Recon 2024

WatchWitch — The Apple Watch Protocol Stack from Scratch
06-30, 14:00–15:00 (US/Eastern), Grand Salon

We take a deep dive into the wireless protocols that power the Apple Watch and its deep integration into the Apple ecosystem, reversing and re-implementing them as we go — starting from foundational transport protocols all the way up to synchronization of sensitive sensor data. Along the way, we will encounter many a proprietary protocol, flawed implementations of standards, and homebrew cryptography endangering Apple's famously strong security.
With Apple adding new hardware capabilities to the Apple Watch year over year, modern watch models boast an impressive number of sensors in a tiny package: Your watch can track your location, do advanced activity detection, measure your heart rate, blood oxygen levels, skin temperature, and even take ECG readings. Beyond collecting intimate health data, the watch also integrates deeply with your iPhone — it can access your phone's camera, share its internet connection, and synchronize many different kinds of data.

Over the last year, we spent countless hours staring at iOS daemon binaries, hooking message handling functions with Frida, and iteratively re-creating the protocols we encountered. We now present a detailed breakdown of these protocols powering the seamless wireless communication between the Apple Watch and the iPhone, including the Alloy message bus, the SHOES proxy (yes, really), and the Network Relay Link Protocol. None of these protocols have ever been publicly described before. Working our way up from plain Bluetooth / WiFi captures, we eventually gain a full understanding of the Apple Watch's inner workings and can follow a heart rate sample from the on-board sensors all the way from encoding through encryption, transmission, and storage.

While we focus on our reversing and reimplementation work in this presentation, we also present two interesting security flaws that we encountered digging through Apple's proprietary protocols, both of which were reported to Apple — we might even have a Frida PoC for some issue or another.

Finally, we introduce WatchWitch, our Android-based reimplementation of the Apple Watch protocol stack that allows us to communicate with the watch on our own terms — synchronizing health data, sharing internet access, sending notifications and more.

Somehow — and without ever having owned more than an iPod — Nils fell down the Apple rabbit hole and now spends their days reverse-engineering Apple's devices and uncovering the bits of magic hiding inside the machines that surround us every day. After a long day of breaking things with Frida in new and interesting ways, they also enjoy building new stuff once in a while. Currently, they are pursuing a PhD in computer science at the Secure Mobile Networking Lab (SEEMOO) of TU Darmstadt.