Apple's AirDrop technology could leak users' phone numbers and email addresses, according to researchers who said that they had first informed Apple of the vulnerability in 2019. AirDrop is Apple's proprietary wireless technology that is used for sharing files such as photos and videos wireless across iOS, iPadOS, and macOS devices and was introduced in 2011. It uses both Wi-Fi and Bluetooth to establish a wireless connection and exchange files. The mutual authentication mechanism used by AirDrop can, however, be misused to steal the phone number and email address of a user.
Researchers from Germany's Technical University of Darmstadt has found the vulnerability that could impact any of the Apple users who share files using AirDrop. The researchers found that the problem exists within the use of hash functions that exchange phone numbers and email addresses during the discovery process.
Although this is quite concerning, users are only affected in specific circumstances. For one thing, anyone who has set their receive settings to Everyone is at risk. But other than that, even if you have your settings set to Off or Contacts Only, if you have your share sheet open with AirDrop (where your device is looking for other devices to connect) are at risk, according to the researchers.
Apple uses the novel SHA-256 hash functions to encrypt the phone number and email address of the user accessing AirDrop. Although the hashes couldn't be converted into the cleartext by a novice, the researchers found that an attacker who has a Wi-Fi-enabled device and is in physical proximity can initiate a process to decrypt the encryption.
The researchers group that consists of five experts from the university's Secure Mobile Networking (SEEMOO) lab and the Cryptography and Privacy Engineering Group (ENCRYPTO) detailed the vulnerability in a paper.
As per the details provided in the paper, there are two specific ways to exploit the flaws. The attacker could, in one case, gain access to the user details once they are in proximity and open the share sheet or share menu on their iPhone, iPad, or Mac. However, in the second case, the attacker could open a share sheet or share menu on their devices and then look for a nearby device to perform a mutual authentication handshake with a responding receiver.
The second case is only valid if the user has set the discovery of their devices on AirDrop to Everybody. This is not as wide as the first case where someone who's trying to share a file over an Apple device could be attacked.
In addition to detailing the flaws, the researchers have developed a solution called “PrivateDrop” that uses cryptographic private set intersection protocols to process sharing between two users without exchanging vulnerable hash values.
The researchers also said in a statement that they privately informed Apple about the AirDrop flaw in May 2019, though the company didn't acknowledge the issue and replied back.
AirDrop exists as a preloaded service on more than 1.5 billion Apple devices that all allegedly stand vulnerable due to the flaw discovered by the researchers. Apple didn't respond to a comment on whether it is fixing the problem at the time of filing the story.
This is not notably the first time when AirDrop is found to have a security issue. The service in August 2019 was noticed to have a problem that could allow attackers to access information about the phone status, battery information, Wi-Fi status, buffer availability, and OS version. At that time, AirDrop was also shown to send partial SHA256 hashes of phone number, Apple ID, and email addresses. The company did not respond to that finding as well.
That said, until the issues receive official fixes, Apple users can avoid getting caught by an attacker through AirDrop simply by turning it off when they are not using the feature.