An AirDrop flaw means that doing nothing more than opening an iOS or macOS sharing pane within Wi-Fi range of a stranger can enable them to see your phone number and email address. You do not have to initiate an AirDrop transfer to be at risk.

The security researchers who discovered the vulnerability say that they disclosed it to Apple way back in May 2019, but the company still hasn’t provided a fix to the 1.5 billion affected devices …

The issue had been partially identified in earlier research, but in that case only partial phone numbers were revealed and a database was required to fill in the blanks. This latest paper says that complete data can be obtained any time anyone opens a share sheet, no matter which option they then select.

Researchers at Germany’s Technische Universität Darmstadt said that the problem is a combination of two issues. First, to offer the “Contacts only” option for AirDrop, Apple devices need to silently request personal data from all devices within range.

Second, although the data exchanged is encrypted, Apple uses a relatively weak hashing mechanism.

As sensitive data is typically exclusively shared with people who users already know, AirDrop only shows receiver devices from address book contacts by default. To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user’s phone number and email address with entries in the other user’s address book.

The team says that it solved the AirDrop flaw with a much more secure approach that it dubs PrivateDrop, but despite being alerted to both the privacy issue and a potential solution, Apple has not yet fixed it.

A team of researchers from the Secure Mobile Networking Lab (SEEMOO) and the Cryptography and Privacy Engineering Group (ENCRYPTO) at TU Darmstadt took a closer look at this mechanism and discovered a severe privacy leak.

As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.

The discovered problems are rooted in Apple’s use of hash functions for “obfuscating” the exchanged phone numbers and email addresses during the discovery process. Researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.
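Why a hash does not hide a phone number, shown as an added example (not code from the researchers or Apple): the digest is long, but the input can only be one of a small number of digit strings, so every candidate can be hashed and compared. SHA-256 as the hash, the helper names and the sample number (taken from the fictional 555-01xx range) are assumptions; the page does not name the hash function.

```python
import hashlib
import math


def hash_identifier(identifier: str) -> str:
    # Assumption: SHA-256 stands in for the unnamed hash function on the page.
    return hashlib.sha256(identifier.encode()).hexdigest()


def search_space_bits(unknown_digits: int) -> float:
    """Entropy, in bits, of a number with this many unknown decimal digits."""
    return unknown_digits * math.log2(10)


def reverse_hash(target: str, prefix: str, unknown_digits: int):
    """Enumerate every number with the given prefix and compare hashes.

    Returns (recovered_number, hashes_computed), or (None, hashes_computed)
    when the target is not in the enumerated range.
    """
    total = 10 ** unknown_digits
    for n in range(total):
        candidate = f"{prefix}{n:0{unknown_digits}d}"
        if hash_identifier(candidate) == target:
            return candidate, n + 1
    return None, total


if __name__ == "__main__":
    # Constructed sample: a fictional number, hashed as a device might send it.
    observed = hash_identifier("+12025550143")

    # With the prefix known, only 4 digits (about 13 bits) are left to search.
    number, tries = reverse_hash(observed, "+1202555", 4)
    print(f"recovered {number} after {tries} hashes")

    # Even a full 10-digit national number is only about 33 bits of input,
    # against a 256-bit digest: the output length adds no secrecy.
    for digits in (4, 7, 10):
        print(f"{digits} unknown digits = {search_space_bits(digits):.1f} bits")
```

The same reasoning applies to salting with a value the other party also receives: the input space stays the same size, which is why the fix has to avoid sending a per-identifier hash at all.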