Apple’s AirDrop Vulnerability Can Leak User Details to Anyone in Proximity: Researchers

Apple is said to have known of the vulnerability since May 2019.

Advertisement
By Jagmeet Singh | Updated: 26 April 2021 19:31 IST
Highlights
  • AirDrop exchanges phone numbers and email addresses of users
  • The service uses hash functions for the details
  • Researchers found that the user details exchanged can easily be decrypted

Apple’s AirDrop is available preloaded on the iPhone, iPad, and the Mac since 2011

Apple's AirDrop technology could leak users' phone numbers and email addresses, according to researchers who said that they had first informed Apple of the vulnerability in 2019. AirDrop is Apple's proprietary wireless technology that is used for sharing files such as photos and videos wireless across iOS, iPadOS, and macOS devices and was introduced in 2011. It uses both Wi-Fi and Bluetooth to establish a wireless connection and exchange files. The mutual authentication mechanism used by AirDrop can, however, be misused to steal the phone number and email address of a user.

Researchers from Germany's Technical University of Darmstadt has found the vulnerability that could impact any of the Apple users who share files using AirDrop. The researchers found that the problem exists within the use of hash functions that exchange phone numbers and email addresses during the discovery process.

Advertisement

Although this is quite concerning, users are only affected in specific circumstances. For one thing, anyone who has set their receive settings to Everyone is at risk. But other than that, even if you have your settings set to Off or Contacts Only, if you have your share sheet open with AirDrop (where your device is looking for other devices to connect) are at risk, according to the researchers.

Apple uses the novel SHA-256 hash functions to encrypt the phone number and email address of the user accessing AirDrop. Although the hashes couldn't be converted into the cleartext by a novice, the researchers found that an attacker who has a Wi-Fi-enabled device and is in physical proximity can initiate a process to decrypt the encryption.

The researchers group that consists of five experts from the university's Secure Mobile Networking (SEEMOO) lab and the Cryptography and Privacy Engineering Group (ENCRYPTO) detailed the vulnerability in a paper.

As per the details provided in the paper, there are two specific ways to exploit the flaws. The attacker could, in one case, gain access to the user details once they are in proximity and open the share sheet or share menu on their iPhone, iPad, or Mac. However, in the second case, the attacker could open a share sheet or share menu on their devices and then look for a nearby device to perform a mutual authentication handshake with a responding receiver.

Advertisement

The second case is only valid if the user has set the discovery of their devices on AirDrop to Everybody. This is not as wide as the first case where someone who's trying to share a file over an Apple device could be attacked.

In addition to detailing the flaws, the researchers have developed a solution called “PrivateDrop” that uses cryptographic private set intersection protocols to process sharing between two users without exchanging vulnerable hash values.

Advertisement

The researchers also said in a statement that they privately informed Apple about the AirDrop flaw in May 2019, though the company didn't acknowledge the issue and replied back.

AirDrop exists as a preloaded service on more than 1.5 billion Apple devices that all allegedly stand vulnerable due to the flaw discovered by the researchers. Apple didn't respond to a comment on whether it is fixing the problem at the time of filing the story.

Advertisement

This is not notably the first time when AirDrop is found to have a security issue. The service in August 2019 was noticed to have a problem that could allow attackers to access information about the phone status, battery information, Wi-Fi status, buffer availability, and OS version. At that time, AirDrop was also shown to send partial SHA256 hashes of phone number, Apple ID, and email addresses. The company did not respond to that finding as well.

That said, until the issues receive official fixes, Apple users can avoid getting caught by an attacker through AirDrop simply by turning it off when they are not using the feature.


We dive into all things Apple — iPad Pro, iMac, Apple TV 4K, and AirTag — this week on Orbital, the Gadgets 360 podcast. Orbital is available on Apple Podcasts, Google Podcasts, Spotify, and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.
 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement
Popular Mobile Brands
  1. Flipkart GOAT Sale: Top Early Deals on Smartphones, Tablets and More
  2. Nokia 235 4G (2026), 215 4G (2026) Launched; Nokia 210 4G, 200 4G Tag Along
  3. Amazon Prime Day 2026 Sale Is Live: Best Tech Deals
  4. Best Offers on Echo Devices, Alexa Speakers in Amazon Prime Day Sale 2026
  5. Huion's 2026 India Lineup Defines Next-Gen Creativity
  6. Asus Vivobook 15 (2026) Launched in India Ahead of Amazon, Flipkart Sale Events
  7. Vivo X500 Camera Details Surface Online After X500 Pro Max Leaks
  8. Best Mobiles Under Rs. 30,000 in India
  1. Cyberpunk 2077 Has Sold 40 Million Copies, CD Projekt Red Confirms
  2. Nothing Phone 1 Receives Final Software Update With Latest Security Patches, Bug Fixes and Improvements
  3. Nokia 235 4G (2026), 215 4G (2026) Launched Alongside Nokia 210 4G, and 200 4G With AI Assistant Button
  4. Samsung Galaxy S27 Ultra Battery Details Leaked; Could Top iPhone 18 Pro Max's Battery Capacity
  5. OnePlus Ace 7 Series Tipped to Feature 185Hz Display, 9,000mAh Battery
  6. WhatsApp Rolls Out Primary Device Support on iPad, Tests New Setup Screen for Android Tablets: Report
  7. Government Directs App Stores to Remove Malicious Apps Used to Disrupt E-Rickshaw Operations: Report
  8. Sony Reportedly Restructures Disc Factory After Announcing End of Physical Game Discs on PlayStation
  9. Maharashtra Legislature Passes Amendment to Bring Virtual Digital Assets Under Depositor Protection Law
  10. Redmi 17 5G NCC, SIRIM Certification Listings Reportedly Reveal Battery and Charging Details
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.