Researchers Discover AirDrop Security Flaw That Could Expose Personal Data to Strangers
AirDrop is a feature that allows Apple devices to securely and conveniently transfer files, photos, and more between each other wirelessly. Users can share items with their own devices, friends, family, or even strangers. The convenience and ease of use, however, may be undermined by a newly discovered security flaw.
Researchers at TU Darmstadt have discovered that the process which AirDrop uses to find and verify someone is a contact on a receiver's phone can expose private information. AirDrop includes three modes; Receiving Off, Contacts Only, Everyone. The default setting is Contacts Only, which means only people within your address book can AirDrop photos, files, and more to your device.
The researchers discovered that the mutual authentication mechanism that confirms both the receiver and sender are on each other's address book could be used to expose private information. The researchers claim that a stranger can use the mechanism and its process within the range of an iOS or macOS device with the share panel open to obtain private information. As the researchers explain:
As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.
The discovered problems are rooted in Apple's use of hash functions for "obfuscating" the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.
To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user's phone number and email address with entries in the other user's address book.
According to the researchers, Apple was informed of the flaw in May of 2019, and despite several software updates since then, the flaw remains.
Related Stories
Apple today seeded second release candidate versions of iOS and iPadOS 14.6 to developers for testing purposes, with the new software coming five days after Apple seeded the first release candidates.
iOS and iPadOS 14.6 can be downloaded through the Apple Developer Center or over the air after the proper profile has been installed on an iPhone or iPad.
iOS and iPadOS 14.6 add support for A...
Following today's release of iOS 14.5.1 and last week's release of iOS 14.5, Apple has stopped signing iOS 14.4.2, the previously available version of iOS 14 released on March 26. With iOS 14.4.2 no longer being signed, it is not possible to downgrade to iOS 14.4.2 from iOS 14.5 or iOS 14.5.1 if you've already updated your iPhone or iPad.
Apple routinely stops signing older versions of...
Apple today seeded release candidate versions of iOS and iPadOS 14.6 to developers for testing purposes, with the new software coming one week after Apple seeded the third iOS and iPadOS 14.6 updates.
iOS and iPadOS 14.6 can be downloaded through the Apple Developer Center or over the air after the proper profile has been installed on an iPhone or iPad.
iOS and iPadOS 14.6 add support for ...
Developers need to look out for "XcodeSpy," a malicious Xcode project that installs a custom variant of the "EggShell" backdoor on a macOS computer, according to new research shared today by SentinelOne (via Ars Technica).
Xcode is software designed for developers who want to write apps for the iOS and macOS platforms, and the malicious project that's circulating mirrors TabBarInteraction, a ...
macOS Big Sur 11.4, which was released this morning, addresses a zero-day vulnerability that could allow attackers to piggyback off of apps like Zoom, taking secret screenshots and surrepetiously recording the screen.
Jamf, a mobile device management company, today highlighted a security issue that allowed Privacy preferences to be bypassed, providing an attacker with Full Disk Access,...
Apple today seeded the third betas of new iOS and iPadOS 14.6 updates to developers for testing purposes, one week after seeding the second iOS and iPadOS 14.6 updates.
iOS and iPadOS 14.6 can be downloaded through the Apple Developer Center or over the air after the proper profile has been installed on an iPhone or iPad.
iOS and iPadOS 14.6 appear to be more minor changes focusing on...
Twitter today announced it will begin rolling out a new application process for account verification, allowing for qualifying individuals like government officials, journalists, athletes, and recognizable brands to apply for verified status.
Verified accounts have a blue checkmark icon next to their Twitter name, helping people distinguish the authenticity of accounts that are of public...
At WWDC, Apple announced that iCloud is getting a premium subscription tier called "iCloud+," which includes "Private Relay" that allows users to browse the web through Safari with all information leaving their device remaining encrypted and access to "Hide My Email." One of the headlining features for iCloud+ is Private Relay, which, similarly to a VPN, ensures that all traffic leaving a...
Popular Stories
Apple is working on a number of new products that are set to launch this fall, and Bloomberg's Mark Gurman says that it will be "the widest array" of new devices that Apple has introduced in its history.
In his latest "Power On" newsletter, Gurman explains that Apple is working on four new flagship iPhones (iPhone 14, iPhone 14 Max, iPhone 14 Pro, and iPhone 14 Pro Max), an updated low-end Ma...
Apple has always emphasized the depth of thought that goes into the design of its products. In the foreword to Designed by Apple in California, a photo book released by the company in 2016, Jony Ive explains how Apple strives "to define objects that appear effortless" and "so simple, coherent and inevitable that there could be no rational alternative."
But every once in a while even Apple...
Three months after their launch, the 14-inch and 16-inch MacBook Pros continue to experience high demand and seemingly short supply, with shipping dates for both models stretching into multiple weeks in several of Apple's key markets.
In the United States, the baseline 14-inch MacBook Pro with the M1 Pro chip is estimated to ship in three to four weeks, promising an arrival by at least...
AT&T today announced the launch of upgraded AT&T Fiber plans, which support speeds of up to 5 Gigabits for some customers. There are two separate plans, one "2 GIG" plan and one "5 GIG" plan, available to new and existing AT&T Fiber subscribers.
According to AT&T, the new plans are available to nearly 5.2 million customers across 70 metro areas including Los Angeles, Atlanta, Chicago, San...
Apple's AirPods have been credited with saving a woman's life after a potentially fatal fall, People reports.
When a 60-year-old florist in New Jersey tripped and hit her head in her studio, she lost consciousness and awoke heavily bleeding. With nobody around to call for help, she realized she had her AirPods in, and used a "Hey Siri" command to call 911. An operator was able to stay on the ...
Apple's second-generation AirPods Pro could deliver higher fidelity audio than the AirPods Max over-ear headphones, despite being comparatively small in-ear buds, recent reports have suggested.
In a recent note to investors, seen by MacRumors, TF International Securities analyst Ming-Chi Kuo claimed that the second-generation AirPods Pro will offer improved audio quality thanks to support...
A number of developers are upset with an increasingly problematic iCloud server issue that is causing some apps that have implemented iCloud support to fail to sync properly.
As outlined on the Developer Forums and on Twitter, there are CloudKit connectivity issues that have been occurring since November. Some users of apps that have iCloud support built in are seeing the following message:...
As we roll into the latter half of January, we're starting to hear more about a potential spring Apple event, which is likely to take place in March or April. There are a number of potential announcements on deck, so an event would be a good opportunity for Apple to get them all out there.
We've also been going back and forth on some iPhone 14 rumors, and we've taken a look at a number of...
Top Rated Comments
AirDrop allows TWO different users logged into TWO devices under their own control to share data. Hence the need for authentication.
And the attack vector is super specific... a black hat *physically nearby* has to try to grab your data while you initiate the AirDrops (and I would guess most AirDrops are small things: a contact card, a photo, a doc... all which take seconds to transfer), and THEN brute force the hashes... for what? A bit of stolen PII?
Yes, it’s *possible* for someone to do this... but *probable*? Naahh. Which is why Apple hasn’t prioritized it. In risk management you have to prioritize the risks by probability and impact... this one is pretty low on both counts.
I do think the odds of someone brute forcing an airdrop in close
proximity to you in order to discover your phone number and email is pretty remote. One assumes that if they are going to all that effort to target you, they already know your name.
One question for the researchers: does this mean turning on “everyone” is more secure as no matching is attempted?