www.youtube.com/.../watch?v=uY9Ku2IT-ss

[Music]

Our next speakers, Alex and Jiska, will be talking about Apple's Rainbow Bridge for satellite communication, code-named Bifröst. Alex is a PhD candidate and security researcher whose work focuses on proprietary protocols such as Find My, Ultra Wideband and satellite communications. He's the person behind the AirGuard app, which is one way you can find out if somebody has snuck an AirTag into your bag and is tracking you surreptitiously.

Jiska, meanwhile, breaks things, and her unicorn, which is typically wearing a tin foil hat, left it at home. She started her own research group at the Hasso Plattner Institute, and today, as I said, they're going to talk about talking to the stars. So let's have a huge round of applause for Alex and Jiska.
Jiska: Thank you for this great introduction, and also thank you everyone for being here. This room is crowded, wow, so there's still a few seats left, but yeah, thank you. Today we are going to talk about Bifröst, which is a code name for the satellite communication in your iPhone if you have an iPhone 14 or 15. So yeah, a little bit about me: I have a research group at HPI, so if you want to do some research with me please feel free to contact me, or if you have any questions. And with this I'm handing over to Alex, who is going to tell you more about the basics.

Okay, so I'm Alex, I'm a security researcher and a PhD candidate at the Technical University of Darmstadt, and I like to look into new proprietary protocols, and here we looked into the satellite feature of iOS.

First we want to explain the code names here, so we have Stewie and Bifröst. Stewie is basically a name for the satellite transmission unit, STU, and that's the iPhone, which is your Stewie. And then we have Bifröst, which is a mythological name for the rainbow bridge from Earth to heaven. It's from Scandinavian mythology, and Apple uses that for the satellite communication.

So what can you do when you have satellite communication in your iPhone? One of the main features is that in any case of emergency where you don't have any cellular service, you have the option to contact emergency services over the satellite communication. That works by filling out a simple form that describes your emergency, and then it sends your location and additional text messages to the emergency services, and they can reply to you and ask you things back. It's not about a phone communication, so it's all text based, but it works pretty well if you are in case of emergency.

A feature that has nothing to do with emergencies but is also added by Apple is Find My over satellite. So when you are out and about on a big hiking trip and you're camping somewhere outside in the mountains where there is no cellular coverage, you can share your location with your friends over Find My in the same way as you would do normally in the Find My app. But here you have to jump through some hoops and direct your iPhone at the satellite to do that. The only thing that has to be set up before is that you have to have a location sharing ongoing
with some friends; you cannot set it up while you're on the go.

Another thing that's already there is the demo mode. It's used to allow people to train how they use the satellite feature, so for example when you get into an emergency, it's better to know how do I actually send the message to the satellite, because there are some things you need to consider, and the demo mode trains you to do that. You can find it in the settings, in the Emergency SOS section.

So satellite communication needs satellites. For this Apple uses the Globalstar satellite network. It's a vast network that has about 70 active satellites; it's not really 100% sure how many satellites are still active from the first generation, but basically Apple has bought 80% of the coverage of this network, and they have ground stations and transmission units. The iPhone is one of these transmission units, so when you send a message to the satellite it will forward your message to the ground station, which has an internet connection and then can do anything that's needed with the incoming message.

The cool thing here is that these satellites have been designed in a future-proof way. They are basically called bent-pipe satellites, so your message goes up, and then it's like a bent pipe and it's just directed down. So it doesn't matter which encoding scheme or which modulation scheme is used; Apple can use the most fancy and current version and it will still be compatible with satellites that have been launched 20 years ago. They're also called mirrors in space, so you can also imagine that as a metaphor for it. When you send your Find My message, for example, to a satellite, then that satellite will just forward it to a ground station, and there are more than 20 worldwide. This ground station receives the signal, and there's an Apple server placed there, so it goes directly through the internet to iCloud, and your friends can access the location from the internet. So that's how the satellite communication basics work.

And now it's about how we actually went and tried to reverse engineer it. Yeah, what reverse engineering options do we have? I know today there was a talk where I think they released a bug that will be useful for jailbreaking iOS 16 on iPhone 14, but when we did this research this was not available to us. So what could we do on a non-jailbroken phone? At least we can do static reverse engineering and stare at the logs, and Apple has a very useful tool that helps us with this. There are so-called profiles or debug profiles that you can install on a non-jailbroken phone and increase the log verbosity. With the baseband debug log you can even get all the bytes that are sent from the baseband daemon, called CommCenter, to the modem to instruct it to do certain things with the satellite. So here you can see such bytes from the log, but it still doesn't look very readable, so
yeah, we get the bytes, but what do they mean? For this task I had a very skilled student, Lukas, who is also giving a talk on day three about rogue base station detection with just stock iPhones, and he developed a Wireshark dissector for QMI including all the proprietary messages from Apple. So not just standard baseband, Qualcomm public QMI stuff, but really the internals that you need to understand the satellite communication.

So your 5G modem in the iPhone 14 will not only send 5G signals but satellite signals, and it starts with a basic orientation thing. You have to point your phone in a direction and tell the modem where the phone is pointing at, together with some configuration where the satellites are, so there's a lot of initial config so that they find each other. In the next protocol steps we then have some security stuff, like some activation, some LLC key that Alex is going to tell you about, and the frequency configuration they are communicating at, and so on. Then we proceed with a registration step, do some more security config, or like get the security contract with the LLC key confirmed, and once we did that we finally tell the modem, here is the message that we want to send, like the Find My location. This whole thing with this activation, registration and security config only happens when you really use it for Find My, so this is something that will not happen in the demo mode; there's no actual data transmission. Finally we will update the location, or like the orientation, a few more times, see a progress bar (it's never exactly accurate, like sometimes it just jumps from 30% to success), and once it's actually succeeded we get an acknowledgement that the message with this ID has been sent, and finally we close the satellite connection, because it drains the battery and stuff. So with Find My we just send the location and then we go back to normal operation, but that again depends on your use case. So yeah, we have this dissector, we can look into it a bit, but still,

this doesn't feel like reverse engineering so much. How does it work internally, what did Apple do, and what can you do without a physical iPhone 14 jailbreak? Well, at least you can try Corellium here, because of the software configuration the phone would think it has some sort of satellite features, even though it doesn't have a physical modem, but at least it thinks the features are there. Luckily we also got a security research device from Apple, but when you apply you will always get the model from the year before, so we only had an iPhone 13 mini, which has no satellite feature. But it would be great if we can make this one think it would have satellite, so that we can do more testing together with stuff that we learned from Corellium.

For this I'm now diving a bit into very technical internal components. Alex told you you can test the demo mode in the settings, so you get this special button in the preferences, and if you click on "try demo" then there is an XPC message being sent to CommCenter, which is like the baseband daemon doing all your telephony stuff, calls, internet connection. This in turn uses a URL scheme to open an app with an argument like "this is the emergency tryout", and then CommCenter and SOSBuddy will play a central role, where both of them communicate with each other. SOSBuddy is more like the UI, and CommCenter keeps the state with the satellite connection, and even if you have the SOSBuddy app in the background, CommCenter will just keep going with those updates. You might notice this pizza icon, so I think Apple was running out of wireless symbols or something, and yeah, we have pizza since iPhone 14.

I had this idea: okay, so basically it's a URL scheme, we open URLs, so I just take a non-jailbroken phone, I make my own app where you can just open all the URLs that I statically reverse engineered directly. Surprise, it only works for the emergency tryout that we can already access through the settings; it doesn't work for anything else,
because CommCenter is missing certain state and would just refuse to continue whatever you were trying to do with SOSBuddy, because the SOSBuddy state and CommCenter state wouldn't match. So I was like, okay, how can I fake all of this until I make it to have a research device where I can look into this? So I had an iPhone 14, no jailbreak, but actually the modem that talks to a satellite, and I had a security research device, again not the modem, but at least it has iOS 16, which supports, at least software-wise, maybe a bit of satellite communication. I just wanted both, so yeah, how do you do that?

Did you know that your phone has a radio personality? The radio personality would tell the phone which features the radio has, like does it have satellite, does it have 5G, 4G, and when this personality is created, you can look into the code, do a bit of reversing, naming things, and you would figure out it loads the feature configuration from multiple places. One of them is, I guess, also very well known around jailbreaking, which is libMobileGestalt. This is a property list that basically tells a lot of properties that your phone has, and from here we get a couple of properties like a hardware config, which is just a number that describes the model that you have, a bit more abstract, plus the actual name of the iPhone model that you have, and so on. Then there is a second thing where it reads the capabilities, which is the feature flags, and the feature flags are again just a property list that here says specifically CoreTelephony Bifröst. So here's one of the many instances where we have some names. So these two things, if they exist, we seem to have satellite enabled. This is what I observed on Corellium and just tried to reproduce on a research iPhone 13.

On my first try I was like, okay, just replace the property list, but the issue then is that the iPhone 13 would try to load an iPhone 14 firmware that is not there, and even if you put it there, it just wouldn't really work, too many dependencies and stuff. But if you hook things up with Frida, then you can replace only the hardware config version in exactly this place and not the other places of CommCenter, and that would help with the initialization of this radio personality. Luckily on an iPhone 13 there's already the Bifröst feature flag, so in software almost everything is there. Then there are a couple more hooks I had to do; if you want to see them, they're outlined in my OBTS talk, so the talk at Objective by the Sea, there are just a couple of things there. But the most important part then is, you saw all those logs of the captures from the satellite, and because we don't have a physical modem that supports this communication, we have to hook a couple of things to make it believe like, yeah, the modem is taking everything. So we hook the send and receive direction to the baseband modem and fake some replies and a couple of messages, and when we do this we actually get satellite on an iPhone 13 mini. So yeah, here you see it.
[Music]
So obviously this is not being sent to a satellite, but that's also a feature, because now we can experiment with this without causing any emergency, so for me that's a good thing. We can also try a couple more features. There is this Emergency SOS, there is the tryout that you might have just seen yourself. Also an interesting thing that I guess many people are not aware of: additionally, when you have an accident, like there's a fall and a crash detection, and if that triggers then there is automatically an emergency call being made on behalf of you, even if you're no longer conscious or something. But here, if the normal mobile connection doesn't work, it would also try satellite, so that's the third feature. And last there is the Find My, which is also working very nicely, and I got this to really make the phone believe that the location has been sent successfully. So yeah, that's all modes, and we can trigger them, we can research them.

But now you might ask, okay, what does it even help if you don't have a physical modem and just the phone with everything mocked, what kind of insight does this give you? Well, there is one important thing, which is the Stewie and Bifröst configuration. If you have Stewie available on an iPhone, it would configure a lot of things, and then you can research how it would take place, like you cannot really look into those files from a software image because they are downloaded actually on the fly to configure your phone. The first one of these is, like, CommCenter has a permission, an entitlement, that's called "trial client", and trial is actually a trial daemon, and the trial daemon is super interesting: it would just download features or configurations from the internet. So without having a software update, just with a configuration update, Apple can decide that your phone is now getting certain beta features or certain configurations, and here we see a Target property list and a Config property list. Another thing that, yeah, this is what we see then: here is some plotted version of the Target property list, so we see actually where the satellites are; the config also contains where ground stations are and a lot of other things. I think these two-line elements are only in there for around 30 days, so every now and then you should go online with your phone for this to work and to refresh the configurations. Another configuration there is that Apple tells you in the Config property list in which countries and on which channels you can use the emergency over satellite features, so it's more like a software configuration, not really like an actual update. The last thing that's downloaded on the fly is even more interesting: CommCenter would contact the mobile asset daemon and tell it, hey, I want to download a codec, and a codec would be for German or English language, and that's a compression codec for the specific language, so when you type some text, to save some of the transmission capabilities, so that you are low in bandwidth actually. Yeah, and with that, let's look at how this location sharing on top of all of this works.

Yes, so we've primarily focused on the Find My location sharing to not cause any emergencies, and why we looked into that: I first wanted to understand, okay, how does normal location sharing work when you use Find My? Many people that have an iPhone probably know this feature; you can go into the Find My app, add some friends that can see your location for a day, for a week, for all the time. But how does actually your location, their location, come back to your phone? The cool thing is, it's not that your iPhone continuously tracks you and sends the location all the time to Apple and then your friends can just check it when they want to see where you are. It works like this: when your friends request your location and there's no recent location update from your iPhone, because your iPhone was using the Find My app, you will get a push notification to the iPhone, and that push notification triggers the service on the iPhone that will fetch the current location, and if the person wants to see your live location, it will start live location updates as long as they require to see it. So that will send all your live locations back to Apple, and as soon as they arrive at Apple's server they are forwarded as push notifications back to your friend, and this friend can then see where you are and get live updates for this. So here we can see my friend Jiska, she's in the conference center, so that's where I expected her to be.

To make this all secure, Apple decided to use end-to-end location encryption, so your location data that's actually shared to your friends is not visible to Apple. Every time your iPhone sends the location, it uses this ECIES encryption and a friends key. These friends keys are generated, and every friend has one key that all the other friends know, and with this key and the ECIES encryption scheme, the location will be transformed into an encrypted format. In the background, ECIES is basically just a term that describes a range of encryption schemes, and in the end this will be just AES in GCM mode, so it's also secure from this side. That's a good idea, but how does it then work when you want to share your location over satellite? There are different problems: you cannot send maybe the full location data, because it's too much data, and Apple has thought about this, but they also need to secure the satellite interface, because if I can just send anything to the satellite and the satellite will be overloaded, it's impossible for the people to use it for location sharing.

For this they have these LLC keys, and they are generated up front, so that's an interesting thing we saw: as soon as we onboarded our iPhone 13 mini to have the satellite features, it started generating these keys, and we saw them in the iOS keychain. These keys are generated on your iPhone securely in the Secure Enclave chip; they never leave this chip, but of course you can export a public key or use these keys for signing or encryption. That's done during the initial provisioning, so for this the iPhone needs internet access, because these keys are all shared with Apple. Your iPhone, I think, generates 30 of these keys, and each key can then be used for one satellite communication, and to sync them, all the keys are uploaded to Apple, the public keys, and then Apple generates one unique key for each of your keys and sends them back. So you get a range of public keys from Apple, your iPhone saves them alongside the keys that it has generated securely on the phone, and then you can see in the keychain there are these; they're labeled com.apple.CommCenter LLC. That's your private key; you can see there is no key information because it's stored, it's saying SE token, so it's in the Secure Enclave. On the right side you can see the public key from Apple, where you can see actual key information, and you can see that the key label matches on both sides, so you have one server key from Apple that is matching your private key. So what can you do with that? There's a very simple scheme: elliptic curve Diffie-Hellman is used to generate a shared secret, which can then in turn be used to encrypt data, for example.

So now you want to start and transmit your location to the satellite. The next step that Apple has thought about here is, they were like, okay, we need to reduce the data size, so they use a format called light location. In a light location you still have latitude and longitude and an accuracy value, but you are not using doubles, you just use integer values, and to do that they just multiply it and convert it to an integer, and in the end it's just nine bytes of data to share your full location. But it's obviously not having your current speed in there, it's not having your elevation and things like that. So how does it look like? It's very simple, you just convert it and then you have an integer value you can share. That's a scheme that's actually used in the AirTag, so it's not something Apple just made up for this one. Every time your iPhone encounters an AirTag that someone has lost somewhere, your iPhone will also generate a light location information and send that to Apple, and that's obviously not done to save bandwidth for the internet, it's done to save bandwidth on Apple's side; they don't want to have loads of location data in their database, it's enough to just have a very simple format here.

So then the satellite transmission goes on. You have the friends key that we already know, it's saved on your iPhone, the light location, the same encryption scheme, and then you have the encrypted format. Then your phone needs to transfer this to the satellite, so first everything goes to the modem, including your LLC keys, and then the modem does all the magic sending it out to the satellite. That's one area of active research, because Qualcomm modems are not Arm based, so it's quite difficult to find out what actually is happening with the data, how it is sent out, maybe they're doing some formatting on top of it, but that's what we're currently looking into. So then you have uploaded your location to the satellite, it's going down to the ground station and then to Apple's cloud so your friends can access it, and that's basically how the location sharing on Find My works.

Then when we go to Emergency SOS services, there are different things to consider. How do I actually start? That might be interesting for you. When you try to call emergency services and you don't have a cellular connection, your phone will try to use other cellular towers, from not your operator, but then if they are also not available, you will get a screen like we see here on the right side, where you can go to emergency text and you can start texting the emergency services. Or what happens when you have an automatic crash detection, that's what we see on the right side: it also starts to call emergency services automatically, but if that fails because we don't have a connection, it will try to send out a text over satellite immediately. The cool thing here is it actually transfers additional information, because there's more things that are needed for emergency services; they want to know, obviously, the whole questionnaire is going to be transferred, then all the text that you're sending. There's the initial text you can just see here, but then you go into a chat window so you can add more information. But also it always transfers your battery range, so your battery level is known to them, so they know, okay, your battery is below 10%, so you might go offline any time, so then they can use that. And then also location updates are sent continuously, and these are more accurate, because you might be on the top of a mountain, so elevation data is relevant here, so it's also sharing that with the emergency services. But all this is using a very packed format; they use a bitwise writer that writes each single bit to save as much space as possible.

Then we thought, okay, how can we, or could someone, misuse this satellite feature? Ah, don't clap, not yet. So what would be possible to do? Obviously we want to send messages for free, because we have an ability that we can always use: we can share the location to our friends. It can only be used every 15 minutes, but we can still maybe send some text over this. The bandwidth of satellites is limited, that's why Apple is enforcing this 15 minutes limit. They have millions and billions of users, but obviously not all of them are doing location sharing over satellite all the time, but they have to limit it to some point to just keep the satellites working. So how could we then use text messages on location data? When we have location data, we have values in the latitude from minus 90 to plus 90 and a longitude from 0 to 180, so we have these values here that we could use; that's eight bytes of data, and we could basically map an alphabet on GPS coordinates. When we use lowercase and uppercase letters and numbers, that would make up 62 characters, then we have a 10 digit space that we could use; two digits could make up one character when we want to keep it very simple, so that would be five characters per coordinate, enough to write "hello world", for example. So that was what we tried out, but then Apple was a bit smarter than us, because the idea was, okay, you can set the location of an iPhone to a fake location, and that fake location actually contains data that we want to share, but when you set it to a fake location the iPhone knows that, and since we don't have a jailbroken iPhone 14 where we can actually manipulate data on the fly, this fake location detection would just remove us from using satellite communication at all. This locked me out, I know, for like a week or two weeks, out of using any satellite communication, and I was like, ah, maybe in the city it's too crowded, I don't know, I go outside in the park, I tried loads of things, didn't work, and I think it was that thing. So yeah, Apple is smart here, and don't try it out, because maybe you're in an emergency and then it doesn't work, that would be a bummer. So yeah, better wait for a solution, but the solution will be the iPhone 14 jailbreak, so when it is available, hopefully soon. And yeah, I think that's the end of our talk. Thanks everyone for attending it, and we have some time for questions, I
[Music]
think. Great, for those of you in the room, you can see we have four microphones, two on the left and two on the right; your left is not my left, but it doesn't matter, we'll figure it out. For those of you on the internet, we are monitoring Matrix, we are monitoring Mastodon in the fediverse, and we're monitoring IRC. We are in the Granville Room, so use the appropriate hashtags and IRC channels there. We have, well, actually we have a bit more time than we thought, so we have about 6 minutes for questions, and let's start already with microphone number one.

Hey, hello, thank you for the talk. So my question is, you mentioned they're using AES-GCM, but AES has a block size of 16 bytes, so I expect them to always be sending 16 bytes by satellite, right? So do they do that, or is it really just sending nine bytes?

They actually send just nine bytes as far as I know, but there is more data to be sent. For example, they also have to share the public key they're using for the encryption for the friends, the friends' public key. So ECIES also always generates an ephemeral public/private key pair, so the public key of that pair has to be shared as well. In the end they are sending 83 bytes of data for this, but I think for the AES-GCM they keep it to the nine bytes. Don't pin me on how or why, I didn't look into that.

Okay, thank you.

All right, let's go to the other side of the room, in the front.

It might be a naive question, but since this is a redirector satellite, as you said, have you tried just sending in more data? Maybe they just pass it through just as well.

That doesn't work without a jailbreak.

Yes, but assuming that you will have the jailbreak and reverse engineer what happens, you would reimplement the protocol just without the iPhone, for example, if you want.

Yeah, it's difficult to say, because the satellite is just a bent pipe, so the whole logic of how things would be blocked or something is all in the closed implementation on Apple's end. So it might work, and we also tried to reimplement it without the iPhone, but the problem is the modulation here. We probably know which kind of modulation it uses, but we haven't managed to demodulate or modulate our own signals. I think here, yeah.

All right, before we go to another question in the room, do we have any questions from the internet? And please, as you're leaving the room, try and keep it quiet so we can finish the questions, and take any bottles you find or trash.

We do have a few questions from the internet; however, some of them may already be answered. The internet is especially interested in the details of the physical communication with the satellites, so if you can go into any detail there: do we know the frequencies, the size of the messages, and would it be possible to look at the signal with, say, an SDR receiver or something like that?

So yes, it's possible to record the signal with an SDR, we did that. It's around 1.6 GHz, the frequency; that's the normal frequency for all ground-to-satellite communication, so that's where you would expect it. And you can find more information about, for example, which modulation scheme it uses in the FCC reports from Apple, so there is some information there. So it's also possible to record it, probably possible to send it, but the problem is modulation is not always easy, so there's some things to be done to finish this.

Microphone number one.

Yeah, you mentioned that you create 30 encryption keys and share them with Apple. Do I assume correctly that after using those and not having internet, you can't send any more messages out?

Yes, like there is, I think, 30 or so keys, but there is also a last resort key, and probably that's then being reused.

Have you tried exceeding the limit yet?

I know that one of our students tried it, and he was not able to send messages anymore, but it also could have been because the iPhone hasn't been online for like 2 weeks, 30 days, and it didn't know where the satellites are. So yeah, probably you can still send messages with this last resort key.

Okay, so it's like valid for unlimited messages until Apple decides?

Yeah, that's, yeah, there is always one key that's marked, okay, this is last resort.

Okay, perfect, thanks.

Do we have another question from the internet maybe?

We do, yes. The question is, is there any information on how much Apple pays to Globalstar, and whether iPhone users will be charged for this feature in the future?

No, they plan to charge people, but I guess not for emergency services, but I don't have any information.

Microphone one again.

You mentioned that the satellites send the data to some sort of base station. How does this base station know from which iPhone the request came?

The base station itself probably doesn't know, but the server in the base station from Apple can receive the message, decode it, and then find out, okay, it's signed (we don't know if it's signed or encrypted) by this LLC key that has been shared with Apple before. They're always linked to an Apple ID, so Apple knows, okay, it's this Apple ID that has sent this message, with even this device. So there's also some information saved on Apple's side, so you don't have to transfer your Apple ID, for example, with the message.

All right, thanks.

And do we have time for one final question from the internet maybe?

One question is, if I send the public key to Apple, which is then forwarded to my friend, can't Apple generate its own key and send their own public key instead to my friend, so basically do a man-in-the-middle attack on that communication so that they can decrypt the location sent?

It depends on how they share the keys, I would say. I haven't fully found the place where the keys are actually being generated and shared, I just know they exist and when they change and when they do not change. For example, they don't change if one of your friends is kicked out of your friends list. Uh, no, then they are changed, but when you add one then it's not changed, so things like that I know, but I don't know how they are generated, so I cannot say if Apple could sneak in there.

All right, let's give a warm, warm, warm round of applause, and thank you to Alex, Jiska and Jiska's unicorn.

[Applause]

[Music]

- Title: www.youtube.com/.../watch?v=uY9Ku2IT-ss
- Video Language: English
- Duration: 40:56