- An Apple AirDrop flaw could expose phone numbers and email IDs to strangers who are within Wi-Fi range.
- The problem is rooted in Apple’s use of hash functions for “obfuscating” the exchanged phone numbers and email addresses during the discovery process.
- Users should turn AirDrop off when not in use or set it to be discoverable by contacts only.
Apple-to-Apple data transfer via Wi-Fi and Bluetooth could expose phone numbers and email IDs to strangers who are within Wi-Fi range, according to a new report by researchers at a German university. All the strangers would need to do is be in range. Researchers at Technische Universität Darmstadt report that simply opening an iOS or macOS sharing panel could expose personal information to people in range. This could happen even without transferring anything to third parties and can be termed a “significant security risk.”
How does the AirDrop flaw work?
“As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device,” said the Secure Mobile Networking Lab and the Cryptography and Privacy Engineering Group in a press release.
The problem is apparently rooted in Apple’s use of hash functions for “obfuscating” the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt showed that hashing fails to provide privacy-preserving contact discovery as the so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.
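The weakness described above comes from how few possible phone numbers exist, not from the hash function itself. The following is an added illustration, not code from the researchers or from Apple: it assumes plain SHA-256 over the number string, a constructed fictional number in the reserved 555-01xx range, and an assumed hash rate, none of which come from the article.

```python
import hashlib

def obfuscate(identifier: str) -> str:
    """Hash an identifier as a naive 'obfuscation' step (SHA-256 is an assumption)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def search_space(unknown_digits: int) -> int:
    """Number of candidate phone numbers when `unknown_digits` digits are unknown."""
    return 10 ** unknown_digits

def exhaust_seconds(unknown_digits: int, hashes_per_second: float) -> float:
    """Worst-case time to hash every candidate at an assumed hash rate."""
    return search_space(unknown_digits) / hashes_per_second

def reverse_hash(target: str, known_prefix: str, unknown_digits: int):
    """Enumerate every number under a known prefix; return the match or None.

    A deterministic hash maps each candidate to the same value every time,
    so comparing against the observed hash identifies the original number.
    """
    for n in range(search_space(unknown_digits)):
        candidate = f"{known_prefix}{n:0{unknown_digits}d}"
        if obfuscate(candidate) == target:
            return candidate
    return None

if __name__ == "__main__":
    # Constructed sample: a fictional number, hashed as it might be exchanged.
    observed = obfuscate("+12025550142")

    # With the country and area prefix known, only 4 digits remain unknown.
    print("recovered:", reverse_hash(observed, "+1202555", 4))

    # Even a full 10-digit national number is a small space for a hash.
    rate = 1_000_000  # assumed hashes per second, for illustration only
    print("10-digit space:", search_space(10), "candidates,",
          exhaust_seconds(10, rate) / 3600, "hours at the assumed rate")

    # For comparison: a random 128-bit value has about 3.4e38 possibilities,
    # which is why hashing protects secrets with high entropy but not phone numbers.
    print("128-bit space:", 2 ** 128)
```

The same reasoning applies to any identifier drawn from a small or predictable set, which is why a hash alone does not anonymize such values.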
How to protect yourself from the AirDrop flaw?
According to the researchers, over 1.5 billion users could be vulnerable to the AirDrop flaw. Apple is yet to acknowledge the bug, so there is no official way to fix this as of now. However, researchers suggest that one way users can safeguard themselves from strangers is by disabling AirDrop when not in use. It would also be wise to keep AirDrop discoverable by your contacts only instead of everyone.