Researchers Discover AirDrop Security Flaw That Could Expose Personal Data to Strangers
AirDrop is a feature that allows Apple devices to securely and conveniently transfer files, photos, and more between each other wirelessly. Users can share items with their own devices, friends, family, or even strangers. The convenience and ease of use, however, may be undermined by a newly discovered security flaw.
Researchers at TU Darmstadt have discovered that the process which AirDrop uses to find and verify someone is a contact on a receiver's phone can expose private information. AirDrop includes three modes; Receiving Off, Contacts Only, Everyone. The default setting is Contacts Only, which means only people within your address book can AirDrop photos, files, and more to your device.
The researchers discovered that the mutual authentication mechanism that confirms both the receiver and sender are on each other's address book could be used to expose private information. The researchers claim that a stranger can use the mechanism and its process within the range of an iOS or macOS device with the share panel open to obtain private information. As the researchers explain:
As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.
The discovered problems are rooted in Apple's use of hash functions for "obfuscating" the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.
To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user's phone number and email address with entries in the other user's address book.
According to the researchers, Apple was informed of the flaw in May of 2019, and despite several software updates since then, the flaw remains.
Related Stories
Apple today seeded second release candidate versions of iOS and iPadOS 14.6 to developers for testing purposes, with the new software coming five days after Apple seeded the first release candidates.
iOS and iPadOS 14.6 can be downloaded through the Apple Developer Center or over the air after the proper profile has been installed on an iPhone or iPad.
iOS and iPadOS 14.6 add support for A...
Following today's release of iOS 14.5.1 and last week's release of iOS 14.5, Apple has stopped signing iOS 14.4.2, the previously available version of iOS 14 released on March 26. With iOS 14.4.2 no longer being signed, it is not possible to downgrade to iOS 14.4.2 from iOS 14.5 or iOS 14.5.1 if you've already updated your iPhone or iPad.
Apple routinely stops signing older versions of...
Apple today seeded release candidate versions of iOS and iPadOS 14.6 to developers for testing purposes, with the new software coming one week after Apple seeded the third iOS and iPadOS 14.6 updates.
iOS and iPadOS 14.6 can be downloaded through the Apple Developer Center or over the air after the proper profile has been installed on an iPhone or iPad.
iOS and iPadOS 14.6 add support for ...
Developers need to look out for "XcodeSpy," a malicious Xcode project that installs a custom variant of the "EggShell" backdoor on a macOS computer, according to new research shared today by SentinelOne (via Ars Technica).
Xcode is software designed for developers who want to write apps for the iOS and macOS platforms, and the malicious project that's circulating mirrors TabBarInteraction, a ...
macOS Big Sur 11.4, which was released this morning, addresses a zero-day vulnerability that could allow attackers to piggyback off of apps like Zoom, taking secret screenshots and surrepetiously recording the screen.
Jamf, a mobile device management company, today highlighted a security issue that allowed Privacy preferences to be bypassed, providing an attacker with Full Disk Access,...
Apple today seeded the third betas of new iOS and iPadOS 14.6 updates to developers for testing purposes, one week after seeding the second iOS and iPadOS 14.6 updates.
iOS and iPadOS 14.6 can be downloaded through the Apple Developer Center or over the air after the proper profile has been installed on an iPhone or iPad.
iOS and iPadOS 14.6 appear to be more minor changes focusing on...
Twitter today announced it will begin rolling out a new application process for account verification, allowing for qualifying individuals like government officials, journalists, athletes, and recognizable brands to apply for verified status.
Verified accounts have a blue checkmark icon next to their Twitter name, helping people distinguish the authenticity of accounts that are of public...
At WWDC, Apple announced that iCloud is getting a premium subscription tier called "iCloud+," which includes "Private Relay" that allows users to browse the web through Safari with all information leaving their device remaining encrypted and access to "Hide My Email." One of the headlining features for iCloud+ is Private Relay, which, similarly to a VPN, ensures that all traffic leaving a...
Popular Stories
Continuing the tradition set with the iPhone 13 Pro, only the highest-end iPhone 14 models will feature Apple's ProMotion display technology, according to a respected display analyst.
Ross Young, who on multiple occasions has detailed accurate information about Apple's future products, said in a tweet that ProMotion will not be expanded to the entire iPhone 14 lineup and will remain...
Apple's second-generation AirPods Pro could arrive alongside a new series of accessories, recent leaked images suggest.
Alleged leaked photos of the next-generation AirPods Pro obtained by MacRumors showed a charging case with a metal loop on the side for attaching a strap. Apple has not used this design for any of its other AirPod models and it is unclear why it would be added in this...
Much has been said about what consumers could see from Apple in 2022, but the company is also working on a handful of rumored products that aren't expected to be unveiled for at least another 12 months, and in some cases a lot longer. Of course, that's assuming they get released at all. Apple works on many potential products some of which ultimately never see the light of day. With that in...
A bug in WebKit's implementation of a JavaScript API called IndexedDB can reveal your recent browsing history and even your identity, according to a blog post shared on Friday by browser fingerprinting service FingerprintJS.
In a nutshell, the bug allows any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites during a user's browsing session....
Apple is planning to release a fifth-generation iPad Air with similar features as the sixth-generation iPad mini, including an A15 Bionic chip, 12-megapixel Ultra Wide front camera with Center Stage support, 5G for cellular models, and Quad-LED True Tone flash, according to Japanese blog Mac Otakara.
Citing reliables sources in China, the report claims that the new iPad Air could be...
Netflix today updated the prices for its streaming plans, and all of its offerings are now more expensive. The Basic plan is now priced at $9.99 per month, the Standard plan is priced at $15.49 per month, and the Premium plan is priced at $19.99 per month.
The Basic plan is $1 more expensive, up from $8.99 per month. This plan allows users to watch on just one screen at a time, and it limits ...
Hole-punch? Pill? Hole-punch and pill? Rumors about what the front camera system on the iPhone 14 Pro will look like are evolving rapidly, and it now appears we might be getting a novel but potentially controversial design later this year.
Other major stories this week included some confusion and controversy about iCloud Private Relay being disabled for some T-Mobile customers, increasing...
Apple is rumored to announce four new iPhone 14 models in September, and ahead of time, analyst Jeff Pu has outlined his expectations for the devices.
In a research note with Haitong International Securities, obtained by MacRumors, Pu claimed that all iPhone 14 models will feature ProMotion displays, compared to only Pro models currently. ProMotion enables a variable refresh rate up to 120Hz ...
Top Rated Comments
AirDrop allows TWO different users logged into TWO devices under their own control to share data. Hence the need for authentication.
And the attack vector is super specific... a black hat *physically nearby* has to try to grab your data while you initiate the AirDrops (and I would guess most AirDrops are small things: a contact card, a photo, a doc... all which take seconds to transfer), and THEN brute force the hashes... for what? A bit of stolen PII?
Yes, it’s *possible* for someone to do this... but *probable*? Naahh. Which is why Apple hasn’t prioritized it. In risk management you have to prioritize the risks by probability and impact... this one is pretty low on both counts.
I do think the odds of someone brute forcing an airdrop in close
proximity to you in order to discover your phone number and email is pretty remote. One assumes that if they are going to all that effort to target you, they already know your name.
One question for the researchers: does this mean turning on “everyone” is more secure as no matching is attempted?