$70 device can steal passwords from your iPhone in the sneakiest way possible

Jae Bochs hack device
(Image credit: Jae Bochs / TechCrunch)

A $70 homemade device on show at one of the biggest hacking conferences on the planet has revealed how thieves could trick you into handing over your iCloud password (or any other credentials for that matter) without you even noticing. 

The makeshift contraption, which looks like something the Joker would use to set off a minor explosion, caused chaos at Def Con as part of a research project designed to “have a laugh” while also revealing to people just how important it is to turn off your Bluetooth properly if you want your iPhone to be safe from unwanted overtures. 

As TechCrunch reports, hacker Jae Bochs wandered around Def Con triggering pop-ups on fellow convention guests' phones with the custom-made device, a mish-mash of a Raspberry Pi Zero 2 W, two antennas, a Bluetooth adapter, and a battery. 

Thanks to Apple’s Bluetooth low energy protocols, devices can communicate with your iPhone using “proximity actions” to deliver a pop-up on your iPhone. The alert, in this case, took the form of Apple’s ingenious Apple TV Keyboard Password AutoFill feature. The convenient popup normally lets you type passwords for things like your Apple ID, Netflix, and more on your Apple TV using your iPhone’s keyboard, rather than the arrows on your remote. 

The device

As it stands, in theory, a device like this could be used to trigger an alert on the iPhone of any unsuspecting person, who might, in a momentary lapse of concentration, enter a password without thinking. This highlights a need to not only be wary of your Bluetooth settings, but also any random popups asking you for passwords or log-in credentials you weren’t expecting. 

“Bochs estimated that this combination of hardware, excluding the battery, costs around $70 and has a range of 50 feet, or 15 meters,” the report states. The proof of concept “builds a custom advertisement packet that mimics what Apple TV etc. are constantly emitting at low power,” triggering the pop-ups on nearby devices. 

Of course, as a practical joke/warning exercise, Bochs’ tool wasn’t primed to accept any data, even if someone did fall for the prank, but a bad actor with the same tools could definitely “have collected some data.” 

“If a user were to interact with the prompts, and if the other end was set up to respond convincingly, I think you could get the ‘victim’ to transfer a password,” Bochs warned. 

Bochs, unfortunately, believes that "Apple won't do anything about this." The issue lies with the core programming at the heart of the low energy protocol, something that, in Bochs’ eyes, "is certainly by design, so that watches and headphones keep working with Bluetooth toggled.” Inherent flaws or not, Apple wants the feature to work — to fix it would be to break it.

The moral of the story is that if you want your iPhone to be totally safe from rogue Bluetooth incursions like the one explained here, then you need to turn off Bluetooth on your iPhone. Properly turn it off. Selecting the Bluetooth toggle in the Control Panel doesn’t completely turn off your Bluetooth, because it continues to work with proximity-activated beacons. To turn off Bluetooth completely, you need to head to your iPhone Settings, Bluetooth, and then select the green Bluetooth toggle at the top of the page.  

Stephen Warwick
News Editor

Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design. Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9