on several social media resources, including Youtube.
Cons
: Lack of additional information on the main page of the platform. Inconsistent and scant information about the project on the airdrops summary pages.
BLE packet structure
It may seem that this BLE packet flies only once from the initiator to the recipient, and then the exchange occurs only via AWDL.
In reality, an AWDL connection has a very short lifespan, only a few minutes or less. So, if the recipient of the file wants to respond to you, he will also act as an initiator and send a BLE packet. How does the phone on the receiving end understand whether the initiator's number/email is in its contact list or not? I was very surprised when I found out the answer: the initiator sends his number and email in the form of a sha256 hash
, but not entirely, but only the first 3 bytes.
Structure of a BLE packet from the AirDrop initiator. Using hashes from the phone number and email, the responder understands whether the initiator is in his contact list.
For example, if your Apple account (aka iCloud, aka iMessages) is linked to the number +79251234567, the hash from it will be calculated like this:
echo -n "+79251234567" |
07de58
for the phone number will fly away in the BLE packet This seems not enough, but often these three bytes are enough to find out the real phone number.
It is also important to remember that the AirDrop privacy setting does not affect the data in the BLE packet. The hash of the phone number will be contained in it, even if the “For everyone” setting is set. Also, a BLE packet with a hash of the phone number is sent when the Share window is opened and when the password for the Wi-Fi network is entered.
For a detailed analysis of the structure of BLE packets and possible attacks on it, read the Apple Bleee study and the Russian translation on Habré.
The Apple Bleee study published ready-made python scripts for automating data analysis in BLE packages. I highly recommend checking out the research and trying out the programs, there's a lot of interesting stuff out there.
Cocoricos.io
Status
The domain Cocoricos.io is 11 months old, but the airdrops list was only introduced on October 31st, 2022. Although this site is relatively new, it still deserves a mention due to its new features and user friendliness.
Functionality
The Cocoricos platform allows you to perform all tasks, including google forms, directly through the platform. You can do this manually or speed up the process by linking your accounts to your Cocoricos account. To learn more about the projects, you can click on the name of the desired airdrop.
Each airdrop comes with a link to a website with a brief description of the project, videos and important information about tokens and airdrops. On the project tabs you can find links to necessary information such as White Paper, team, roadmap and other useful links. The design is nice and makes researching tokens much faster.
airdrop rating
The Cocoricos team analyzes each project before adding it to the platform, which means that only high-quality projects are presented on the site.
Social Media Alerts
Cocoricos.io is promoting new airdrops on its pages on Twitter, Instagram, Telegram and Facebook, Reddit, Bitcointalk.
Brief Conclusion
Pros
: The platform allows you to link accounts and perform airdrop tasks directly from the main page of the site to save your time as much as possible. The airdrops pages provide additional information and links to white papers, project details, and the team.
Minuses
: Relatively new and untested platform.
AWDL (Apple Wireless Direct Link)
AWDL is a proprietary Apple add-on to regular Wi-Fi that implements something like Wi-Fi Direct. I don’t fully know how it works, there is a special way of announcing and coordinating channels, and it only works on proprietary Apple drivers. That is, only MacBooks/iPhones can connect via AWDL.
Sad Android phone owners are still only dreaming of a properly working Wi-Fi Direct function.
But not so long ago, the guys from seemoo-lab wrote a completely open implementation of AWDL and called it Open Wireless Link (OWL). To run OWL, the Wi-Fi adapter must support monitor mode and packet injection, so it does not run on every hardware. The site has examples of configuration on Raspberry pi. This works significantly worse than the original AWDL, for example, the connection setup time is extended by ~10 seconds instead of a couple of seconds for the original, but it works.
Also, these guys wrote from scratch an implementation of the AirDrop protocol in Python, called OpenDrop. It can be used both in conjunction with OWL to launch AirDrop on Linux and with the original AWDL on macOS.
Supported devices
Unfortunately for many users, the new data sharing tool does not work on all Apple devices.
This feature requires a Mac computer that was released in 2008 or later, including:
Laptops:
- Macbook Pro 2008 release.
- Macbook Air 2008 release.
Desktops:
- iMac 2009 and earlier.
- Mac mini 2010 and earlier.
- Mac Pro 2010 and earlier.
It is important to note that to exchange data with mobile devices, you need a computer released no later than 2012 with OS X Yosemite pre-installed.
To exchange data on devices running iOS, you need:
- iPhone 5th generation and later.
- iPad Pro.
- iPad 4th generation and Air models.
- iPad mini.
- iPod touch 5th generation and later.
Many users were outraged and angry, “Why doesn’t AirDrop support iPad?” that this is pure marketing and an attempt to force users to abandon the classic device in favor of newer ones. The developers hastened to explain that such limitations are caused by the lack of Bluetooth LE technology in older devices, as well as the presence of an outdated Wi-Fi module. Therefore, some older devices, including the first generation iPad and iPhone 4s, do not support AirDrop. The same is true for computers with older networking equipment.
How to roll up via AirDrop
Typical situation with rolling up via AirDrop
Enough of the boring theory, it’s time to start practicing. So you are armed with all the necessary equipment and are ready to move forward and roll up balls using high technology.
First you need to remember the main points
:
- AirDrop will only work if the phone is unlocked
- best if the target is continuously looking at the phone. Most often this happens in places where it is boring, for example in the subway. - It takes time
- usually, a positive conversion occurs on the 3-5th image sent, so you need at least 5 minutes of quiet time in one place. I consider a positive conversion to be the moment when you agreed via AirDrop to continue communicating in the messenger. This is difficult to implement on the fly, because it is not immediately clear who accepted your payload, and most likely you will warm up before you can agree on something. - Personalized creative works better
- I call the media content that you send via AirDrop a payload. Just a picture with a meme will most likely lead nowhere; the content should be relevant to the situation and have a clear call to action.
Payload
As I wrote above, a unique payload works better.
Ideally, the picture should address the owner by name. Previously, I had to sculpt creativity using a graphic editor in the notes application and some kind of mobile Photoshop stub. As a result, by the time the required picture was drawn, it was already necessary to get out of the car. My friend Anya koteeq, specifically at my request, wrote a Telegram bot that generates the necessary pictures with a caption on the fly: @AirTrollBot. I thank her very much for the fact that I can now roll balls much more technologically than before.
It is enough to send the bot a line of text, and it will generate it in the form of an image that exactly matches the aspect ratio for the preview in the AirDrop window. You can select a character in the picture by pressing buttons. You can also optionally enable adding your Telegram login to the picture in the corner.
Payload generator
The worst part was that the picture was shown immediately on the victim’s screen without any action.
You didn't even have to click "accept". You could see the instant reaction on the face from loading the payload. Unfortunately, as of iOS 13, pictures from unfamiliar contacts are no longer shown on the screen. Here's what it looked like before: Payload delivered on iOS ≤12
Now, instead of a preview, only the sender's device name is shown. Therefore, the only way to contact a victim with iOS ≥13 by name is to set it in the settings of your device, for example, call the phone “Yulia, hello.” Hint: You can use emoji in the device name. Of course, this method is not as bright as with a picture, but it greatly increases the chance of clicking the “accept” button.
Further description of the actions is beyond the scope of a technical article and depends only on your imagination, improvisation and humor. I can only say that those who join this game and start responding to you with pictures or sending notes are usually very cheerful, open and interesting people. Those who, after looking at the picture, simply do not respond, or worse, simply reject the message, are usually boring snobs and prudes. The fear factor also often plays a role: fragile, timid people are afraid to interact with such an arrogant anonymous stranger.
Other actions
When you use AirDrop to transfer data to someone outside of your contacts, the process is necessarily different. First, the recipient must set the "Airdrop" mode to "Everyone."
Secondly, since AirDrop can't match or show local contacts, it only shows the default avatar as well as the person's name as it sets it for their device. This maintains privacy while providing functionality. You can send or receive data without worrying about the contact being leaked to people you don't know.
Automatic pick-pick machine
If you are too lazy to generate and send payloads manually, and you want to automate the process, you can make an automatic voice pick machine, which in the background will send pictures via AirDrop to everyone within range. We will use raspberry pi zero as a hardware platform, but any computer with Linux will do, the main thing is that the Wi-Fi card supports monitor mode and packet injection.
Speaker sender via Airdrop based on raspberry pi zero w + UPS Lite battery shield
There are AirDrop flooder programs for Jailbreak iPhones, they work more stable than open versions on raspberry pi
Setting up OWL on the raspberry pi is described in detail on the project website, but I prefer to use the Kali Linux build for the Raspberry Pi Zero because it already has the nexmon patches installed to enable Wi-Fi monitor mode on the rpi0.
It is important to remember that Airdrop (or rather AWDL) is activated for patients only after receiving a BLE packet. Therefore, we must send it at intervals of several seconds. This can be done using the py-bluetooth-utils utility. Using the start_le_advertising() function, I send the data string from the apple bleee examples: 0000000000000000001123412341234123400.
Once you have a working OWL daemon, you can then launch my opendrop fork. The repository contains the flooder.py script, which sends out the kak_dela.jpeg image to everyone.
According to my observations, the raspberry pi zero w is unstable in monitor mode. After about 20 minutes of active flooder operation, the Wi-Fi subsystem crashes. The problem is described by the author pwnagotchi, and is presumably caused by overheating. It is necessary to provide a watchdog or use more stable hardware
Where is the best place to exchange cryptocurrencies? TOP 5 exchanges
For convenient exchange and purchase of cryptocurrencies with a minimum commission, we have prepared a rating of the most reliable and popular cryptocurrency exchanges that support the deposit and withdrawal of funds in rubles, hryvnia, dollars and euros .
The reliability of the site is primarily determined by the trading volume and the number of users. By all key metrics, the largest cryptocurrency exchange in the world is Binance. Binance is also the most popular crypto exchange in Russia and the CIS, since it has the largest cash turnover and supports transfers in rubles from Visa/MasterCard and payment systems QIWI, Advcash, Payeer .
Especially for beginners, we have prepared a detailed guide: How to buy Bitcoin on a crypto exchange for rubles?
Rating of cryptocurrency exchanges:
# | Exchange: | Website: | Grade: |
1 | Binance (Editor's Choice) | https://binance.com | 9.7 |
2 | Bybit | https://bybit.com | 7.5 |
3 | OKEx | https://okex.com | 7.1 |
4 | Exmo | https://exmo.me | 6.9 |
5 | Huobi | https://huobi.com | 6.5 |
The criteria by which the rating is given in our rating of crypto exchanges:
- Reliability of operation
- stable access to all functions of the platform, including uninterrupted trading, deposits and withdrawals of funds, as well as the period of operation on the market and daily trading volume. - Commissions – the amount of commission for trading operations within the platform and withdrawal of assets.
- Reviews and support – we analyze user reviews and the quality of technical support.
- Interface convenience – we evaluate the functionality and intuitiveness of the interface, possible errors and failures when working with the exchange.
- Features of the platform are the presence of additional features - futures, options, staking, etc.
- The final score is the average number of points for all indicators, determines the place in the ranking.
Maniacello mode - I know your number
If you want to show yourself as an inadequate maniac and forever discourage the desire to continue communicating with you, you can try to find out the phone number of the person who is nearby.
As we learned earlier, the BLE packets sent by the initiator contain the first three bytes of the sha256 phone number. This hash can be caught when the victim clicks the “share” button and starts scanning airdrop devices or taps the Wi-Fi password for a new network in the input field (in this way, Apple looks for friends within range from whom you can request the network password).
You will need to somehow trigger the hash message from the victim and catch it. I use utilities from the Apple Bleee repository. Since Bluetooth MAC addresses of devices are random and constantly changing, you will have to find another way to determine the desired device in this list. The task is simplified by the fact that iOS broadcasts the current state of the phone like: screen off, screen on, lock screen, unlocked, etc. Therefore, simply by observing the actions of the victim, you can compare the current state of the device with the device in the table. The easiest way is to catch the moment when the user takes the phone out of his pocket, turns on the screen and unlocks the phone with his finger or face. All this will be visible in the sniffer.
X icon
means that a packet with phone hashes was caught.
Their parser sometimes breaks, but most often it works. I will not completely retell the essence of the vulnerability, since it was analyzed in detail by the authors of Apple Bleee, I will only describe my experience. I’ll just say that I use a USB Bluetooth adapter on a CSR 8510 chip, since it works much more stable for me than the Bluetooth adapter built into a MacBook and inserted into a virtual machine.
So we caught the hash from the victim’s phone and received the coveted three bytes from the hash of the phone number.
Intercepted BLE packet with phone number hash using the read_ble_state.py utility
We know that in Russia all mobile numbers begin with the code +79 and, most likely, our victim’s phone has the same code. It turns out that we have a range of numbers from +79000000000 to +79999999999, about a billion numbers.
To narrow the range, we take only the codes that are actually registered with any operator and discard the rest. As a result, the range becomes half as large, about half a billion numbers.
Next, we generate sha256 from all numbers and save only the first 3 bytes from each hash. We enter this list into the Sqlite database and build an index to speed up the search.
This is what the data in the database looks like:
All Russian phone numbers and the first three bytes of the hash
Next, having the hash of the victim, we can search for all matches in the database. Usually there are 15-30 matches per hash.
All numbers that match the victim's hash
Obviously, not all of these numbers are actually used. We can cut off the unnecessary ones using an HLR request or an invisible SMS. Out of 30 numbers, 5 were found online.
The result of the HLR request. Network numbers are highlighted in green.
I could continue to sift through the numbers, for example, add them all to Telegram/Whatsapp and look at the avatars, check through databases like Getcontact and so on. But it turned out to be easier to just call all five numbers one by one and watch when the victim’s phone rings.
Target located
What are Smart Airdrops?
Smart airdrops is a token distribution designed for specific users.
Just as marketing campaigns create user profiles to determine who their audience is and how to target them, Smart Airdrops are designed to attract only those users that the network itself wants.
What is the difference?
Smart airdrops mean that the project understands which users it wants to attract before the coins are distributed. This choice may be based on:
- Location
- Demography
- User interests
Todo
- The flooder on the raspberry pi is very unstable, you need to try other single boards.
- A native flooder for iOS would be much better, but I couldn’t find one that works on iOS 12-13 even with jailbreak.
- The flooder.py script is very stupid. It could probably generate a personalized picture by taking the name from the recipient's device name and cutting out the word iPhone.
- The method of determining a phone number can be optimized by checking only the fact that the number is linked to iMessage. This will most likely give you close to a 100% hit rate.