Researchers Discover AirDrop Security Flaw That Could Expose Personal Data to Strangers

AirDrop is a feature that allows Apple devices to securely and conveniently transfer files, photos, and more between each other wirelessly. Users can share items with their own devices, friends, family, or even strangers. The convenience and ease of use, however, may be undermined by a newly discovered security flaw.

airdrop logo
Researchers at TU Darmstadt have discovered that the process which AirDrop uses to find and verify someone is a contact on a receiver's phone can expose private information. AirDrop includes three modes; Receiving Off, Contacts Only, Everyone. The default setting is Contacts Only, which means only people within your address book can AirDrop photos, files, and more to your device.

The researchers discovered that the mutual authentication mechanism that confirms both the receiver and sender are on each other's address book could be used to expose private information. The researchers claim that a stranger can use the mechanism and its process within the range of an iOS or macOS device with the share panel open to obtain private information. As the researchers explain:

As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.

The discovered problems are rooted in Apple's use of hash functions for "obfuscating" the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.

To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user's phone number and email address with entries in the other user's address book.

According to the researchers, Apple was informed of the flaw in May of 2019, and despite several software updates since then, the flaw remains.

Tag: AirDrop

Popular Stories

iPhone 17 Pro Lower Logo Feature 1

iPhone 17 Pro Coming Soon With These 14 New Features

Monday June 30, 2025 1:08 pm PDT by
Apple's next-generation iPhone 17 Pro and iPhone 17 Pro Max are less than three months away, and there are plenty of rumors about the devices. Apple is expected to launch the iPhone 17, iPhone 17 Air, iPhone 17 Pro, and iPhone 17 Pro Max in September this year. Below, we recap key changes rumored for the iPhone 17 Pro models:Aluminum frame: iPhone 17 Pro models are rumored to have an...
A18 Pro Chip

New MacBook With A18 Pro Chip Spotted in Apple Code

Monday June 30, 2025 8:05 am PDT by
Apple is developing a MacBook with the A18 Pro chip, according to findings in backend code uncovered by MacRumors. Earlier today, Apple analyst Ming-Chi Kuo reported that Apple is planning to launch a low-cost MacBook powered by an iPhone chip. The machine is expected to feature a 13-inch display, the A18 Pro chip, and color options that include silver, blue, pink, and yellow. MacRumors...
iPhone Car Key WWDC 2025

Apple Announces 13 Automakers Planning to Offer iPhone Car Keys

Friday June 27, 2025 11:42 am PDT by
In 2020, Apple added a digital car key feature to its Wallet app, allowing users to lock, unlock, and start a compatible vehicle with an iPhone or Apple Watch. The feature is currently offered by select automakers, including Audi, BMW, Hyundai, Kia, Genesis, Mercedes-Benz, Volvo, and a handful of others, and it is set to expand further. During its WWDC 2025 keynote, Apple said that 13...
maxresdefault

Five Features Coming to AirPods Pro 3

Friday June 27, 2025 10:52 am PDT by
Apple hasn't updated the AirPods Pro since 2022, and the earbuds are due for a refresh. We're counting on a new model this year, and we've seen several hints of new AirPods tucked away in Apple's code. Rumors suggest that Apple has some exciting new features planned that will make it worthwhile to upgrade to the latest model. Subscribe to the MacRumors YouTube channel for more videos. Heal...
macbook air spacegray purple

Apple Planning to Launch Low-Cost MacBook Powered By iPhone Chip

Monday June 30, 2025 3:20 am PDT by
Apple is planning to launch a low-cost MacBook powered by an iPhone chip, according to Apple analyst Ming-Chi Kuo. In an article published on X, Kuo explained that the device will feature a 13-inch display and the A18 Pro chip, making it the first Mac powered by an iPhone chip. The A18 Pro chip debuted in the iPhone 16 Pro last year. To date, all Apple silicon Macs have contained M-series...
anker power bank recall

PSA: Anker Recalls Multiple Power Banks Due to Fire Risk

Friday June 27, 2025 4:16 pm PDT by
Popular accessory maker Anker this month launched two separate recalls for its power banks, some of which may be a fire risk. The first recall affects Anker PowerCore 10000 Power Banks sold between June 1, 2016 and December 31, 2022 in the United States. Anker says that these power banks have a "potential issue" with the battery inside, which can lead to overheating, melting of plastic...
Chase Sapphire Reserve Apple Perk Feature

Chase Sapphire Reserve Card Introduces New Perk for Apple Customers

Wednesday June 25, 2025 2:08 pm PDT by
Chase this week announced a series of new perks for its premium Sapphire Reserve credit card, and one of them is for a pair of Apple services. Specifically, the credit card now offers complimentary annual subscriptions to Apple TV+ and Apple Music, a value of up to $250 per year. If you are already paying for Apple TV+ and/or Apple Music directly through Apple, those subscriptions will...
replay all time playlist apple music

Apple Music Debuts All-New Personalized Playlist

Monday June 30, 2025 7:16 am PDT by
As part of its 10-year celebrations of Apple Music, Apple today released an all-new personalized playlist that collates your entire listening history. The playlist, called "Replay All Time," expands on Apple Music's existing Replay features. Previously, users could only see their top songs for each individual calendar year that they've been subscribed to Apple Music, but now, Replay All...

Top Rated Comments

Apple_Robert Avatar
55 months ago
This is not good. If Apple was in fact informed specifically about this vulnerability in 2019, I take umbrage with Apple not having taken the proper steps to secure AirDrop.
Score: 12 Votes (Like | Disagree)
dannyyankou Avatar
55 months ago

According to the researchers, Apple was informed of the flaw in May of 2019, and despite several software updates since then, the flaw remains. We've reached out to Apple for comment and will update this article if we hear back.
I’m sure now that they made this public, Apple will move with more urgency. Apple is usually better fixing security flaws, I’m disappointed.
Score: 9 Votes (Like | Disagree)
Unregistered 4U Avatar
55 months ago

And that is the SIMPLE process. Why is this even news?
Because there’s really very little “security” news that’s even worth reporting, but the researchers still need attention and validation. But, their reports are of the sort that remind me my home has a security hole in that my chimney provides access to my house once you tear down the external facing wall. However, very few people are concerned by or will do anything about this vulnerability. My garage door? COMPLETELY vulnerable to a brute force attack by a tank. Why won’t garage door manufacturers DO anything about this?
Score: 8 Votes (Like | Disagree)
Unregistered 4U Avatar
55 months ago

Yeah that doesn’t sound great. I wonder how many bad actors there actually are out there taking advantage of this loophole though?

Even though this obviously needs to be patched, does anyone seriously believe that any "bad actor" is going to go through this much work so he can sit in a Starbucks and steal someone's phone number? :)
No :) Folks need to remember that their life REALLY isn’t actually all that interesting, anyone interested IN their information is not going to waste time on an AirDrop brute force hack. If they are THAT close and REAAAAAALLLLY want your information, they can readily get access to it using one of the devices below.


Attachment Image
Score: 8 Votes (Like | Disagree)
13astion Avatar
55 months ago

This is not good. If Apple was in fact informed specifically about this vulnerability in 2019, I take umbrage with Apple not having taken the proper steps to secure Handoff.
It’s AirDrop, not Handoff. The latter is used by ONE user to transfer control or data between multiple devices that are already in their control (and logged into).

AirDrop allows TWO different users logged into TWO devices under their own control to share data. Hence the need for authentication.

And the attack vector is super specific... a black hat *physically nearby* has to try to grab your data while you initiate the AirDrops (and I would guess most AirDrops are small things: a contact card, a photo, a doc... all which take seconds to transfer), and THEN brute force the hashes... for what? A bit of stolen PII?

Yes, it’s *possible* for someone to do this... but *probable*? Naahh. Which is why Apple hasn’t prioritized it. In risk management you have to prioritize the risks by probability and impact... this one is pretty low on both counts.
Score: 7 Votes (Like | Disagree)
ikramerica Avatar
55 months ago

Namely, their email address and telephone number. Not their bank account data, not their social security number. Notice how they obfuscate “PRIVATE DATA OOOH SCARY” from what’s actually shared.

There is a VERY VERY good chance that your “private data” in this case is already on a list some ne’er do well purchased last month… and they didn’t even have to be within AirDrop range to get it! Next they’ll be reporting that
“Folks can gain access to your email address by ASKING you for it. If you fall for the exploit and provide them with your email address THEY WILL HAVE IT!! We reached out to Apple asking if they plan to stop providing email addresses so that people aren’t able to leak them and they looked at us funny and shooed us away.”
I am pretty sure you can get all that juicy data by putting a name in a google search. Plus home address, previous addresses, criminal record, etc.

I do think the odds of someone brute forcing an airdrop in close
proximity to you in order to discover your phone number and email is pretty remote. One assumes that if they are going to all that effort to target you, they already know your name.

One question for the researchers: does this mean turning on “everyone” is more secure as no matching is attempted?
Score: 7 Votes (Like | Disagree)