seemoo-lab / openwifipass Goto Github PK

View Code? Open in Web Editor NEW

796.0 26.0 32.0 32 KB

An open source implementation of Apple's Wi-Fi Password Sharing protocol in Python.

License: GNU General Public License v3.0

Makefile 4.31% Shell 2.31% Python 93.38%

apple password-sharing wifi opack reverse-engineering

openwifipass's Introduction

OpenWifiPass

An open source implementation of the grantor role in Apple's Wi-Fi Password Sharing protocol.

Disclaimer

OpenWifiPass is experimental software and is the result of reverse engineering efforts by the Open Wireless Link project. The code serves solely documentary and educational purposes. It is untested and incomplete. For example, the code does not verify the identity of the requestor. So, do not use this implementation with sensitive Wi-Fi credentials. OpenWifiPass is not affiliated with or endorsed by Apple Inc.

Requirements

Hardware: Bluetooth Low Energy radio, e.g., Raspberry Pi 4

OS: Linux (due to the bluepy dependency)

Install

Clone this repository and install it:

git clone [email protected]/seemoo-lab/openwifipass.git
pip3 install ./openwifipass

Run

Run openwifipass to share Wi-Fi credentials (SSID and PSK) with any requestor (we need super user privileges to use the Bluetooth subsystem):

sudo -E python3 -m openwifipass --ssid <SSID> --psk <PSK>

Use quoting of your shell to remove special meaning of certain characters in SSID/PSK. In the example below, we use single quotes (') to prevent shell expansion of the $ character in the PSK.

A successful run of the protocol would look as follows:

pi@raspberrypi:~/openwifipass $ sudo -E python3 -m openwifipass --ssid OWL --psk '$uper$ecretPassword'
Start scanning...
SSID match in PWS advertisement from aa:bb:cc:dd:ee:ff
Connect to device aa:bb:cc:dd:ee:ff
Send PWS1
Receive PWS2
Send M1
Receive M2
Send M3
Receive M4
Send PWS3
Receive PWS4
Wi-Fi Password Sharing completed

OPACK

This projects contains a reusable OPACK (de)serializer. Read OPACK.md for more information.

Authors

Jannik Lorenz

Publications

Milan Stute, Alexander Heinrich, Jannik Lorenz, and Matthias Hollick. Disrupting Continuity of Apple’s Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL, and Wi-Fi. 30th USENIX Security Symposium (USENIX Security ’21), August 11–13, 2021, virtual Event. Link.
Jannik Lorenz. Wi-Fi Sharing for All: Reverse Engineering and Breaking the Apple Wi-Fi Password Sharing Protocol. Bachelor thesis, Technical University of Darmstadt, March 2020.

License

OpenWifiPass is licensed under the GNU General Public License v3.0.

openwifipass's People

Contributors

Stargazers

Watchers

openwifipass's Issues

Cryptodome.Cipher Module not found

With python3 the import need to be adjusted:

openwifipass/GrantorHandler.py:

-from Cryptodome.Cipher import ChaCha20_Poly1305
+from Crypto.Cipher import ChaCha20_Poly1305

Could not install packages due to an Environment error

└─# pip3 install ./openwifipass
Processing ./openwifipass
ERROR: Could not install packages due to an EnvironmentError: [('/root/openwifipass/.git/objects/pack/pack-0776f7e29fc2147c7836857a12651c0733bbaf06.pack', '/tmp/pip-req-build-91h8dqsg/.git/objects/pack/pack-0776f7e29fc2147c7836857a12651c0733bbaf06.pack', "[Errno 22] Invalid argument: '/root/openwifipass/.git/objects/pack/pack-0776f7e29fc2147c7836857a12651c0733bbaf06.pack'"), ('/root/openwifipass/.git/objects/pack/pack-0776f7e29fc2147c7836857a12651c0733bbaf06.idx', '/tmp/pip-req-build-91h8dqsg/.git/objects/pack/pack-0776f7e29fc2147c7836857a12651c0733bbaf06.idx', "[Errno 22] Invalid argument: '/root/openwifipass/.git/objects/pack/pack-0776f7e29fc2147c7836857a12651c0733bbaf06.idx'")]

Python throw AttributeError

charles@xavier-nvme:~$ sudo -E python3 -m openwifipass --ssid MySSID --psk 'testpassword'
[sudo] password for charles:
Start scanning...
SSID match in PWS advertisement from 5d:32:e4:bd:f0:3b
Connect to device 5d:32:e4:bd:f0:3b
Traceback (most recent call last):
File "/usr/lib/python3.6/runpy.py", line 197, in _run_module_as_main
return _run_code(code, main_globals, None,
File "/usr/lib/python3.6/runpy.py", line 87, in _run_code
exec(code, run_globals)
File "/home/charles/.local/lib/python3.6/site-packages/openwifipass/main.py", line 31, in
main()
File "/home/charles/.local/lib/python3.6/site-packages/openwifipass/main.py", line 27, in main
startPWS(scanResult.addr, args.ssid, args.psk)
File "/home/charles/.local/lib/python3.6/site-packages/openwifipass/Connection.py", line 95, in startPWS
grantorHandler = GrantorHandler(ssid, psk)
File "/home/charles/.local/lib/python3.6/site-packages/openwifipass/GrantorHandler.py", line 17, in init
self.session_keys = SessionKeys()
File "/home/charles/.local/lib/python3.6/site-packages/openwifipass/Keys.py", line 9, in init
encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw
File "/usr/lib/python3.6/enum.py", line 429, in getattr
raise AttributeError(name) from None
AttributeError: Raw

PSK with $ does not work

When using a $ from cmdline, the $ will be handled as a variable, as expected. Unfortunately, quotes around the psk string does not work.

sudo -E python3 -m openwifipass --ssid WIFI --psk abc$def

The only way for me to get it working was to escape the dollar sign:

sudo -E python3 -m openwifipass --ssid WIFI --psk abc$def

As this is not a python issue, but rather a cmdline topic, I think it may be good to always expect the psk with single quotes as it is quite likely to contain a $.

And many, many thanks for this awesome tool.

Device disconnects mid-transfer

I tried using this with an iPod touch running iOS 14.4, but this happened:

Start scanning...
SSID match in PWS advertisement from 61:48:a1:38:83:f5
Connect to device 61:48:a1:38:83:f5
Send PWS1
Receive PWS2
Send M1
Traceback (most recent call last):
  File "/usr/lib/python3.7/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.7/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/home/pi/.local/lib/python3.7/site-packages/openwifipass/__main__.py", line 31, in <module>
    sys.exit(main())
  File "/home/pi/.local/lib/python3.7/site-packages/openwifipass/__main__.py", line 27, in main
    startPWS(scanResult.addr, args.ssid, args.psk)
  File "/home/pi/.local/lib/python3.7/site-packages/openwifipass/Connection.py", line 117, in startPWS
    while peripheral.waitForNotifications(2):
  File "/home/pi/.local/lib/python3.7/site-packages/bluepy/btle.py", line 560, in waitForNotifications
    resp = self._getResp(['ntfy','ind'], timeout)
  File "/home/pi/.local/lib/python3.7/site-packages/bluepy/btle.py", line 407, in _getResp
    resp = self._waitResp(wantType + ['ntfy', 'ind'], timeout)
  File "/home/pi/.local/lib/python3.7/site-packages/bluepy/btle.py", line 362, in _waitResp
    raise BTLEDisconnectError("Device disconnected", resp)
bluepy.btle.BTLEDisconnectError: Device disconnected

Can you help out? Thanks!