Homekit Attacks: Phantom Device Injection | AIMF Security

🔐 Case Study: Homekit Attacks & Phantom Devices

Phantom Device Injection — rapportd DoS Vulnerability

Educational data flow diagrams for research discussion on how a phantom device was injected into an iCloud account, triggering an 8-day denial-of-service attack on macOS.

⚠️ UNPATCHED 📄 Hana Omori 🔍 CCPA Pending

1. Normal iCloud Device Authentication Flow

┌──────────────────────────┐      ┌──────────────────────────┐      ┌──────────────────────────┐
│                          │      │                          │      │                          │
│   USER'S DEVICE           │      │   APPLE ID AUTH SERVER   │      │   ICLOUD ACCOUNT         │
│                          │      │                          │      │                          │
└────────────┬─────────────┘      └────────────┬─────────────┘      └────────────┬─────────────┘
             │                                  │                                  │
             │                                  │                                  │
             │  1. Login with Apple ID + 2FA    │                                  │
             │ ────────────────────────────────►│                                  │
             │                                  │                                  │
             │                                  │  2. Verify credentials           │
             │                                  │ ────────────────────────────────►│
             │                                  │                                  │
             │                                  │  3. Add device to trusted list  │
             │                                  │ ◄────────────────────────────────│
             │                                  │                                  │
             │  4. Device now in Find My        │                                  │
             │ ◄────────────────────────────────│                                  │
             │                                  │                                  │

How device authentication should work: User initiates, 2FA required, device added with user's naming convention

🔐 Key Points

User initiates — Authentication starts from the user's device
2FA required — New devices must pass two-factor authentication
Correct naming — Device added with user's naming convention (lowercase "hana's")

2. Suspected Attack Flow (Phantom Device Injection)

┌────────────────────┐   ┌────────────────────┐   ┌────────────────────┐   ┌────────────────────┐
│                    │   │                    │   │                    │   │                    │
│   ATTACKER         │   │   VICTIM'S PHONE   │   │   APPLE ID AUTH    │   │   ICLOUD ACCOUNT   │
│                    │   │                    │   │                    │   │                    │
└─────────┬──────────┘   └─────────┬──────────┘   └─────────┬──────────┘   └─────────┬──────────┘
          │                        │                        │                        │
          │                        │                        │                        │
          │  1. Intercept via Stingray/Bluetooth            │                        │
          │ ─────────────────────► │                        │                        │
          │                        │                        │                        │
          │                        │                        │                        │
          │  2. Extract auth tokens/session                  │                        │
          │ ◄───────────────────── │                        │                        │
          │                        │                        │                        │
          │                        │                        │                        │
          │  3. Replay auth with phantom device details                              │
          │ ─────────────────────────────────────────────────────────────────────────►│
          │                        │                        │                        │
          │                        │                        │                        │
          │  4. Phantom device added: "Hana's" (not "hana's")                        │
          │                        │                        │ ◄──────────────────────│
          │                        │                        │                        │

Attacker intercepts via Stingray/Bluetooth, extracts tokens, replays auth with phantom device

🔴 Key Evidence

Wrong capitalization — Attacker used "Hana's" but victim uses "hana's"
Pixel correlation — Google Pixel 7 Pro briefly online Jan 25 — same day as estimated injection
No 2FA prompt — Victim never received a two-factor authentication request

3. rapportd DoS Loop (The Bug)

┌─────────────────────────────────────────────────────────────────────────────────────────────────┐
│                                        VICTIM'S MAC                                            │
├─────────────────────────────────────────────────────────────────────────────────────────────────┤
│                                                                                                 │
│   ┌────────────────────┐       ┌────────────────────┐       ┌────────────────────────────┐     │
│   │                    │       │                    │       │                            │     │
│   │   ICLOUD SYNC       │──────►│   RAPPORTD DAEMON   │──────►│   PHANTOM: "Hana's MBP"   │     │
│   │                    │       │                    │       │                            │     │
│   └────────────────────┘       └─────────┬──────────┘       └──────────────┬─────────────┘     │
│                                          │                                 │                   │
│                                          │                                 │                   │
│                                          │  Try to connect                │                   │
│                                          │ ───────────────────────────────►│                   │
│                                          │                                 │                   │
│                                          │  ❌ UNREACHABLE                 │                   │
│                                          │ ◄───────────────────────────────│                   │
│                                          │                                 │                   │
│                                          │  ⚠️ NO BACKOFF - Retry NOW      │                   │
│                                          │ ───────────────────────────────►│                   │
│                                          │                                 │                   │
│                                          │  ❌ UNREACHABLE                 │                   │
│                                          │ ◄───────────────────────────────│                   │
│                                          │                                 │                   │
│                                          │  ♾️ INFINITE LOOP               │                   │
│                                          │  (8 days, 141,575 errors)       │                   │
│                                          │                                 │                   │
└─────────────────────────────────────────────────────────────────────────────────────────────────┘

The bug: rapportd has no exponential backoff or timeout — it retries forever

⚠️ The Vulnerability

No backoff — Immediate retry with no delay between attempts
No maximum — No limit on retry attempts
No timeout — Loops indefinitely until device is removed

Result: 8 days of DoS, 141,575 errors, 70x amplification

4. Evidence Destruction Flow

┌──────────────────────────────┐                              ┌──────────────────────────────┐
│                              │                              │                              │
│   VICTIM REMOVES PHANTOM      │                              │   ATTACKER MONITORING?        │
│                              │                              │                              │
└──────────────┬───────────────┘                              └──────────────┬───────────────┘
               │                                                             │
               │                                                             │
               │  23:37:00 - Remove phantom device from iCloud            │
               │ ───────────────────────────────────────────────────────────►│
               │                                                             │
               │  23:37:46 - Network disruption begins (46 sec later)       │
               │ ◄───────────────────────────────────────────────────────────│
               │                                                             │
               │  23:38:09 - Socket flows failed                           │
               │                                                             │
               │  23:38:22 - iCloud connection lost                        │
               │                                                             │
               │  23:38:48 - VPN tunnel stopped                            │
               │                                                             │
               │  ~23:40 - SYSTEM CRASH                                    │
               │  ════════════════════════════════════════════               │
               │  ❌ Logs from 23:37-23:40 DESTROYED                       │
               │  ❌ 30-day retention gap at this window                   │
               │  ❌ No forensic evidence of auth method                   │
               │                                                             │

Suspicious timing: Network disruption began 46 seconds after phantom removal

⏱️ Timeline of Destruction

Time	Event
23:37:00	Victim removes phantom device
23:37:46	Network disruption begins
23:38:09	Socket flows failed
23:38:22	iCloud connection lost
23:38:48	VPN tunnel stopped
~23:40	System crash — logs destroyed

Result: 30-day log retention shows gap exactly at resolution window.

5. OpenID Connect (OIDC) Attack Surface

┌─────────────────────────────────────────────────────────────────────────────────────────────────┐
│                                   OIDC AUTHENTICATION FLOW                                      │
└─────────────────────────────────────────────────────────────────────────────────────────────────┘

     ┌────────────────────────┐      ┌────────────────────────┐      ┌────────────────────────┐
     │                        │      │                        │      │                        │
     │   USER AGENT           │      │   RELYING PARTY         │      │   IDENTITY PROVIDER    │
     │   (Browser)            │      │   (App)                 │      │   (Apple / Google)     │
     │                        │      │                        │      │                        │
     └───────────┬────────────┘      └───────────┬────────────┘      └───────────┬────────────┘
                 │                               │                               │
                 │  1. Login request             │                               │
                 │ ─────────────────────────────►│                               │
                 │                               │                               │
                 │  2. Redirect to IdP           │                               │
                 │ ◄─────────────────────────────│                               │
                 │                               │                               │
                 │  3. Authenticate with IdP                                     │
                 │ ─────────────────────────────────────────────────────────────►│
                 │                               │                               │
                 │  4. ID Token (JWT)                                            │
                 │ ◄─────────────────────────────────────────────────────────────│
                 │                               │                               │
                 │  5. Token to RP               │                               │
                 │ ─────────────────────────────►│                               │
                 │                               │                               │
                 │                               │  6. Validate token           │
                 │                               │ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ►│
                 │                               │                               │

⚠️ VULNERABILITY POINTS:
┌─────────────────────────────────────────────────────────────────────────────────────────────────┐
│  • Token confusion: Relying party accepts token from wrong issuer                            │
│  • Mutable ID: Using email instead of stable `sub` claim                                     │
│  • Discovery attack: Trusting attacker-controlled metadata                                   │
│  • Session hijack: Stolen tokens replayed for device authentication                          │
└─────────────────────────────────────────────────────────────────────────────────────────────────┘

Both Apple and Google use OIDC — vulnerabilities in implementation can create cross-platform attack surfaces

🔗 Common OIDC Vulnerabilities

Token confusion — Relying party accepts token from wrong issuer
Mutable ID — Using email instead of stable sub claim
Discovery attack — Trusting attacker-controlled metadata
Session hijack — Stolen tokens replayed for device auth

6. Attack Timeline Visualization

Jan 25                                                                                    Feb 2
  │                                                                                         │
  ▼                                                                                         ▼
  ┌─────────────────────────────────────────────────────────────────────────────────────────┐
  │                                    8-DAY DoS WINDOW                                      │
  │                                                                                         │
  │   Pixel         Phantom           rapportd loop              Find My       Remove     │
  │   online        injected          ════════════════════      enabled       device     │
  │     │             │                      │                       │            │       │
  │     ▼             ▼                      ▼                       ▼            ▼       │
  │   11:49        ~12:00             141,575 errors              23:23        23:37     │
  │    AM                               70x baseline                                       │
  └─────────────────────────────────────────────────────────────────────────────────────────┘
                                              │
                                              ▼
                                    ┌─────────────────────┐
                                    │  LOOP STOPPED        │
                                    │  IMMEDIATELY         │
                                    └─────────────────────┘
                                              │
                                              ▼
                                    ┌─────────────────────┐
                                    │  46 sec later:       │
                                    │  Network attack      │
                                    │  + System crash      │
                                    └─────────────────────┘

8-day DoS window: Jan 25 (injection) → Feb 2 (removal) → Loop stopped instantly

📅 Key Moments

Date/Time	Event
Jan 25, 11:49 AM	Pixel 7 Pro briefly online
~Jan 25, 12:00	Phantom device injected
Jan 25 - Feb 2	141,575 rapportd errors (70x baseline)
Feb 2, 23:23	Find My Mac enabled — phantom discovered
Feb 2, 23:37	Phantom removed — loop stopped instantly

7. What We Need From Apple (CCPA Request)

┌─────────────────────────────────────────────────────────────────────────────────────────────────┐
│                                      CCPA DATA REQUEST                                         │
├─────────────────────────────────────────────────────────────────────────────────────────────────┤
│                                                                                                 │
│   REQUESTED DATA:                                                                              │
│   ┌─────────────────────────────────────────────────────────────────────────────────────────┐  │
│   │  • Device addition logs for "Hana's MacBook Pro"                                         │  │
│   │  • IP address used to add the device                                                     │  │
│   │  • Authentication method (was 2FA bypassed?)                                             │  │
│   │  • Session details (device/browser/API used)                                             │  │
│   │  • Account access logs Jan 1 - Feb 6, 2026                                               │  │
│   └─────────────────────────────────────────────────────────────────────────────────────────┘  │
│                                                                                                 │
│   DEADLINE: March 23, 2026 (45 days)                                                           │
│                                                                                                 │
│   IF DATA SHOWS:                                                                               │
│   ┌─────────────────────────────────────────────────────────────────────────────────────────┐  │
│   │  IP ≠ victim's known IPs      →   PROVES unauthorized access                            │  │
│   │  No 2FA in logs               →   PROVES bypass/compromise                              │  │
│   │  Device/browser mismatch      →   PROVES attacker fingerprint                           │  │
│   └─────────────────────────────────────────────────────────────────────────────────────────┘  │
│                                                                                                 │
└─────────────────────────────────────────────────────────────────────────────────────────────────┘

Apple's server logs can prove unauthorized access — awaiting CCPA response by March 23, 2026

📋 Requested Data

Device addition logs for "Hana's MacBook Pro"
IP address used to add the device
Authentication method (was 2FA bypassed?)
Session details (device/browser/API used)
Account access logs Jan 1 - Feb 6, 2026

What This Could Prove

IP ≠ victim's known IPs → Proves unauthorized access
No 2FA in logs → Proves bypass/compromise
Device/browser mismatch → Proves attacker fingerprint

Summary

Diagram	Key Insight
1. Normal Auth Flow	User initiates, 2FA required, correct naming
2. Attack Flow	Attacker intercepts, bypasses 2FA, wrong capitalization
3. rapportd Loop	No backoff = infinite DoS from phantom device
4. Evidence Destruction	Crash 46 sec after removal destroyed logs
5. OIDC Surface	Shared auth layer creates cross-platform risks
6. Timeline	8 days of DoS, stopped instantly on removal
7. CCPA Request	Apple's logs can prove unauthorized access

📚 Related Resources

Quick Links

Case Studies

Video Library

Defense Guides

About AIMF

About