A team of researchers from the Secure Mobile Networking Lab (SEEMOO) and the Cryptography and Privacy Engineer Group (ENCRYPTO) discovered that it is possible for an attacker to learn the phone numbers and email addresses of AirDrop users even if they are complete strangers to the target.
AirDrop is a popular Apple feature that allows devices to share data, typically exclusively between people who are already known to each other. By default, Airdrop only shows receiver devices from address book contacts. Functionally, AirDrop uses a mutual authentication mechanism that compares a user’s phone number and email address with entries in the other user’s address book.
Unfortunately, the researchers were able to find a way to learn those phone numbers and email addresses, even if the device attempting to make the connection is not known to the target device. As initially reported by Mashable, all that is required to perform the exploit is a WiFi device and physical proximity to a target that can initiate the discovery process by opening the sharing pane on an iOS or macOS device.
The researchers claim that its discovered problems are rooted in Apple’s use of hash functions for “obfuscating” the exchanged phone numbers and email addresses during the discovery process.
“Researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks,” a press release on the discovery reads.
The researchers say that they have informed Apple about the privacy vulnerability in May of 2019 via responsible disclosure. Tom’s Guide published a story in July of that year that summarizes the underlying issue.
According to the researchers, Apple has neither acknowledged the problem nor indicated that they are working on a solution.
“This means that the users of more than 1.5 billion Apple devices are still vulnerable to the outlined privacy attacks. Users can only protect themselves by disabling AirDrop discovery in the system settings and by refraining from opening the sharing menu,” the researchers say.
As Apple has not indicated that a solution is in the works, the researchers say they have developed what they call “PrivateDrop” to replace the “flawed original AirDrop design.”
“PrivateDrop is based on optimized cryptographic private set intersection protocols that can securely perform the contact discovery process between two users without exchanging vulnerable hash values. The researchers’ iOS/macOS implementation of PrivateDrop shows that it is efficient enough to preserve AirDrop’s exemplary user experience with an authentication delay well below one second,” the press release says.
Both Tom’s Guide and Mashable have advocated turning off AirDrop both in 2019 and now in 2021 respectively in order to protect devices from this exploit. PetaPixel contacted Apple for comment but did not immediately receive a response.
Image credits: Header photo licensed via Depositphotos.