Apple’s AirDrop feature is a convenient way to share files between the company’s devices, but security researchers from Technische Universitat Darmstadt in Germany are warning that you might be sharing way more than just a file.
According to the researchers, it’s possible for strangers to discover the phone number and email of any nearby AirDrop user. All a bad actor needs is a device with wifi and to be physically close by. They can then simply open up the AirDrop sharing pane on an iOS or macOS device. If you have the feature enabled, it doesn’t even require you to initiate or engage with any sharing to be at risk, according to their findings.
The problem is rooted in AirDrop’s “Contacts Only” option. The researchers say that in order to suss out whether an AirDrop user is in your contacts, it uses a “mutual authentication mechanism” to cross-reference whether that user’s phone number and email with another’s contacts list. Now, Apple isn’t just doing that willy nilly. It does use encryption for this exchange. The problem is that the hash Apple uses is apparently easily cracked using “simple techniques such as brute-force attacks.” It is not clear from the research what level of computing power would be necessary to brute-force the hashes Apple uses.
Security flaws aren’t necessarily a sign that a company is bad at what it does. Independent security researchers find vulnerabilities all the time and most major tech companies have a system in place where these flaws can be reported, fixed, and then disclosed. Many times, we don’t hear about these security risks until after a company’s already fixed it. The troubling thing, in this case, is that the TU researchers say they told Apple about this privacy flaw in May 2019. That’s nearly two years ago and so far, Apple has “neither acknowledged the problem nor indicated that they are working on a solution.” This, according to the researchers, means 1.5 billion Apple gadgets could still be vulnerable to this specific flaw.
That’s doubly concerning given that the TU researchers said they also presented Apple with a possible solution dubbed “PrivateDrop.” While they didn’t provide a ton of details, the researchers said PrivateDrop is based on cryptographic protocols that don’t rely on exchanging vulnerable hash values. Supposedly, this would maintain the convenience everyone loves about AirDrop, with an authentication delay of “well below one second.”
Gizmodo reached out to Apple for comment but did not immediately receive a response.
Apple is vocal about how it’s dedicated to consumer privacy and the security of its devices. (See: the forthcoming privacy labels in iOS 14.5, secure enclave on its SoCs, and more.) But the researchers say, if you don’t want to be at risk, the only solution right now is to disable AirDrop discovery in System Settings and refrain from opening the AirDrop sharing pane.