Apple’s AirDrop feature is a convenient way to share files between the company’s devices, but security researchers at the Darmstadt University of Technology (TU Darmstadt) in Germany caution that it can share more than just files.
The researchers say a stranger can learn the phone number and email address of any nearby AirDrop user. All an attacker needs is a Wi-Fi-capable device within physical range of the victim; opening the AirDrop sharing panel on an iOS or macOS device is enough to trigger the exchange. And according to the findings, a victim who has AirDrop enabled does not need to start or accept a transfer to be exposed.
The problem lies in AirDrop’s “Contacts only” setting. To decide whether a nearby user is in your contacts, the researchers explain, AirDrop uses a “mutual authentication mechanism” that compares the user’s phone number and email address against the other device’s contact list. Apple does not send those identifiers in the clear; it sends hashes of them. The problem is that the hash can be reversed with “simple techniques, such as brute force attacks”: a phone number has so few possible values that an attacker can hash every candidate and compare each result with the captured value. The research as reported does not say exactly how much computing power is needed to reverse Apple’s hashes, but for a phone number the search space is small enough that the cost is not a meaningful barrier.
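The following is an added example, not code from the article or from the TU Darmstadt researchers, showing why an exchanged hash of a phone number or email address is not a protection. It assumes the identifier is hashed with plain, unsalted SHA-256 (the article does not name the hash; that is an assumption of this example), and all numbers and addresses in it are constructed samples. The brute force below enumerates only the last four digits of a number whose prefix is already known, to keep it quick; the comments extrapolate to the full ten-digit space.

```python
import hashlib
import itertools
import time


def hash_identifier(identifier: str) -> str:
    """Hex SHA-256 of the identifier.

    Assumption for this example: unsalted, unkeyed hashing, so the same
    phone number or email always produces the same hash. Anyone who can
    guess the input can therefore confirm the guess against the hash.
    """
    return hashlib.sha256(identifier.encode()).hexdigest()


def brute_force_phone(target_hash: str, prefix: str, unknown_digits: int):
    """Recover a phone number from its hash by trying every number that
    starts with `prefix` followed by `unknown_digits` more digits.

    Returns the matching number, or None if nothing in the range matches.
    """
    for tail in itertools.product("0123456789", repeat=unknown_digits):
        candidate = prefix + "".join(tail)
        if hash_identifier(candidate) == target_hash:
            return candidate
    return None


def brute_force_email(target_hash: str, local_parts, domains):
    """Dictionary attack for email addresses: every local part against
    every domain. Email has more entropy than a phone number, but most
    real addresses are built from names and a handful of big providers.
    """
    for local in local_parts:
        for domain in domains:
            candidate = f"{local}@{domain}"
            if hash_identifier(candidate) == target_hash:
                return candidate
    return None


def measure_rate(samples: int = 20000) -> float:
    """Hashes per second for this single-threaded Python loop, used only
    to put the size of the full phone-number space into perspective."""
    start = time.perf_counter()
    for i in range(samples):
        hash_identifier(f"+1415555{i:04d}")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    victim_number = "+14155550123"          # constructed sample, not a real number
    victim_email = "alice@example.com"      # constructed sample
    observed = hash_identifier(victim_number)
    print("hash seen on the air:", observed)
    print("recovered number:", brute_force_phone(observed, "+1415555", 4))
    print("recovered email:", brute_force_email(
        hash_identifier(victim_email),
        ["bob", "alice", "carol"],
        ["example.org", "example.com"]))
    rate = measure_rate()
    full_space = 10 ** 10                   # every 10-digit number in one country
    print(f"{rate:,.0f} hashes/s in pure Python; the full space of "
          f"{full_space:,} numbers takes roughly {full_space / rate / 3600:.0f} h here, "
          "and a GPU hash cracker is several orders of magnitude faster.")
```

Note that salting would not help here: both devices would need the same salt to compare hashes, so the salt would be public and the brute force would simply include it. Hiding the identifier from a guessing attacker needs a protocol in which nothing on the wire can be checked against a guess, which is the direction the researchers’ proposed replacement takes.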
A security flaw does not by itself mean a company is doing a poor job. Independent researchers uncover vulnerabilities all the time, and most major technology companies have a process for receiving reports, fixing the bugs and then disclosing them; often we only learn about a flaw after it has been fixed. What is concerning in this case is that the TU Darmstadt researchers say they reported this privacy vulnerability to Apple in May 2019, almost two years ago, and that so far Apple “has not acknowledged the problem or stated that they are working on a solution.” By the researchers’ count, that leaves 1.5 billion Apple devices exposed to this flaw.
This is all the more concerning because the researchers say they also gave Apple a possible fix, which they call “PrivateDrop.” The article offers little detail, but PrivateDrop relies on a cryptographic protocol that does not depend on exchanging reversible hashes. The researchers say it lets everyone keep the convenience of AirDrop, with an authentication delay of “much less than a second.”
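To illustrate what “a protocol that does not exchange vulnerable hashes” can look like, here is an added example, not code from the article or from the PrivateDrop authors, of a textbook Diffie-Hellman style private set intersection (PSI). The article does not describe PrivateDrop’s actual protocol, so this is an assumption about the general approach rather than a description of it. Each side blinds its hashed identifiers with a secret exponent before sending them; only the side that started the exchange learns which entries are in both contact lists, and a passive observer who hashes guesses (as in the earlier brute-force example) finds nothing to match. The group is a toy, a 127-bit Mersenne prime chosen only so the example runs on plain Python integers; a real deployment would use a standardised elliptic-curve or MODP group. All identifiers are constructed samples.

```python
import hashlib
import secrets

# Toy group modulus: 2^127 - 1 (a Mersenne prime). Assumption of this example
# only; it is far too small for real use and is here to keep the arithmetic plain.
P = (1 << 127) - 1


def hash_to_group(identifier: str) -> int:
    """Map an identifier to a non-trivial element of Z_P*."""
    h = int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big") % P
    return h if h > 1 else 2      # 0 and 1 would be fixed points under exponentiation


def random_exponent() -> int:
    """Per-session secret exponent in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


def blind(identifiers, secret: int):
    """H(x)^secret mod P for each identifier: this is what goes on the wire.
    Without `secret`, a guess of x cannot be checked against these values."""
    return [pow(hash_to_group(x), secret, P) for x in identifiers]


def reblind(values, secret: int):
    """Raise already-blinded values to a second secret, giving H(x)^(a*b).
    Exponentiation commutes, so both sides reach the same value for a shared x."""
    return [pow(v, secret, P) for v in values]


def private_set_intersection(sender_ids, receiver_ids):
    """Run the exchange and return (what the sender learns, the wire transcript).

    The 'sender' plays the device that opened the share sheet; the 'receiver'
    plays the nearby device deciding whether the sender is in its contacts.
    The sender learns exactly which of its entries the receiver also holds;
    the receiver learns only the set sizes.
    """
    a, b = random_exponent(), random_exponent()

    # message 1, sender -> receiver: H(x)^a for every sender identifier
    msg1 = blind(sender_ids, a)

    # message 2, receiver -> sender: H(x)^(ab) in the same order, plus H(y)^b
    msg2_reblinded = reblind(msg1, b)
    msg2_receiver = blind(receiver_ids, b)

    # sender finishes: computes H(y)^(ab) and matches it against H(x)^(ab)
    receiver_ab = set(reblind(msg2_receiver, a))
    common = [x for x, v in zip(sender_ids, msg2_reblinded) if v in receiver_ab]

    transcript = msg1 + msg2_reblinded + msg2_receiver
    return common, transcript


def eavesdropper_guess(transcript, candidates):
    """What a brute-forcing observer would try: hash each candidate identifier
    and look for it in the captured traffic. Against blinded values this
    returns nothing, because every wire value carries an unknown exponent."""
    guesses = {hash_to_group(c) for c in candidates}
    return [v for v in transcript if v in guesses]


if __name__ == "__main__":
    my_contacts = ["+14155550123", "alice@example.com", "+14155559999"]
    their_contacts = ["+14155550123", "bob@example.org"]
    common, wire = private_set_intersection(my_contacts, their_contacts)
    print("sender learns shared entries:", common)
    print("observer recovers from the transcript:",
          eavesdropper_guess(wire, my_contacts + their_contacts))
```

The design point is that the brute-force check from the plain-hash design has nothing to bite on: every value on the wire is H(x) raised to a fresh secret, and recovering x from H(x)^a is a discrete-logarithm problem rather than a hash enumeration. What PSI does not do by itself is stop an active peer from probing with guessed contact sets of its own, so a real deployment still needs rate limiting or a similar brake on repeated sessions.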
Apple deserves credit for its commitment to consumer privacy and device security (see, for example, its App Store privacy labels, the privacy changes in iOS 14.5, and the Secure Enclave in its SoCs). But the researchers say that if you don’t want to take chances, the only remedy right now is to turn AirDrop off in your device’s settings (on iOS, Settings > General > AirDrop > Receiving Off) and not to open the AirDrop sharing panel.