Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple AirPlay Private Key Exposed

Posted by CmdrTaco on from the i-see-what-you-did-there dept.

An anonymous reader writes "James Laird has reverse engineered the Airport Express private key and published an open source AirPort Express emulator. 'My girlfriend moved house, and her Airport Express no longer made it with her wireless access point. I figured it'd be easy to find an ApEx emulator — there are several open source apps out there to play to them. However, I was disappointed to find that Apple used a public-key crypto scheme, and there's a private key hiding inside the ApEx. So I took it apart (I still have scars from opening the glued case!), dumped the ROM, and reverse engineered the keys out of it.'"

40 of 306 comments (clear)

  1. Apple-time by sanosuke001 · · Score: 3, Interesting

    Apple is going to make life a royal pain in the ass for this guy for releasing this publicly...

    --
    -SaNo
    1. Re:Apple-time by Mia'cova · · Score: 5, Funny

      Let's see someone add airplay support to the ps3. See how many companies can get pissed off at once. If you play it right, they could be goaded into fighting each other. Fingers crossed! Maybe these companies will finally deliver something entertaining to watch :)

    2. Re:Apple-time by jimicus · · Score: 3, Interesting

      Hmm.

      Music. Being streamed in realtime from one wireless device to another.

      Do you know, I rather suspect the reason for the encryption might be less to do with Apple and more to do with a certain industry we all love to hate. Last two initials of the organisation that represents them are AA.

    3. Re:Apple-time by ceoyoyo · · Score: 3

      Probably. The RIAA had a lot more clout against Apple when the airport express and AirTunes was introduced than they do now though. Apparently Apple isn't worried about the MPAA objecting to their recent negligence in not encrypting the video (and audio associated with video) portion of AirPlay.

  2. Please tell me by MarkRose · · Score: 5, Funny

    If you extract the ROM out of an Apple device, is that a core dump?

    --
    Be relentless!
  3. real easy innit by amn108 · · Score: 4, Funny

    I like how easy he makes it sound :-)

    Things you need to hack the Airport Express:

    1. Girlfriend
    2. A pinch of dissappointment
    3. Wilingness to break open glued Apple casing

    1. Re:real easy innit by BigDish · · Score: 4, Funny

      Have you ever tried to open one of the glued-together cases? That's by far more difficult than getting a girlfriend

    2. Re:real easy innit by gstoddart · · Score: 4, Funny

      1. Girlfriend
      2. A pinch of dissappointment

      Don't know about you, but I've found that #1 can lead to #2 -- and has on several occasions.

      --
      Lost at C:>. Found at C.
    3. Re:real easy innit by hoggoth · · Score: 3, Informative

      /g/=global, ie: substitute all, not just the first occurrence

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    4. Re:real easy innit by erroneus · · Score: 3, Insightful

      I wouldn't. I've got a wife and I can tell you first hand, it's HARD to have a girlfriend and a wife.

    5. Re:real easy innit by clickclickdrone · · Score: 5, Funny

      >2. A pinch of dissappointment
      The considerably less lethal version of Spock's death grip.

      --
      I want a list of atrocities done in your name - Recoil
    6. Re:real easy innit by Lumpy · · Score: 4, Funny

      Not if you freeze them with dry ice and hit them with a hammer...

      Yes it works with glued together cases as well.

      --
      Do not look at laser with remaining good eye.
    7. Re:real easy innit by StikyPad · · Score: 3, Funny

      Marriage: It's a lot of work, but in the long run, eventually one of you dies.

      --
      https://www.eff.org/https-everywhere
  4. Open source win by jhigh · · Score: 4, Insightful

    Score one for the good guys. This is just further proof that security through obscurity is a myth. You cannot expect that keeping everything locked inside your proprietary case is going to keep it secure. The best security is sunlight. Let the community poke and prod at your software and/or hardware and it will only improve your offering.

    --
    Social Engineering Expert: Because there is no patch for stupidity.
    1. Re:Open source win by agentgonzo · · Score: 4, Insightful

      This is just further proof that security through obscurity is a myth.

      Unfortunately, you can boil the entirety of information theory to 'security through obscurity'. Airplay uses public key encryption and is in that sense 'secure'. Everything that needs to read the encrypted content (in this case the airplay device) needs to have the key to decrypt it. Thus you can argue that the whole system is 'security through obscurity' because it is relying on the 'obscurity' of the private key that the end-user can't get access to (unless the pry it open with a butterknife and dump the ROM).

  5. DMCA violation by sideslash · · Score: 3, Insightful

    This guy should just meekly accept that his girlfriend's expensive gadgets don't work for her anymore. How dare he tinker around and fix things. (At least I think they imported some flavor of the DMCA down under.)

  6. open-source library sharing incoming? by gblues · · Score: 3, Interesting

    Does this mean we can finally get an iTunes-alike that can work with iTunes 7+ library sharing?

  7. Re:Editor ? by Majik+Sheff · · Score: 4, Funny

    Two things that appear to be true about the author of the article and not about you:

    1. The author's first language was not English
    2. The author has a girlfriend.

    Between English tenses and a hot European chick, I know which one I'd prefer to be conjugating.

    --
    Women are like electronics: you don't know how damaged they are until you try to turn them on.
  8. Re:Slashdotter already by Anonymous Coward · · Score: 5, Informative

    Here's the key on the VideoLan boards.

    Airport RSA Key

  9. posted to vlc-devel list by pinkishpunk · · Score: 5, Informative

    he did a post to the vlc-devel list here, http://mailman.videolan.org/pipermail/vlc-devel/2011-April/079616.html It private rsa key is there, might be a good thing to download, if you are worried apple might do something stupid.

  10. SHAirport 0.01 backup copy by pixline · · Score: 3, Informative

    Here's the code you would have find on that page. I saved it earlier, here you go: http://www.multiupload.com/0EUN2QKDMT (Yes, it does include something like a private key. Don't ask me if it's THAT key, I don't know.)

  11. The best part by AK76 · · Score: 5, Interesting

    From the README:
    "Thanks also to Apple for obfuscating the private key in the ROM image, using a
    scheme that made the deobfuscation code itself stand out like a flare."

  12. Re:and how many people use Airport? by characterZer0 · · Score: 5, Interesting

    I bought one once. I set up the network for a small organization and every time there was any kind of problem they blamed the WiFi router and called me. I bought a Airport and threw that in there instead. Now they have just as many problems but they assume that the Apple product cannot possibly be the issue, and I have not received a complaint from them since. It has been a almost two years. It was well worth the $180 to me.

    --
    Go green: turn off your refrigerator.
  13. Re:Slashdotter already by Hazel+Bergeron · · Score: 5, Informative

    And here's a post which may or may not receive a takedown notice from Apple. Remove the extra spaces inserted to evade the lameness filter.

    -----BEGIN RSA PRIVATE KEY-----
    MIIEpQIBAAKCAQEA59dE8qLie ItsH1WgjrcFRKj6eUWqi+bGLOX1HL3U3GhC/j0Qg90u3sG/1CUt
    wC5vOYvfDmFI6oSFXi5ELabWJ mT2dKHzBJKa3k9ok+8t9ucRqMd6DZHJ2YCCLlDRKSKv6kDqnw4U
    wPdpOMXziC/AMj3Z/lUVX1G7W SHCAWKf1zNS1eLvqr+boEjXuBOitnZ/bDzPHrTOZz0Dew0uowxf /+sG+NCK3eQJVxqcaJ/vEHKIVd 2M+5qL71yJQ+87X6oV3eaYvt3zWZYD6z5vYTcrtij2VZ9Zmni/
    UAaHqn9JdsBWLUEpVviYnhimN VvYFZeCXg/IdTQ+x4IRdiXNv5hEewIDAQABAoIBAQDl8Axy9XfW
    BLmkzkEiqoSwF0PsmVrPzH9Ks nwLGH+QZlvjWd8SWYGN7u1507HvhF5N3drJoVU3O14nDY4TFQAa
    LlJ9VM35AApXaLyY1ERrN7u9AL Kd2LUwYhM7Km539O4yUFYikE2nIPscEsA5ltpxOgUGCY7b7ez5
    NtD6nL1ZKauw7aNXmVAvmJTcuP xWmoktF3gDJKK2wxZuNGcJE0uFQEG4Z3BrWP7yoNuSK3dii2jm
    lpPHr0O/KnPQtzI3eguhe0TwUem/e YSdyzMyVx/YpwkzwtYL3sR5k0o9rKQLtvLzfAqdBxBurciz
    aaA/L0HIgAmOit1GJA2saMxTVPNh AoGBAPfgv1oeZxgxmotiCcMXFEQEWflzhWYTsXrhUIuz5jFu
    a39GLS99ZEErhLdrwj8rDDViRVJ5s kOp9zFvlYAHs0xh92ji1E7V/ysnKBfsMrPkk5KSKPrnjndM
    oPdevWnVkgJ5jxFuNgxkOLMuG9i53 B4yMvDTCRiIPMQ++N2iLDaRAoGBAO9v//mU8eVkQaoANf0Z
    oMjW8CN4xwWA2cSEIHkd9AfFkftuv8 oyLDCG3ZAf0vrhrrtkrfa7ef+AUb69DNggq4mHQAYBp7L+
    k5DKzJrKuO0r+R0YbY9pZD1+/g9dVt9 1d6LQNepUE/yY2PP5CNoFmjedpLHMOPFdVgqDzDFxU8hL
    AoGBANDrr7xAJbqBjHVwIzQ4To9pb4B NeqDndk5Qe7fT3+/H1njGaC0/rXE0Qb7q5ySgnsCb3DvA
    cJyRM9SJ7OKlGt0FMSdJD5KG0XPIpA VNwgpXXH5MDJg09KHeh0kXo+QA6viFBi21y340NonnEfdf
    54PX4ZGS/Xac1UK+pLkBB+zRAoGAf0 AY3H3qKS2lMEI4bzEFoHeK3G895pDaK3TFBVmD7fV0Zhov
    17fegFPMwOII8MisYm9ZfT2Z0s5Ro3s5r kt+nvLAdfC/PYPKzTLalpGSwomSNYJcB9HNMlmhkGzc
    1JnLYT4iyUyx6pcZBmCd8bD0iwY/FzcgN DaUmbX9+XDvRA0CgYEAkE7pIPlE71qvfJQgoA9em0gI
    LAuE4Pu13aKiJnfft7hIjbK+5kyb3TysZvoyD nb3HOKvInK7vXbKuU4ISgxB2bB3HcYzQMGsz1qJ
    2gG0N5hvJpzwwhbhXqFKA4zaaSrw622wD niAK5MlIE0tIAKKP4yxNGjoD2QYjhBGuhvkWKaXTyY=
    -----END RSA PRIVATE KEY-----

  14. Link to the source code and perl script by sheetzam · · Score: 4, Informative

    http://mafipulation.org/static/shairport-0.02.tar.gz. c source code and perl script included. Link still working as I post this.

    --
    "Actually, I enjoyed this in the same vague, horrible way I enjoyed the A-Team" P. Opus
  15. Re:Good guys? Really? by Squiggle · · Score: 5, Insightful

    You're pro-open source, so that makes you a "good guy"? I like chocolate, you like vanilla, ergo, I am good, you are bad.

    Does being pro-freedom make you a good guy? Does believing that everyone should have free access make you a good guy? Does helping your others make you a good guy?

    Free software ideology isn't about the end product, it isn't chocolate versus vanilla, it is about process and access: how do we choose what gets made, how do we make it, who gets to make it and who gets access to what has been made?

    --
    Complexity Happens
  16. What does it do? by the_other_chewey · · Score: 3, Interesting

    Could someone familiar with Apple stuff please explain
    what exactly this key is for?

    Why would a wifi AP need a secret key?

    1. Re:What does it do? by ceoyoyo · · Score: 5, Informative

      The Airport Express AP has an audio out jack. An iPhone, iPod Touch, iPad or iTunes can route music to that device. Unfortunately when it was introduced Apple decided to encrypt the stream so only Airport Expresses were valid receivers. Now anything that has a network connection and can run a program can be the receiver.

  17. Re:Slashdotter already by Fex303 · · Score: 4, Funny

    That's amazing! I've got the same combination on my luggage!

  18. Re:Slashdotter already by Shakrai · · Score: 5, Funny

    No one time pad. Less space than a TrueCrypt container. Lame.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  19. Re:Good guys? Really? by Hijacked+Public · · Score: 4, Insightful

    how do we choose what gets made

    By either making it yourself, or by purchasing something made by someone else only when it fits all your particular requirements.

    how do we make it, who gets to make it and who gets access to what has been made?

    If you truly value freedom, and not just freedom for you and those who agree with your particular worldview, you don't 'choose' those things. You allow people to be free to make whatever they like however they like and you react to those choices as above.

    Apple's products are Apple's right up to the point where they sell them to you. If they choose to not make the source code for their software available and sell it only as a compiled version, that is their choice. If they choose to offer only their own means on installing additional software, their choice.

    To argue they should be obligated differently is fine with me, but to cloak that under the guise of promoting 'freedom' is not.

    --
    "Sacrifice for the good of The State" - The State
  20. Re:Cue lawsuit in ... by jrumney · · Score: 5, Informative

    The DCMA has an exception for reverse engineering for compatibility. In this case, the private key is not protecting content, it is protecting Apple's monopoly on interoperating with iDevices in a particular way, so it was fair game.

  21. Re:and how many people use Airport? by snowraver1 · · Score: 3, Funny

    I replaced my wife with a laptop too! The sex has never been better!

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
  22. Getting iTunes to talk to remote speakers by martijnd · · Score: 4, Informative

    From: http://www.cocoadev.com/index.pl?AirTunesEncryption

    The Apple-Challenge / Apple-Response is iTunes' method to verify that it's talking to an Airport Express; it may be similar to the DAAP one which has been reverse-engineered. These headers are optional when talking to the Airport Express, so it's possible for other programs to talk to the Express but it'll be difficult to get iTunes to talk to something other than the Airport Express.

    Until we get the private key out of the AirPortExpress, it's not possible to convince iTunes to send anything to a non-AirPortExpress client (say, another computer pretending to be an AirPortExpress).

    Seems that problem has now been solved.

  23. Re:Slashdotter already by hey! · · Score: 5, Funny

    Thanks for that. One thing about getting older is that your memory doesn't dish up all the bits you need on time. So you end up having conversations like this:

    Me: Hahaha!
    Wife: What's so funny?
    Me: Look what this guy wrote: 'That's amazing! I've got the same combination on my luggage!' Haha!
    Wife: Why is that funny?
    Me [frowning]: I don't know.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  24. Re:Slashdotter already by capmilk · · Score: 4, Funny

    What the hell do you have in your luggage that needs THAT?!?

    An Airport Express Station.

  25. Look at the forest, not the trees by awtbfb · · Score: 3, Interesting

    Everyone is looking at the tree, not the forest. While everyone is going to jump on the "Apple did this to make money" argument, you know a major reason for this key was Apple's way of keeping content providers happy. Now that it's broken, there is a new "analog hole" for audio and video content. It is easy to imagine a computer using this to create a digital media file rather than routing to speakers. I suspect it won't be long before content providers pressure Apple into using secondary data to confirm iTunes is talking to a legit device.

    1. Re:Look at the forest, not the trees by PhunkySchtuff · · Score: 3, Interesting

      You can't stream video to an AirPort Express, so there's no new analog hole for video content.
      Even with protected audio content, you could still burn this to a CD as Red Book CDDA audio, which you could then freely "Rip, Mix, Burn" so it hasn't really enabled anything new for audio either.

      What it does allow for is replacing a dead AirPort Express with something more reliable. Those little fuckers (earlier models at least) had a very bad habit of just randomly dying, and usually after a bit more than one year old, conveniently out of warranty. The fault was 200V rated capacitors used in the power supply that were fine in a 110V supply area but eventually died when on 240V...

      --
      Specialist Mac support for creative pros, Melbourne
  26. Re:Slashdotter already by dgatwood · · Score: 3, Funny

    What is there to understand?

    His girlfriend was the director of programming for Fox and changed the time slot for House. This made her Airport Express mad at her, so it is withholding sex with her other wireless access point as punishment.

    I mean, jeez. How hard can it be to understand? Seems pretty straightforward to me.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  27. Re:Cue lawsuit in ... by Radium+Eyes · · Score: 3, Informative

    In this case, the private key is not protecting content

    It does protect content, somewhat—iTunes decrypts (and decompresses and recompresses as Apple Lossless) DRMed audio before sending it to an Airport Express. Emulating an Airport Express allows one to obtain the decrypted audio, though not in its original oompressed form; it's no more of a hole than burning to a CD.