Security researchers found a flaw with Apple’s AirDrop software that could expose personal information, but claim Apple hasn’t addressed the problem despite knowing about it since 2019.
Researchers at TU Darmstadt discovered that the process AirDrop uses to verify users can also expose personal information. AirDrop, if you haven’t used it, is a wireless communication technology used by Apple devices like iPhones and MacBooks to share files between devices.
AirDrop has three main ‘discovery’ settings that determine who can AirDrop you. Users can set AirDrop receiving to ‘off’ if they don’t want to receive files, ‘Everyone’ if they want to allow anyone nearby to send them files, or ‘Contacts only,’ which restricts AirDrop functionality to people in your address book. That last mode is the default setting and also the one with the security flaw.
The researchers found that the verification mechanism that checks to see if both the sender and receiver are in each other’s address books could expose information like phone numbers and email addresses.
“The discovered problems are rooted in Apple’s use of hash functions for ‘obfuscating’ the exchanged phone numbers and email addresses during the discovery process,” the researchers explained in a blog post.
“However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.”
In other words, AirDrop uses a ‘hash function’ to disguise a user’s phone number and email address and then sends the result to another device to verify whether the information is in that device’s address book. But that process can be easily reversed to reveal the phone number and email address.
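To see why an unkeyed hash does not hide a phone number, the following added example (not code from the researchers or Apple) measures how little entropy a phone number carries and recovers a constructed number from its digest. SHA-256, the function names, the sample number and the hash rate are assumptions made for illustration.

```python
import hashlib
import math


def obfuscate(phone: str) -> str:
    """Unkeyed hash of a normalized phone number (SHA-256 is an assumption)."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return hashlib.sha256(digits.encode()).hexdigest()


def entropy_bits(unknown_digits: int) -> float:
    """Upper bound on the secrecy of a number with this many unknown digits."""
    return unknown_digits * math.log2(10)


def seconds_to_exhaust(unknown_digits: int, hashes_per_second: float) -> float:
    """Worst-case time to hash every candidate at an assumed hash rate."""
    return 10 ** unknown_digits / hashes_per_second


def recover(target: str, known_prefix: str, unknown_digits: int):
    """Hash every candidate under known_prefix; return the match or None."""
    for n in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{n:0{unknown_digits}d}"
        if obfuscate(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed number in the fictional 555-01xx range. Only the last four
    # digits are treated as unknown so the demonstration finishes instantly.
    secret = "+1 202 555 0147"
    digest = obfuscate(secret)
    print("digest:   ", digest)
    print("recovered:", recover(digest, "1202555", 4))

    # A full 10-digit national number carries about 33 bits, regardless of
    # the 256-bit length of the digest that is sent over the air.
    print(f"entropy:   {entropy_bits(10):.1f} bits")
    print(f"exhausted: {seconds_to_exhaust(10, 1e7):.0f} s at an assumed 1e7 hashes/s")
```

The digest length is irrelevant here: the privacy of the value is bounded by the size of the input space, which for phone numbers is small enough to enumerate.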
Further, the researchers claim that an attacker only needs a few things to obtain this information: a Wi-Fi capable device, physical proximity to the target and for the target to initiate the discovery process by opening the sharing pane on an iOS or macOS device.
Worse, the researchers say they notified Apple about the vulnerability in May 2019 via responsible disclosure, but that Apple has not yet acknowledged the problem or indicated that it is working on a solution. Additionally, the researchers shared that they created a version of AirDrop dubbed ‘PrivateDrop’ that fixes the issue without significantly impacting AirDrop performance.
If you’re concerned about your information, the researchers note that you can protect yourself by disabling AirDrop (Settings > General > AirDrop > Select ‘Receiving Off’) or by avoiding opening the iOS share menu.