Apple AirDrop users reportedly vulnerable to security flaw

iPhone users with AirDrop enabled may unknowingly expose certain personal information to a complete stranger. In a report released last week, researchers at the Department of Computer Science at the University of Darmstadt in Germany revealed their discovery of a security hole in Apple’s AirDrop.

Utilized by many iPhone users, AirDrop allows you to share a file with someone else simply by sending it that person’s device. As implemented by Apple, AirDrop appears to have a flaw in the way it checks whether or not you’re in the other person’s contact list.

AirDrop offers three different settings from which to choose:

1. Receiving Off: The feature is disabled
2. Contacts Only: People can receive files only from those in their contact list
3. Everyone: People can exchange a file with any other iPhone or iPad user

SEE: How to migrate to a new iPad, iPhone, or Mac (TechRepublic Premium)

The glitch detailed by the researchers lies in the Contacts Only setting. To share a file with someone via AirDrop, you use the iOS Sharing feature and specify AirDrop as the tool. If the other person’s AirDrop is set to Contacts Only, Apple needs to determine if you’re in that person’s contact list. To do this, the company uses an authentication process that compares your phone number and email address with entries in the other person’s address book.

To protect your phone number and email address during this process, Apple relies on a hashing function to obscure that information. However, researchers at the university had already discovered that this hashing fails to adequately protect the privacy of the data.

As such, a savvy stranger could reverse the hash values through certain techniques, including brute force attacks, thereby uncovering your email address and phone number. This flaw also extends to other devices that use AirDrop, including iPads and Macs.

“As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users—even as a complete stranger,” the researchers said in the report. “All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.”

In one scenario, a hacker with malicious intent could linger in a public place and scan for people trying to use the iOS Share feature. If AirDrop is set to Contacts Only for any person, the hacker could then try different methods to obtain the email addresses and phone numbers of nearby users. Such personal information can then be used for spam, phishing campaigns and other types of attacks.

To replace the unsecure AirDrop design, the researchers said they created their own solution dubbed “PrivateDrop.” Based on optimized cryptographic protocols, PrivateDrop can quickly and securely determine if you’re in a fellow iPhone user’s contact list without having to exchange the vulnerable hash values. PrivateDrop is accessible on GitHub for analysis by third parties.

What of Apple’s response? The researchers said they revealed the privacy hole in AirDrop to the company back in May 2019. So far, Apple hasn’t acknowledged the issue nor indicated work on a possible fix. TechRepublic contacted Apple for comment and will update the story with any response.

For now, the researchers advise users to turn off AirDrop. To do this on an iPhone or iPad, go to Settings and then General and then tap the entry for AirDrop. Turn the setting to Receiving Off.

Alternatively, go directly to Control Center by swiping down from the top-right corner or up from the bottom depending on your device. Long-press down on the control for connectivity, then tap the icon for AirDrop and set it to Receiving Off. On a Mac, click the Control Center icon on the menu bar and then select and turn off AirDrop. You can always turn AirDrop on temporarily—if and when you need it.

Apple Weekly Newsletter

Whether you want iPhone and Mac tips or the latest enterprise-specific Apple news, we’ve got you covered.
Delivered Tuesdays

Sign up today

Also see