AirDrop is a well-known Apple feature that lets devices share data, usually between people who already know each other. By default, AirDrop only shows receiver devices that belong to address book contacts. Additionally, AirDrop uses a mutual authentication mechanism that compares a user’s cellphone number and email address with entries in the other user’s address book.
“An AirDrop flaw means that doing nothing other than opening an iOS or macOS sharing pane within Wi-Fi range of a stranger can allow them to see your cellphone number and email address. One does not have to initiate an AirDrop transfer to be at risk,” reads Tuesday’s press release.
A group of researchers from the Secure Mobile Networking Lab (SEEMOO) and the Cryptography and Privacy Engineering Group (ENCRYPTO) found that it is possible for an attacker to learn the cellphone numbers and email addresses of AirDrop users even if they are complete strangers to the target.
The problem was partially identified in previous research; in that case, however, only partial cellphone numbers were revealed and a database was required to fill in the blanks. This latest paper says that the complete information can be obtained any time anyone opens a share sheet, no matter which option they then select.
Researchers at Germany’s Technische Universität Darmstadt stated that the problem is a combination of two issues. First, to offer the “Contacts only” option for AirDrop, Apple devices need to silently request private data from all devices in close range.
Because sensitive information is usually shared only with people users already know, AirDrop only shows receiver devices from address book contacts by default. To decide whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user’s cellphone number and email address with entries in the other user’s address book.
Second, although the information exchanged is encrypted, Apple uses a relatively weak hashing mechanism.
How to turn off AirDrop on an iPhone via Settings
1. Open the Settings app.
2. Tap “General.”
3. Tap “AirDrop.”
4. Tap “Receiving Off” so that no one can see your device.
The observed issues are rooted in Apple’s use of hash functions for “obfuscating” the exchanged cellphone numbers and email addresses during the discovery process. Researchers from TU Darmstadt had already shown that hashing fails to provide privacy-preserving contact discovery, as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.
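The following added example (not code from the researchers or from Apple) shows why hashing does not hide a phone number: the space of valid numbers is small enough to enumerate. SHA-256, the `+1202555` prefix, the sample number and the hash rate are assumptions made for illustration; the number is constructed and falls in a range reserved for fictional use.

```python
import hashlib
import math


def obfuscate(identifier: str) -> str:
    """Unsalted hash of a contact identifier (SHA-256 is an assumption)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def search_space_bits(digits: int) -> float:
    """Entropy in bits of a uniformly random number with `digits` digits."""
    return digits * math.log2(10)


def seconds_to_exhaust(digits: int, hashes_per_second: float) -> float:
    """Worst-case time to hash every `digits`-digit number at a given rate."""
    return (10 ** digits) / hashes_per_second


def recover(digest: str, prefix: str, unknown_digits: int):
    """Hash every number sharing `prefix`; return (match, hashes computed)."""
    for n in range(10 ** unknown_digits):
        candidate = f"{prefix}{n:0{unknown_digits}d}"
        if obfuscate(candidate) == digest:
            return candidate, n + 1
    return None, 10 ** unknown_digits


if __name__ == "__main__":
    # Constructed sample: a fictional number, hashed as a device might send it.
    observed = obfuscate("+12025550142")

    # A 256-bit digest looks opaque, but the input has far less entropy.
    print(f"10-digit number space: {search_space_bits(10):.1f} bits")
    # Assumed rate of one million hashes per second on commodity hardware.
    print(f"Exhaustive search: {seconds_to_exhaust(10, 1e6):.0f} s")

    # Only four digits are left unknown here so the demo finishes instantly.
    number, tries = recover(observed, "+1202555", 4)
    print(f"Recovered {number} after {tries} hashes")
```

The digest length is irrelevant to the outcome: what matters is that the input, a phone number, carries only about 33 bits of entropy, so any deterministic, unkeyed transformation of it can be inverted by enumeration.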
The group says that it has solved the AirDrop flaw with a far more secure approach that it dubs PrivateDrop. However, despite being alerted to both the privacy issue and a possible solution, Apple has not yet fixed it.
The security researchers who found the vulnerability say that they disclosed it to Apple back in May 2019; however, the company still hasn’t provided a fix for the more than 1 billion affected devices.