Security researchers have discovered an AirDrop exploit that, under certain circumstances, can share an iPhone user's phone number and email address with strangers.
First of all, the AirDrop exploit allows users to do nothing more than open an iOS or macOS sharing window within a stranger's Wi-Fi range so that they can see their phone number and email address. This means that an AirDrop transfer does not necessarily have to be initiated to be at risk. The security researchers who discovered the vulnerability explain that they reported it to Apple in May 2019. But the company has still not provided a fix for the 1.5 billion affected devices. The problem has already been identified in previous investigations. But in these cases only partial phone numbers could be revealed. In addition, a database was necessary. The latest study, however, states that the full data can now be determined every time someone opens a sharing window, regardless of which option they then select.
AirDrop exploit: Apple uses weak hashing mechanism
Researchers at the Technical University of Darmstadt say the problem is a combination of two aspects. First, in order to offer the "Contacts Only" option for AirDrop, Apple devices must silently request personal data from all devices within range.
Because sensitive data is typically only shared with people the user already knows, AirDrop only displays recipient devices from address book contacts by default. To determine if the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user's phone number and email address with entries in the other user's address book.
Now to point two. Although the data exchanged is encrypted, Apple uses a relatively weak hashing mechanism.
A team of researchers from the Secure Mobile Networking Lab (SEEMOO) and the Cryptography and Privacy Engineering Group (ENCRYPTO) at TU Darmstadt took a closer look at this mechanism and discovered a serious data protection leak. As an attacker, it is possible to find out the phone numbers and email addresses of AirDrop users - even as a complete stranger. All they need is a WiFi-enabled device and physical proximity to a target that initiates the discovery process by opening the sharing window on an iOS or macOS device. The problems discovered are rooted in Apple's use of hash functions to "obfuscate" the exchanged phone numbers and email addresses during the discovery process. Researchers at TU Darmstadt have already shown that hash functions do not enable data protection-compliant contact discovery, since so-called hash values can be quickly exposed using simple techniques such as brute force attacks.
Apple has not yet responded
Finally, the team explained that it has solved the AirDrop bug with a much more secure approach it calls PrivateDrop. However, despite Apple being made aware of both the privacy issue and a possible solution, Cupertino has not yet fixed the bug. (Photo by New Africa / Bigstockphoto)
