seemoo-lab / opendrop

An open Apple AirDrop implementation written in Python
https://owlink.org
GNU General Public License v3.0

Empty plistlib.loads(response_bytes) #68

Open etr450b opened 3 years ago

etr450b commented 3 years ago

Hi, I wanted to try the PoC which leaks phone numbers. After following the instructions and extracting the certificates, I was able to identify devices that are in contacts only (but in my contacts) and extract their number, but not the ones that are not in my contacts. When I try to run python3 -m opendrop find on those devices, I get:

2021-05-17 17:15:15,764 DEBUG opendrop.client: /Discover request successful
{'ReceiverComputerName': 'MacBook Pro of Joe'}
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 954, in _bootstrap_inner
    self.run()
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 892, in run
    self._target(*self._args, **self._kwargs)
  File "/phone-number-opendrop/opendrop/opendrop/cli.py", line 152, in _send_discover
    receiver_name = client.send_discover()
  File "/phone-number-opendrop/opendrop/opendrop/client.py", line 148, in send_discover
    validation_record = response["ReceiverRecordData"]
KeyError: 'ReceiverRecordData'

I modified the script to output the response (plistlib.loads(response_bytes)) but only get the ReceiverComputerName and nothing else.

Is there an issue with my certificates? How can I fix this error?

Kindly

schmittner commented 3 years ago

This PoC (part 2) only works for devices that have the attacker as a contact.

etr450b commented 3 years ago

A workaround would be to spoof a fake number that the victim should have in their contacts (e.g. voicemail...) or to try every existing number (as a sender), but that would require a lot of time, am I right?

schmittner commented 3 years ago

No, that does not work, as the receiver will check the contact identifiers in your Apple-signed certificate. And you have to prove ownership of the phone number or email address to Apple before they are included in your certificate.

acheong08 commented 3 years ago

Thanks for the info. Had the same problem here.