
Apple's AWDL protocol plagued by flaws that enable tracking and MitM attacks


Apple Wireless Direct Link (AWDL), a protocol installed on over 1.2 billion Apple devices, contains vulnerabilities that enable attackers to track users, crash devices, or intercept files transferred between devices via man-in-the-middle (MitM) attacks.

These are the findings of a research project that started last year at the Technical University of Darmstadt, in Germany, and recently concluded; the researchers will present their results later this month at a security conference in the US.

The project sought to analyze the Apple Wireless Direct Link (AWDL), a protocol that Apple rolled out in 2014 and which also plays a key role in enabling device-to-device communications in the Apple ecosystem.

While most Apple end users might not be aware of the protocol’s existence, AWDL is at the core of Apple services like AirPlay and AirDrop, and Apple has been including AWDL by default on all devices the company has been selling, such as Macs, iPhones, iPads, Apple watches, Apple TVs, and HomePods.

German and US researchers reverse-engineered AWDL

But in the past five years, Apple has never published any in-depth technical details about how AWDL works. This, in turn, has resulted in very few security researchers looking at AWDL for bugs or implementation errors.

However, due to the protocol’s growing ubiquity in the daily lives of all Apple users, in 2018, a team of TU Darmstadt academics — later joined by academics from Boston’s Northeastern University — decided to take a look at AWDL, and how the protocol works.

“Considering the well-known rocky history of wireless protocols’ security, with various flaws being repeatedly discovered in Bluetooth, WEP, WPA2, GSM, UMTS, and LTE, the lack of information regarding AWDL security is a significant concern given the increasing number of services that rely on it,” the research team said.

To study it, researchers reverse-engineered the AWDL protocol and then re-wrote it as a C implementation named OWL (Open Wireless Link), which they later used to test the real AWDL protocol for various attacks.

AWDL vulnerabilities

“Our analysis reveals several security and privacy vulnerabilities ranging from design flaws to implementation bugs enabling different kinds of attacks,” the research team said.

As a result of their work, researchers discovered:

  1. A MitM attack which intercepts and modifies files transmitted via AirDrop, effectively allowing for the planting of malicious files.
  2. A long-term device tracking attack which works in spite of MAC randomization, and may reveal personal information such as the name of the device owner (over 75% of experiment cases).
  3. A DoS attack aiming at the election mechanism of AWDL to deliberately desynchronize the targets’ channel sequences effectively preventing communication with other AWDL devices.
  4. Two additional DoS attacks on Apple’s AWDL implementations in the Wi-Fi driver. The attacks allow crashing Apple devices in proximity by injecting specially crafted frames. The attacks can be targeted at a single victim or affect all neighboring devices at the same time.

A demo video of the first attack is embedded below, showing how researchers were able to modify files in transit, sent via an AWDL connection.