Attendees at Def Con, one of the world’s largest hacking conferences, are used to weird shenanigans, such as a seemingly innocuous wall of computer
A researcher built a $70 contraption designed to send pop-up prompts to nearby iPhones, which could trick targets into giving away their password.
The other was “to have a laugh,” according to Jae Bochs, the security researcher who said they walked around the conference triggering these pop-ups with a custom-made device.
Bochs told TechCrunch that all they needed for this experiment was a contraption consisting of a Raspberry Pi Zero 2 W, two antennas, a Linux-compatible Bluetooth adapter, and a portable battery.
“Proximity is determined by BLE signal strength, and it seems most devices intentionally use lowered transmit power for these to keep the range short.
Unlike real Apple devices, his contraption wasn’t programmed to collect any data from nearby iPhones, even if the person tapped and accepted the prompts.
The researcher said these issues are already known, at least since a 2019 academic paper that studied Apple’s Bluetooth Low Energy protocol and concluded that there are “several flaws” that “leak device and behavioral data to nearby listeners.”
“Individually, each flaw leaks a small amount of information, but in aggregate they can be used to identify and track devices over long periods of time,” the researchers wrote in the paper.