A significant security flaw has been discovered in Apple’s wireless file-sharing protocol which could lead to the exposure of a user’s contact information such as email addresses and phone numbers.
According to the team of academics from the Technical University of Darmstadt, Germany, it is possible for an attacker to get the phone numbers and email addresses of AirDrop users even if he is a complete stranger. All they need is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.
AirDrop is a proprietary ad hoc service present in Apple’s iOS and macOS operating systems that let the users to transfer files between devices by utilizing close-range wireless communication.
This feature shows only receiver devices that are in users’ contact lists by an authentication mechanism that compares an individual’s phone number and email address with entries in the other user’s address book. However, the new issue defeats such protections with the help of a Wi-Fi-capable device and by just being in close physical proximity to a target.
The researchers stated that when an AirDrop connection is attempted between a sender and a receiver, the sender transmits over the air a message containing a hash, or digital fingerprint, of its user’s email address or phone number as part of an authentication handshake. If the sender is recognized in response, the receiver transmits back its hash.
The main issue lies in Apple’s use of hash functions for masking the exchanged contact identifiers — i.e., phone numbers and email addresses — during the discovery process.
It is possible for a malicious receiver to collect the hashed contact identifiers and unscramble them “in milliseconds” using techniques such as brute-force attacks. A malicious sender can also learn all the hashed contact identifiers, including the receiver’s phone number, without requiring any prior knowledge of the receiver.
The researchers have privately notified Apple of the issue as early as May 2019, and once again in October 2020 after developing a solution named “PrivateDrop” to correct the flawed design in AirDrop.
PrivateDrop is based on optimized cryptographic private set intersection protocols that can securely perform the contact discovery process between two users without exchanging vulnerable hash values.
However, as this bug has not been fixed, users of more than 1.5 billion Apple devices are vulnerable to such attacks.
According to the researchers the users can protect themselves by disabling AirDrop discovery in the system settings and by refraining from opening the sharing menu.