Apple AirDrop flaw ‘exposes phone numbers and email addresses’ to all
Apple’s AirDrop tech is a really handy way to share photos, contact information and more, but a security flaw could mean sharing details with more folks than you bargained for.
According to researchers at a prominent German university, the Wi-Fi and Bluetooth-powered Apple-to-Apple data transfer tech could expose your phone number and email address to a stranger in Wi-Fi range.
The researchers, working out of Technische Universität Darmstadt, say just opening an iOS or macOS sharing pane could expose your personal information. It’s not even necessary to begin a transfer for third parties to exploit the “significant security risk”, they say.
In findings published this week, the researchers say they raised the issue with Apple way back in 2019 and the company hasn’t fixed it yet. They say the problem lies in weak hashing of phone numbers and email addresses associated with the Apple user. All strangers need to do is be in the vicinity in order to snoop.
In a press release the researchers from the Secure Mobile Networking Lab (SEEMOO) and the Cryptography and Privacy Engineering Group (ENCRYPTO) write: “As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.”
“The discovered problems are rooted in Apple’s use of hash functions for “obfuscating” the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.”
The researchers say 1.5 billion users are potentially vulnerable to this issue, but add Apple hasn’t acknowledged the problem, let alone attempted to fix it. The researchers say the only way to guard against it currently is to turn AirDrop off.
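The researchers' point that hashing does not hide a phone number comes down to how few possible inputs there are. The sketch below is an added illustration, not code from the researchers or from Apple: it assumes unsalted SHA-256 (the article does not name the hash function) and uses a constructed number under a constructed prefix to show that a hash of a low-entropy identifier works as a lookup key rather than a secret.

```python
import hashlib
import math
import time

def obfuscate(identifier: str) -> str:
    # Assumption: unsalted SHA-256; the article does not name the hash function.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def search_space_bits(free_digits: int) -> float:
    """Entropy, in bits, of a number with `free_digits` unknown decimal digits."""
    return free_digits * math.log2(10)

def build_lookup(prefix: str, free_digits: int) -> dict[str, str]:
    """Hash every number under `prefix` once; the table then inverts the hash."""
    table = {}
    for n in range(10 ** free_digits):
        number = f"{prefix}{n:0{free_digits}d}"
        table[obfuscate(number)] = number
    return table

def projected_seconds(free_digits: int, hashes_per_second: float) -> float:
    """Time to cover the whole space at a given hashing rate."""
    return 10 ** free_digits / hashes_per_second

# Constructed sample data: a fictional number under a made-up prefix.
PREFIX = "+1202555"
SAMPLE_NUMBER = "+12025550142"
OBSERVED_HASH = obfuscate(SAMPLE_NUMBER)

def demo():
    """Build the table for 4 unknown digits and look the observed hash up."""
    start = time.perf_counter()
    table = build_lookup(PREFIX, 4)
    rate = len(table) / (time.perf_counter() - start)
    return table.get(OBSERVED_HASH), rate

if __name__ == "__main__":
    recovered, rate = demo()
    print(f"recovered {recovered} at about {rate:,.0f} hashes/s")
    # A full 10-digit number carries about 33 bits, far below a 128-bit secret.
    print(f"10 unknown digits: {search_space_bits(10):.1f} bits, "
          f"about {projected_seconds(10, rate) / 3600:.1f} h at this rate")
```

The projected time is for a single Python process; the design lesson is that any identifier with a small, enumerable input space needs a protocol that does not reveal a deterministic function of it to strangers.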