AirDrop Flaw Can Expose Your Phone Number and Email Address to Strangers

A flaw in Apple’s AirDrop means that opening the iOS or macOS sharing pane while within Wi-Fi range of a stranger can expose your phone number and email address to that stranger. The leak occurs regardless of which party initiates the AirDrop transfer.

9to5Mac reports that the researchers at Germany’s Technische Universität Darmstadt who discovered the vulnerability say they informed Apple of the flaw back in May 2019, but the company still hasn’t offered a fix for the 1.5 billion affected devices.

The paper says that the full contact identifiers can be obtained whenever a target opens a share sheet, no matter which sharing option they then select.

Researchers said that the problem is a combination of two issues.

As sensitive data is typically exclusively shared with people who users already know, AirDrop only shows receiver devices from address book contacts by default. To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user’s phone number and email address with entries in the other user’s address book.

[…]

A team of researchers from the Secure Mobile Networking Lab (SEEMOO) and the Cryptography and Privacy Engineering Group (ENCRYPTO) at TU Darmstadt took a closer look at this mechanism and discovered a severe privacy leak.

As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.

The discovered problems are rooted in Apple’s use of hash functions for “obfuscating” the exchanged phone numbers and email addresses during the discovery process. Researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.

The team says it addressed the flaw with a more secure replacement protocol it calls PrivateDrop. However, despite alerting Apple to the privacy issue and offering that solution, Apple has not yet fixed it.
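To make the hashing problem described by the researchers concrete, here is an added example (not Apple’s code and not the TU Darmstadt team’s PrivateDrop code). It models the contact-discovery check as the article describes it: each side hashes its own phone number and email address, the peer looks those hashes up in its own hashed address book, and a stranger who merely observes the hashes recovers the plaintext by brute force. The hash function (SHA-256), the canonical identifier formats, the sample address book, the sender’s number and email, and the size of the enumerated number space are all assumptions constructed for this example.

```python
"""Added example (not Apple's or TU Darmstadt's code): why hashed contact
identifiers do not protect AirDrop users.

Models the discovery step the article describes: each side hashes its own
phone number/email, the peer compares those hashes against its own address
book, and a stranger who sees the hashes simply brute-forces them.
SHA-256, the identifier formats and all sample data are assumptions.
"""
import hashlib
import itertools
from typing import Dict, Iterable, Optional


def identifier_hash(identifier: str) -> str:
    """Hash a canonical identifier (E.164 number or lower-case email).
    SHA-256 is an assumption; the page only says 'hash functions'."""
    canonical = identifier.strip().lower()
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def contact_hash_table(address_book: Iterable[str]) -> Dict[str, str]:
    """Receiver side: pre-hash every address-book identifier once."""
    return {identifier_hash(entry): entry for entry in address_book}


def match_contact(peer_hashes: Iterable[str], table: Dict[str, str]) -> Optional[str]:
    """The 'mutual authentication' check: the peer counts as a known contact
    if any hash it announced is in our address book. Returns the matching
    address-book entry, or None for a stranger."""
    for h in peer_hashes:
        if h in table:
            return table[h]
    return None


def candidate_phone_numbers(prefix: str, free_digits: int) -> Iterable[str]:
    """Enumerate every number sharing a fixed prefix (constructed search space).
    A real national numbering plan is larger, but SHA-256 runs at hundreds of
    millions of hashes per second on commodity hardware, so it is still cheap."""
    for tail in itertools.product("0123456789", repeat=free_digits):
        yield prefix + "".join(tail)


def candidate_emails(local_parts: Iterable[str], domains: Iterable[str]) -> Iterable[str]:
    """Dictionary-style candidates for email identifiers (constructed lists)."""
    for local, domain in itertools.product(local_parts, domains):
        yield f"{local}@{domain}"


def brute_force_hash(target_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker side: recompute the hash over a candidate space until it matches.
    Needs no address book, only proximity and the announced hash."""
    for cand in candidates:
        if identifier_hash(cand) == target_hash:
            return cand
    return None


# Constructed sample data for the demonstration.
SENDER_PHONE = "+4961511234567"
SENDER_EMAIL = "alice@example.com"
STRANGER_ADDRESS_BOOK = ["+4961519990000", "bob@example.org"]


def demo() -> dict:
    """Run the discovery exchange from the stranger's point of view."""
    # What the sender announces when the share sheet is opened.
    announced = [identifier_hash(SENDER_PHONE), identifier_hash(SENDER_EMAIL)]

    # The honest check fails: the sender is not in the stranger's contacts.
    stranger_table = contact_hash_table(STRANGER_ADDRESS_BOOK)
    matched = match_contact(announced, stranger_table)

    # The stranger keeps the hashes and reverses them offline anyway.
    recovered_phone = brute_force_hash(
        announced[0], candidate_phone_numbers("+49615112", 5))
    recovered_email = brute_force_hash(
        announced[1], candidate_emails(["alice", "bob", "carol"],
                                       ["example.com", "example.org"]))
    return {
        "matched_as_contact": matched,
        "recovered_phone": recovered_phone,
        "recovered_email": recovered_email,
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the lookup and the attack are the same computation: whatever lets a receiver recognise a contact by recomputing a hash also lets a stranger recognise the plaintext by recomputing it over a candidate list, and phone numbers and email addresses have far too little entropy for that to be slow.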