
CVE-2019-8575: Apple AirPort Firmware Data Deletion Vulnerability

posted to writings on may 30th, 2019 with tags apple and security

On July 4th, 2018, I reported a security/privacy problem to Apple regarding the firmware on its now-discontinued AirPort wireless access points.

Per Apple's website, a "factory-default reset" of an AirPort should "remove any saved configurations and profiles" and should be sufficient for "selling or giving away your base station".

On at least AirPort Extreme AP firmware 7.7.9 and AirPort Express firmware 7.6.9 (the newest available for each device at the time of reporting), a "factory-default" reset just moves the configuration file to a new location on the device, and the old file and up to two additional previous configurations remain accessible on the device.

A new owner of a used Apple AirPort that has been "factory-default reset" with a vulnerable firmware version can still retrieve at least:

  • the previous owner's wireless network name,
  • the previous owner's wireless security (such as WPA2) key,
  • the previous owner's Apple ID (usually an e-mail address) and "infinite access token" if "Back to My Mac" had been enabled,
  • and any other configured ACP properties such as a RADIUS server IP and secret if WPA2 Enterprise was configured, though this is not very common.

The level of access granted to the account with just an Apple ID and "infinite access token" is unknown.

Background

After writing about enabling SSH on the AirPort access points back in June of last year, a reader reached out to me asking for a filesystem dump of one of them.

To make sure none of my private information would be left on the device dump, I did a "factory-default" reset of my device, then set it up as a new network in AirPort Utility with a unique network name and password.

I joined the wireless network, then enabled SSH on the AirPort access point and did a filesystem dump of it (via dd over SSH) and examined the filesystem image with strings.

To my surprise, my old network name was still in the image binary. Assuming it was just an unlinked file no longer referenced, I looked into which file the data was previously stored in, but discovered the file was not deleted.

A further investigation showed that there were files in /mnt/Flash named ACPData.bin.1, ACPData.bin.2, and ACPData.bin.3 which were backup copies of old configurations (the current one being ACPData.bin).

Details

Per the instructions on Apple's website, a "factory-default reset" of an AirPort can be done by disconnecting power, holding down the reset button, then reconnecting power while continuing to hold down the reset button for six seconds.

The AirPort Utility on macOS or iOS can be used to set up the AirPort with a new network name and WPA key. Once joined to the new network (assuming the AirPort is at 10.0.1.1), enable SSH on it and reboot it:

$ python -m acp -t 10.0.1.1 -p (password) --setprop dbug 0x3000
$ python -m acp -t 10.0.1.1 -p (password) --reboot

Then copy the ACPData.bin.1 file containing the previous configuration (the current configuration being at ACPData.bin, and older previous configurations at ACPData.bin.2 and ACPData.bin.3):

$ scp root@10.0.1.1:/mnt/Flash/ACPData.bin.1 .

To find the previous owner's Apple ID ("user@example.com"):

$ strings ACPData.bin.1 | grep -A1 pappleID
pappleID
puser@example.com

To find the previous owner's wireless network name ("wifi"):

$ strings ACPData.bin.1 | grep -A1 praNm
praNm
pwifi

To find the previous owner's wireless network password ("password"):

$ strings ACPData.bin.1 | grep -A1 psyPW
psyPW
ppassword

An "infinite token" is available which may give some kind of access to the previous user's Apple account, but I have not investigated this. These two values are only present if the previous owner had logged into an Apple account and enabled Back to My Mac on the AirPort.

$ strings ACPData.bin.1 | grep -A1 pmmeBTMMInfiniteToken
pmmeBTMMInfiniteToken
pAQAAAABbPVeQoIF8o[snipped]

$ strings ACPData.bin.1 | grep -A1 purl
purl
phttps://p36-btmm.icloud.com:443/v1/hello

Workaround

When doing a factory reset, repeat the process at least three additional times to cycle the data out of ACPData.bin.3.

Resolution

Update AirPort devices to firmware 7.9.1, released May 30, 2019, which properly erases the flash partition during any subsequent factory reset. This firmware update also patches some other, more critical kernel vulnerabilities. Apple security updates are available via the Software Update mechanism and by manual download.

Note that just applying the firmware update does not delete old ACPData.bin.* files from previous factory resets.
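Because neither the update nor a single reset removes ACPData.bin.* copies that are already on the flash, an owner can take a dd image of /mnt/Flash as described in the Details section and scan it before handing the device over. The following script is an added example, not code from the original post: it searches the image for the ACP property names shown above and for the owner's own known values, and the sample image it scans is a constructed stand-in, not the real ACPData.bin layout.

```python
import sys

# ACP property names the post shows surviving a "factory-default" reset.
ACP_PROPERTIES = {
    "raNm": "wireless network name",
    "syPW": "wireless password",
    "appleID": "Apple ID",
    "mmeBTMMInfiniteToken": "Back to My Mac infinite token",
}

# Constructed sample standing in for a dd dump of /mnt/Flash; the byte layout
# is invented for this example and is not the real ACPData.bin encoding.
SAMPLE_IMAGE = (
    b"\xff" * 16
    + b"raNm\x00wifi\x00"
    + b"syPW\x00password\x00"
    + b"\xff" * 8
    + b"appleID\x00user@example.com\x00"
)

def find_all(image: bytes, needle: bytes) -> list:
    """Return every byte offset at which needle occurs in image."""
    offsets, start = [], 0
    while (idx := image.find(needle, start)) >= 0:
        offsets.append(idx)
        start = idx + 1
    return offsets

def scan_image(image: bytes, known_values) -> dict:
    """Report property names and the owner's known values still in the image.

    Raw byte search, not `strings`: that tool skips runs shorter than four
    printable characters and so would miss a short SSID or password."""
    report = {"properties": {}, "values": {}}
    for name in ACP_PROPERTIES:
        if hits := find_all(image, name.encode("ascii")):
            report["properties"][name] = hits
    for value in known_values:
        if hits := find_all(image, value.encode("utf-8")):
            report["values"][value] = hits
    return report

def is_clean(report: dict) -> bool:
    """True only when no property name and none of the known values appear."""
    return not report["properties"] and not report["values"]

if __name__ == "__main__":  # python check_flash.py flash.img <ssid> <password> ...
    with open(sys.argv[1], "rb") as f:
        result = scan_image(f.read(), sys.argv[2:])
    print(result, "CLEAN" if is_clean(result) else "RESIDUAL CONFIGURATION DATA PRESENT")
```

A hit on a property name alone means an old configuration record is still on the flash even if the values you searched for are not the ones it holds.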

If you've already sold or given away your old AirPort devices before being able to update them to this new firmware, and your replacement access point uses the same WiFi network name and password, you may want to change them.

Timeline

2018-07-04 (+0d) - I reported the issue by e-mail to product-security@apple.com and received an auto-reply.

2018-07-05 (+1d) - I received a reply from Scotty of Apple Product Security confirming the issue, noting they do not automatically provide status updates.

2018-07-19 (+15d) - I e-mailed Apple Product Security for an update and received a reply from Scotty of Apple Product Security again stating they are investigating the issue.

2018-08-15 (+42d) - I e-mailed Apple Product Security for an update.

2018-08-22 (+49d) - I received a reply from Scotty of Apple Product Security again stating they are investigating the issue.

2018-10-01 (+89d) - I e-mailed Apple Product Security for an update.

2018-10-04 (+92d) - I received a reply from Scotty of Apple Product Security:

"A security update for AirPort basestations is currently scheduled for release in early 2019 to address this issue. [...]

In the near term, we temporarily removed the “Factory-default reset” section from our support article at https://support.apple.com/HT201945. During our investigation, our team uncovered a workaround that allows users to fully erase the device by repeating the factory default reset process four times. While this is not the long-term plan to address this issue, our AppleCare Advisors have access to this information for customers that call in wanting to perform a factory default reset on their AirPort basestation."

2019-02-04 (+215d) - I e-mailed Apple Product Security for an update.

2019-02-08 (+219d) - I received a reply from Scotty of Apple Product Security stating he is looking into it.

2019-02-15 (+226d) - I had a conference call with Scotty of Product Security, an AirPort firmware engineer, and a couple others from the privacy team at Apple, discussing disclosure and a timeline for a new firmware release. I asked what kind of access is granted by the "infinite token" stored on an AirPort, but Scotty could not disclose any information about it. I reiterated my concern for a timely disclosure as these devices are now being cycled out of production due to their age and my concern that customers need a fix before they get rid of their devices.

2019-03-26 (+265d) - I received a pre-release version of a firmware update and confirmed that doing a factory reset after applying the update does delete the old ACPData.bin files. The entire flash device mounted at /mnt/Flash is now erased during a factory reset.

2019-04-29 (+299d) - I e-mailed Apple Product Security for an update.

2019-05-14 (+314d) - I received a reply from Scotty of Apple Product Security with a public release date estimation for the new firmware.

2019-05-17 (+316d) - I received an e-mail from Apple Product Security indicating this vulnerability has been assigned CVE-2019-8575.

2019-05-30 (+329d) - I received Apple's announcement e-mail of the public release of firmware 7.9.1.
