Apple’s AirDrop App Can Expose Your Phone Number and Email Address.
Apple’s AirDrop technology could leak users’ phone numbers and email addresses, according to researchers who said they had first informed Apple of the vulnerability in 2019. AirDrop is Apple’s proprietary wireless technology that is used to share files like photos and videos wirelessly via iOS. , iPadOS and macOS and was introduced in 2011. It uses Wi-Fi and Bluetooth to establish a wireless connection and exchange files. However, the mutual authentication mechanism used by AirDrop can be misused to steal a user’s phone number and email address. Also, read Zoom features a whole new look to your video calls.
Researchers at the Technical University of Darmstadt in Germany have discovered the vulnerability that could affect any Apple users who share files using AirDrop. The researchers found that the problem exists within the use of hash functions that exchange phone numbers and email addresses during the discovery process.
Although this is quite concerning, users are only affected in specific circumstances. For one thing, anyone who has set their reception setting to Everyone is at risk. But other than that, even if you have your setting set to Off or Contacts Only, if you have your sharing sheet open with AirDrop (where your device is looking for other devices to connect with) you are at risk, according to the researchers.
Apple uses the novel SHA-256 hash functions to encrypt the phone number and email address of the user accessing AirDrop. Although a novice could not convert the hashes to clear text, the researchers found that an attacker who has a Wi-Fi-enabled device and is in physical proximity can initiate a process to decrypt the encryption.
The group of researchers consisting of five experts from the university’s Secure Mobile Networks Laboratory (SEEMOO) and the Cryptography and Privacy Engineering Group (ENCRYPTO) detailed the vulnerability in a paper.
Based on the details provided in the document, there are two specific ways to exploit the flaws. The attacker could, in one case, gain access to the user’s details once they are nearby and open the share sheet or share menu on their iPhone, iPad, or Mac. However, in the second case, the attacker could open a share sheet or share menu on your devices, and then search for a nearby device to perform a mutual authentication handshake with a responding recipient.
The second case is only valid if the user has set the discovery of their devices in AirDrop to All. This is not as broad as the first case where someone trying to share a file through an Apple device could be attacked.
In addition to detailing the flaws, researchers have developed a solution called “PrivateDrop” that uses cryptographic private set intersection protocols to process the exchange between two users without exchanging vulnerable hash values.
The researchers also said in a statement who privately informed Apple of the AirDrop flaw in May 2019, though the company did not acknowledge the issue and responded.
AirDrop exists as a preloaded service on more than 1.5 billion Apple devices that are allegedly vulnerable due to the flaw discovered by researchers. Apple did not respond to a comment on whether it is fixing the issue at the time of filing the story.
This is not the first time that AirDrop has been found to have a security problem. In August 2019, the service was noted to have an issue that could allow attackers to access information about phone status, battery information, Wi-Fi status, buffer availability, and system version. operational. At the time, AirDrop was also shown to send partial SHA256 hashes of the phone number, Apple ID, and email addresses. The company also did not respond to that finding.
That said until the issues are officially fixed, Apple users can avoid being caught by an attacker via AirDrop simply by turning it off when they are not using the function.
She is a freelance blogger, writer, and speaker, and writes for various entertainment magazines.