ToothPicker: Apple Picking in the iOS Bluetooth Stack


Dennis Heinze, TU Darmstadt, Secure Mobile Networking Lab and ERNW GmbH; Jiska Classen and Matthias Hollick, TU Darmstadt, Secure Mobile Networking Lab


Bluetooth enables basic communication prior to pairing as well as low-energy information exchange with multiple devices. The Apple ecosystem is extensively using Bluetooth for coordination tasks that run in the background and enable seamless device handover. To this end, Apple established proprietary protocols. Since their implementation is closed-source and over-the-air fuzzers are very limited, these protocols are largely unexplored and not publicly tested for security. In this paper, we summarize the current state of Apple's Bluetooth protocols. Based on this, we build the iOS in-process fuzzer ToothPicker and evaluate the implementation security of these protocols. We find a zero-click Remote Code Execution (RCE) that was fixed in iOS 13.5 and simple crashes.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {257184,
author = {Dennis Heinze and Jiska Classen and Matthias Hollick},
title = {ToothPicker: Apple Picking in the iOS Bluetooth Stack},
booktitle = {14th {USENIX} Workshop on Offensive Technologies ({WOOT} 20)},
year = {2020},
url = {},
publisher = {{USENIX} Association},
month = aug,

Presentation Video