According to researchers who said they first informed Apple of the vulnerability in 2019, Apple’s AirDrop technology could leak users’ phone numbers and email addresses. AirDrop, introduced in 2011, is Apple’s proprietary wireless technology that allows files such as photos and videos to be shared across iOS, iPadOS and macOS devices. It uses both Wi-Fi and Bluetooth to connect and share files. However, the mutual authentication mechanism used by AirDrop can be abused to steal a user’s phone number and email address.
Researchers at the Technical University of Darmstadt found the vulnerability, which can affect all Apple users who share files with AirDrop. The researchers found that the problem lies in the use of hash functions to exchange phone numbers and email addresses during the discovery process.
While this is very worrying, it only affects users in certain circumstances. Anyone who has set their receiving setting to Everyone is at risk. That said, even if you’ve set it to Off or Contacts Only, you are at risk if you’ve opened your Share Sheet with AirDrop (where your device looks for other devices to connect to).
Apple uses SHA-256 hash functions to obscure the phone number and email address of the user accessing AirDrop. Although a novice could not convert the hashes to clear text, the researchers found that an attacker who has a Wi-Fi-enabled device and is physically nearby could initiate a process to recover the original values.
The research group, which consists of five experts from the University’s Secure Mobile Networking Lab (SEEMOO) and the Cryptography and Privacy Engineering Group (ENCRYPTO), has described the vulnerability in detail in a paper.
According to the details in this paper, there are two specific ways to exploit the flaws. In the first case, the attacker could gain access to a user’s details once the attacker is nearby and the user opens the sharing sheet or menu on their iPhone, iPad, or Mac. In the second case, the attacker could open a sharing sheet or menu on their own device and then search for a nearby device to perform the mutual authentication handshake with a responding recipient.
The second case applies only if the user has set their device’s discoverability in AirDrop to Everyone. It is narrower than the first case, in which anyone who tries to share a file through an Apple device could be attacked.
In addition to detailing the flaws, the researchers developed a solution called “PrivateDrop,” which uses cryptographic private set intersection protocols to handle sharing between two users without exchanging vulnerable hash values.
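To make the idea of private set intersection concrete, here is an added example that is not from the researchers or from PrivateDrop: a textbook Diffie-Hellman-style intersection with both roles run in one process. The toy group modulus, the function names and the sample identifiers are assumptions constructed for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only: integers modulo the prime 2**255 - 19.
# A real deployment would use a vetted prime-order elliptic-curve group.
P = 2**255 - 19


def hash_to_group(identifier: str) -> int:
    """Map a contact identifier to a non-zero element modulo P."""
    digest = hashlib.sha256(identifier.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def new_secret() -> int:
    """Fresh random exponent in [2, P-2], generated once per session."""
    return secrets.randbelow(P - 3) + 2


def blind(items, secret):
    """Raise each hashed identifier to the caller's secret exponent."""
    return [pow(hash_to_group(item), secret, P) for item in items]


def reblind(blinded, secret):
    """Apply a second exponent to values already blinded by the peer."""
    return [pow(value, secret, P) for value in blinded]


def private_intersection(sender_ids, receiver_contacts):
    """Return the sender identifiers that appear in the receiver's contacts."""
    a, b = new_secret(), new_secret()
    # Message 1 (sender -> receiver): H(x)^a for each sender identifier.
    msg1 = blind(sender_ids, a)
    # Message 2 (receiver -> sender): (H(x)^a)^b in the same order,
    # plus H(y)^b for every address-book entry.
    msg2_double = reblind(msg1, b)
    msg2_contacts = blind(receiver_contacts, b)
    # Sender finishes: (H(y)^b)^a equals (H(x)^a)^b exactly when x == y.
    contact_tags = set(reblind(msg2_contacts, a))
    return [x for x, tag in zip(sender_ids, msg2_double) if tag in contact_tags]


if __name__ == "__main__":
    # Constructed sample data (fictional number and example.com addresses).
    sender = ["+15555550100", "alice@example.com"]
    contacts = ["bob@example.com", "+15555550100", "carol@example.com"]
    print(private_intersection(sender, contacts))
```

Unlike a plain SHA-256 hash, every value on the wire depends on a secret exponent that changes each session, so an eavesdropper cannot test guessed phone numbers against it offline.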
The researchers also said in a statement that they privately informed Apple of the AirDrop bug in May 2019, but the company did not acknowledge the problem or respond.
AirDrop is a pre-installed service on more than 1.5 billion Apple devices, all of which are said to be vulnerable due to the bug the researchers discovered. Apple had not responded to a request for comment on whether the issue has been resolved by the time this story was filed.
This is not the first time a security issue has been identified in AirDrop. In August 2019, an issue with the service was identified through which attackers could access information about phone status, battery information, Wi-Fi status, buffer availability and the operating system version. At that point, AirDrop was also shown to be partially sending SHA256 hashes of the phone number, Apple ID, and email addresses. The company did not respond to that finding either.
However, until the issues are officially resolved, Apple users can avoid being targeted by an attacker via AirDrop by simply disabling it when they are not using the feature.