
A Security Vulnerability in AirDrop Puts Every iPad, iPhone, And Mac At Risk

Apple's reputation for customer protection has been questioned in recent weeks as one shocking revelation after another has hit the App Store. And now, a significant new threat has been identified for Apple's 1.65 billion active iPad, iPhone, and Mac/MacBook users worldwide.


The Technical University of Darmstadt in Germany has uncovered a significant security flaw in AirDrop, Apple's cross-device file sharing technology, that enables hackers to easily access user data. Furthermore, the researchers note that they told Apple about this vulnerability nearly three years ago and the corporation has "neither recognized the issue nor indicated that they are working on a fix." And that is only the beginning.

The Attack

"Because sensitive data is normally shared only with people users know, AirDrop defaults to showing recipient devices from address book contacts," the researchers note. "To identify whether the other party is a contact, AirDrop uses a mutual authentication system that matches a user's phone number and email address to entries in the address book of the other user."

This seems sensible on the surface, but upon closer examination, the team discovered: "As an attacker, it is feasible to obtain the phone numbers and email addresses of AirDrop users — even as a total stranger." They only need a Wi-Fi-enabled device and physical proximity to a target that commences the discovery process by opening the sharing pane on an iOS or macOS device.

The team discovered flaws in Apple's use of hash functions to "obfuscate" the exchanged phone numbers and email addresses during the discovery process: "hashing fails to provide privacy-preserving contact discovery because so-called hash values can be easily reversed using simple techniques such as brute-force attacks." An attacker who reverses the hashes obtains the phone numbers and email addresses behind them.

PrivateDrop

According to the researchers, they immediately notified Apple of their results in May 2019. As previously stated, Apple has neither acknowledged nor attempted to resolve the issue. What's more astonishing is that the Darmstadt research team even presented Apple with a patch termed 'PrivateDrop' as part of their initial study.

"PrivateDrop is based on optimized cryptographic private set intersection protocols that enable secure contact discovery between two users without exchanging vulnerable hash values," the team notes, adding that the protocol is efficient enough to maintain AirDrop's exemplary user experience with an authentication delay well below one second.
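The idea behind private set intersection, as an added example that is not PrivateDrop's or Apple's code: a generic Diffie-Hellman-style PSI in which each side blinds hashed identifiers with a per-session secret, contrasted with plain hashes that fall to enumeration of a small candidate range. The toy modulus, the use of SHA-256, all function names and the sample identifiers are assumptions made for illustration.

```python
import hashlib, math, secrets

P = 2**255 - 19  # toy prime modulus (assumption); real designs use a vetted prime-order group

def h(ident: str) -> int:
    """Hash an identifier to a non-zero element modulo P (SHA-256 is an assumption)."""
    digest = hashlib.sha256(ident.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1

def keygen() -> int:
    """Fresh secret exponent, coprime to P-1 so blinding never merges two inputs."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def blind(values, key):
    """Raise each group element to a secret exponent."""
    return [pow(v, key, P) for v in values]

def psi_discovery(own_ids, address_book):
    """One run between a device advertising own_ids and a peer holding address_book.
    Returns (ids the peer has as contacts, everything that crossed the wire)."""
    a, b = keygen(), keygen()                      # per-session secret of each side
    msg1 = blind([h(i) for i in own_ids], a)       # device -> peer: H(id)^a
    msg2 = blind(msg1, b)                          # peer -> device: H(id)^(a*b)
    msg3 = blind([h(c) for c in address_book], b)  # peer -> device: H(contact)^b
    both = set(blind(msg3, a))                     # device computes H(contact)^(b*a)
    matched = [i for i, v in zip(own_ids, msg2) if v in both]
    return matched, msg1 + msg2 + msg3

def enumerate_candidates(observed, candidates):
    """Audit check: which observed values equal the plain hash of a candidate?"""
    table = {h(c): c for c in candidates}
    return sorted(table[v] for v in observed if v in table)

# Constructed sample data (fictional 555-01xx numbers, example.com addresses).
OWN_IDS = ["+12025550142", "alice@example.com"]
ADDRESS_BOOK = ["+12025550142", "+12025550177", "bob@example.com"]
GUESSES = [f"+120255501{n:02d}" for n in range(100)]

if __name__ == "__main__":
    matched, wire = psi_discovery(OWN_IDS, ADDRESS_BOOK)
    print("peer has these ids as contacts:", matched)
    print("plain hashes matched by enumeration:",
          enumerate_candidates([h(i) for i in OWN_IDS], GUESSES))
    print("blinded wire values matched:", enumerate_candidates(wire, GUESSES))
```

The same candidate list that matches a plain hash matches none of the blinded values, because every value on the wire depends on a secret exponent that is discarded after the session.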

1,650,000,000 Apple Devices That Are Vulnerable

As a result of these revelations and Apple's inaction, 1.65 billion "Apple devices remain exposed to the specified privacy threats," with no indication of when or even if they would be fixed. Meanwhile, the Darmstadt research team notes that "Users may safeguard themselves solely by blocking AirDrop discovery in the system settings and avoiding entering the sharing option."
