An AirDrop security flaw can allow anyone with a laptop and scanning software to see your phone number. The same is true when you share a Wi-Fi password from your iPhone.
Doing the same from a Mac reveals its permanent MAC address instead…
Ars Technica reports.
Although Apple takes steps to guard against this, security researchers have found it’s trivial to crack the system used.
“This is the classic trade-off that companies like Apple try to make when balancing ease of use vs privacy/security,” independent privacy and security researcher Ashkan Soltani told Ars. “In general, automatic discovery protocols often require the exchange of personal information in order to make them work—and as such—can reveal things that could be considered sensitive. Most security and privacy minded folks I know disable automatic discovery protocols like AirDrop, etc just out of principle.”
The full phone number can be recovered because an attacker can create a database with the hash values for every phone number in their region. The blog post doesn’t explain how the phone number is matched from only the first three bytes of the hash, but the scripts can be found on GitHub.
It’s the same if you share Wi-Fi passwords from your iPhone, explains cybersecurity company Hexway.
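Why three bytes of a hash do so little to hide a phone number can be measured directly. The sketch below is an added example, not code from Hexway, Ars Technica or Apple. It assumes SHA-256 over the ASCII digits of the number (the page does not name the hash or the input format) and uses a made-up block of 100,000 numbers. For each truncation length it reports how many numbers in the block share a truncated hash value.

```python
import hashlib
from collections import Counter

# Assumptions, not from the page: SHA-256 over the ASCII digits of the number.
HASH = hashlib.sha256
# Constructed number block: 100,000 made-up numbers sharing one prefix.
BLOCK_PREFIX, SUFFIX_DIGITS = "155501", 5


def truncated_hash(number: str, nbytes: int) -> bytes:
    """First nbytes of the hash of a phone number."""
    return HASH(number.encode("ascii")).digest()[:nbytes]


def number_block(prefix: str = BLOCK_PREFIX, digits: int = SUFFIX_DIGITS):
    """Every number in the constructed block, as digit strings."""
    return [f"{prefix}{i:0{digits}d}" for i in range(10 ** digits)]


def anonymity_report(numbers, nbytes: int) -> dict:
    """Measure how well nbytes of hash hide one number among `numbers`."""
    sizes = Counter(truncated_hash(n, nbytes) for n in numbers)
    # Numbers whose truncated hash is shared with nobody else in the block.
    unique = sum(1 for c in sizes.values() if c == 1)
    # Average size of the group a number sits in (itself included).
    mean_set = sum(c * c for c in sizes.values()) / len(numbers)
    return {
        "numbers": len(numbers),
        "possible_values": 256 ** nbytes,
        "unique_fraction": unique / len(numbers),
        "mean_anonymity_set": mean_set,
    }


if __name__ == "__main__":
    block = number_block()
    for nbytes in (1, 2, 3):
        print(nbytes, anonymity_report(block, nbytes))
```

A phone-number block is tiny next to the 16,777,216 values three bytes can take, so at that length almost every number in the block is alone in its group. Hashing hides a value only when the set of possible inputs is too large to enumerate.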
In the video demos of both the AirDrop security flaw and the password-sharing one, the software sends a text message to the number to prove that it was discovered.
It follows an earlier report of a Bluetooth flaw that would allow geographical tracking of iPhones, iPads, Macs, Apple Watches, Fitbit devices, and laptops/tablets running Windows 10.