Researchers Discover AirDrop Security Flaw That Could Expose Personal Data to Strangers

AirDrop is a feature that allows Apple devices to securely and conveniently transfer files, photos, and more between each other wirelessly. Users can share items with their own devices, friends, family, or even strangers. The convenience and ease of use, however, may be undermined by a newly discovered security flaw.

airdrop logo
Researchers at TU Darmstadt have discovered that the process which AirDrop uses to find and verify someone is a contact on a receiver's phone can expose private information. AirDrop includes three modes; Receiving Off, Contacts Only, Everyone. The default setting is Contacts Only, which means only people within your address book can AirDrop photos, files, and more to your device.

The researchers discovered that the mutual authentication mechanism that confirms both the receiver and sender are on each other's address book could be used to expose private information. The researchers claim that a stranger can use the mechanism and its process within the range of an iOS or macOS device with the share panel open to obtain private information. As the researchers explain:

As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.

The discovered problems are rooted in Apple's use of hash functions for "obfuscating" the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.

To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user's phone number and email address with entries in the other user's address book.

According to the researchers, Apple was informed of the flaw in May of 2019, and despite several software updates since then, the flaw remains.

Tag: AirDrop

Popular Stories

Mayday Calendar

Apple Acquisition Hints at Upgraded Calendar App on iOS 19 or Beyond

Friday May 9, 2025 9:13 am PDT by
Apple acquired Canadian startup Mayday Labs in April 2024, according to a European Commission listing, spotted by French blog MacGeneration. The acquisition had not received widespread attention from tech publications until now. Apple is legally required to report certain acquisitions to the European Commission, under the terms of the EU's Digital Markets Act. Mayday Labs founder Jeremy...
Nineth iOS 19 Feature

iOS 19 Beta is a Month Away With These New Features for Your iPhone

Thursday May 8, 2025 7:37 am PDT by
The first iOS 19 beta is just one month away, and there are already many new features and changes that are expected with it. Apple should seed the first iOS 19 beta to developers immediately following the WWDC 2025 keynote, which is scheduled for Monday, June 9. Following beta testing, the update should be released to the general public in September. Below, we recap the key iOS 19 rumors...
fortnite apple featured

Epic Games Submits Fortnite to U.S. App Store

Friday May 9, 2025 9:57 am PDT by
As promised, Epic Games today submitted Fortnite to the U.S. App Store, and if approved by Apple, it will mark the first time that the Fortnite app has been available in the United States since 2020. Fortnite will include options to purchase in-app currency from the web rather than through in-app purchase, which is what got the game banned to begin with. This time, though, Apple has been...
iOS 18

Here Are Apple's Full iOS 18.5 Release Notes

Tuesday May 6, 2025 2:17 pm PDT by
Apple today seeded the release candidate version of iOS 18.5 to developers and public beta testers, giving us a look at the final version of the update that will be provided to the public next week. With the release candidate, Apple provided release notes, so we have a more complete look at the new features that are included in the update, including those that weren't found during the beta...
top stories 2025 05 10

Top Stories: iOS 18.5 Release Imminent, iPhone Rumors for 2025 and Beyond, and More

Saturday May 10, 2025 6:00 am PDT by
With Apple's developer conference where it will show off iOS 19 just a month away, the company is wrapping up work on iOS 18.5 ahead of an imminent release to deliver a few new features and updates. This week also saw a number of iPhone-related rumors, encompassing not only this year's iPhone 17 lineup but also Apple's plans for 2026 and 2027, even as Apple's Eddy Cue suggested AI could make ...
AirPods Pro 3 Mock Feature

AirPods Pro 3 Just Months Away – Here's What We Know

Tuesday April 29, 2025 1:30 am PDT by
Despite being more than two years old, Apple's AirPods Pro 2 still dominate the premium wireless‑earbud space, thanks to a potent mix of top‑tier audio, class‑leading noise cancellation, and Apple's habit of delivering major new features through software updates. With AirPods Pro 3 widely expected to arrive in 2025, prospective buyers now face a familiar dilemma: snap up the proven...
Foldable iPhone 2023 Feature Homescreen

Apple's Foldable iPhone Display Tech May Set New Industry Standard

Thursday May 8, 2025 3:29 am PDT by
Apple's upcoming foldable iPhone will feature a new type of display panel developed by Samsung that has never been used in a foldable product, claims a source with links to Apple's supply chain. According to the account yeux1122 on the Korean Naver blog, the foldable iPhone will use a custom display process for which Apple will hold branding trademark rights, and that meets Apple's stringent ...

Top Rated Comments

Apple_Robert Avatar
53 months ago
This is not good. If Apple was in fact informed specifically about this vulnerability in 2019, I take umbrage with Apple not having taken the proper steps to secure AirDrop.
Score: 12 Votes (Like | Disagree)
dannyyankou Avatar
53 months ago

According to the researchers, Apple was informed of the flaw in May of 2019, and despite several software updates since then, the flaw remains. We've reached out to Apple for comment and will update this article if we hear back.
I’m sure now that they made this public, Apple will move with more urgency. Apple is usually better fixing security flaws, I’m disappointed.
Score: 9 Votes (Like | Disagree)
Unregistered 4U Avatar
53 months ago

And that is the SIMPLE process. Why is this even news?
Because there’s really very little “security” news that’s even worth reporting, but the researchers still need attention and validation. But, their reports are of the sort that remind me my home has a security hole in that my chimney provides access to my house once you tear down the external facing wall. However, very few people are concerned by or will do anything about this vulnerability. My garage door? COMPLETELY vulnerable to a brute force attack by a tank. Why won’t garage door manufacturers DO anything about this?
Score: 8 Votes (Like | Disagree)
Unregistered 4U Avatar
53 months ago

Yeah that doesn’t sound great. I wonder how many bad actors there actually are out there taking advantage of this loophole though?

Even though this obviously needs to be patched, does anyone seriously believe that any "bad actor" is going to go through this much work so he can sit in a Starbucks and steal someone's phone number? :)
No :) Folks need to remember that their life REALLY isn’t actually all that interesting, anyone interested IN their information is not going to waste time on an AirDrop brute force hack. If they are THAT close and REAAAAAALLLLY want your information, they can readily get access to it using one of the devices below.


Attachment Image
Score: 8 Votes (Like | Disagree)
13astion Avatar
53 months ago

This is not good. If Apple was in fact informed specifically about this vulnerability in 2019, I take umbrage with Apple not having taken the proper steps to secure Handoff.
It’s AirDrop, not Handoff. The latter is used by ONE user to transfer control or data between multiple devices that are already in their control (and logged into).

AirDrop allows TWO different users logged into TWO devices under their own control to share data. Hence the need for authentication.

And the attack vector is super specific... a black hat *physically nearby* has to try to grab your data while you initiate the AirDrops (and I would guess most AirDrops are small things: a contact card, a photo, a doc... all which take seconds to transfer), and THEN brute force the hashes... for what? A bit of stolen PII?

Yes, it’s *possible* for someone to do this... but *probable*? Naahh. Which is why Apple hasn’t prioritized it. In risk management you have to prioritize the risks by probability and impact... this one is pretty low on both counts.
Score: 7 Votes (Like | Disagree)
ikramerica Avatar
53 months ago

Namely, their email address and telephone number. Not their bank account data, not their social security number. Notice how they obfuscate “PRIVATE DATA OOOH SCARY” from what’s actually shared.

There is a VERY VERY good chance that your “private data” in this case is already on a list some ne’er do well purchased last month… and they didn’t even have to be within AirDrop range to get it! Next they’ll be reporting that
“Folks can gain access to your email address by ASKING you for it. If you fall for the exploit and provide them with your email address THEY WILL HAVE IT!! We reached out to Apple asking if they plan to stop providing email addresses so that people aren’t able to leak them and they looked at us funny and shooed us away.”
I am pretty sure you can get all that juicy data by putting a name in a google search. Plus home address, previous addresses, criminal record, etc.

I do think the odds of someone brute forcing an airdrop in close
proximity to you in order to discover your phone number and email is pretty remote. One assumes that if they are going to all that effort to target you, they already know your name.

One question for the researchers: does this mean turning on “everyone” is more secure as no matching is attempted?
Score: 7 Votes (Like | Disagree)