California: AirDrop, one of Apple’s most popular features, drew attention at its launch because it lets iPhone users share content between two Apple devices. However, it has now been reported that AirDrop can potentially expose a user’s private data, such as email address and phone number, to anyone who is in Wi-Fi range.
The flaw, found by researchers at Technische Universität Darmstadt, a German university, means that simply opening an iOS or macOS sharing panel could expose personal information to people in range. This could reportedly happen even without initiating a file transfer, and it poses a significant risk.
Trusted Reviews, which first reported on this flaw, said that the researchers at the university (Technische Universität Darmstadt) raised this issue with Apple back in 2019 but the company hasn’t fixed it yet. They said that the issue lies in the weak hashing of phone numbers and email addresses associated with the Apple user. “All strangers need to do is be in the vicinity in order to snoop,” the report said.
Their report also cited a press release from the Secure Mobile Networking Lab (SEEMOO) and the Cryptography and Privacy Engineering Group (ENCRYPTO) as saying, “As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.”
The problems, according to the report, lie in Apple’s use of hash functions. The researchers from TU Darmstadt had already shown that hashing fails to provide privacy-preserving contact discovery and that hash values can be reversed using simple techniques.
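Why hashing does not hide a phone number, as an added example that is not from the article or the researchers: the set of valid numbers is small enough to enumerate, while the same hash over a random 128-bit value is not. SHA-256 is an assumption (the article does not name the hash function), and the phone number and prefix are constructed sample values.

```python
import hashlib
import math
import secrets


def digest(identifier: str) -> str:
    # Assumption: SHA-256 stands in for the unnamed hash function.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def search_space_bits(unknown_digits: int) -> float:
    """Entropy in bits of a value with this many unknown decimal digits."""
    return unknown_digits * math.log2(10)


def recover(target_hash: str, prefix: str, unknown_digits: int):
    """Hash every number under `prefix`; return the one matching target_hash."""
    for n in range(10 ** unknown_digits):
        candidate = f"{prefix}{n:0{unknown_digits}d}"
        if digest(candidate) == target_hash:
            return candidate
    return None


def demo():
    # Constructed sample: a fictional number with four unknown digits.
    number = "+12025550143"
    found = recover(digest(number), "+1202555", 4)

    # A random 128-bit token hashed the same way is not in any small,
    # enumerable set, so the same search finds nothing.
    token = secrets.token_hex(16)
    not_found = recover(digest(token), "+1202555", 4)

    return {
        "recovered_number": found,
        "recovered_token": not_found,
        # A full 10-digit national number is only about 33 bits,
        # far below the 128 bits of the random token.
        "bits_10_digit_number": round(search_space_bits(10), 1),
        "bits_random_token": 128,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weakness shown is the size of the input space, not the hash function: any unkeyed hash of a phone number or similar low-entropy identifier behaves the same way.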
This flaw could potentially lead to a data breach affecting over 1.5 billion Apple users and cause further security issues.
There are two main reasons behind this security flaw. The first is the process of finding contacts, and the second is that AirDrop uses a “mutual authentication” process to compare the phone numbers and email addresses of a possible receiver.
How to protect yourself
The basic requirements for the attack are a stable Wi-Fi connection and proximity between the two Apple devices.
To avoid these attacks, set your AirDrop to “Receiving Off” on an iPhone or iPad, and to “Allow me to be discovered by No One” on a Mac.
The researchers, however, said that the only way to avoid falling prey to this flaw is to stop using AirDrop, at least until Apple issues a fix.