
Apple AirDrop’s vulnerabilities can potentially leak user data


Researchers have discovered vulnerabilities in Apple AirDrop’s authentication mechanism that could potentially leak a user’s phone number and email address.

Apple’s AirDrop has been a shining example of how seamless file transfer between devices should be. However, as convenient as it is, it might not be as safe.

A team of researchers from the Secure Mobile Networking Lab (SEEMOO) and the Cryptography and Privacy Engineering Group (ENCRYPTO) at the Technical University of Darmstadt took a closer look at AirDrop’s authentication mechanism and found a huge loophole. 



AirDrop’s security vulnerability

AirDrop shows receiver devices from your phone’s contacts by default. This means that to authenticate that the receiving party is, in fact, a contact, AirDrop uses a mutual authentication mechanism that compares the phone number and email address from the sender’s contact list to the receiver’s.

The problem here is Apple’s use of hash functions to obfuscate the exchanged authentication data, the phone numbers and email addresses. Hashing is not a secure way to hide such data: because the space of possible phone numbers and email addresses is small and predictable, hash values of them can be recovered by brute-force guessing or other simple techniques.

AirDrop’s authentication procedure can be captured by an attacker in close proximity.

Now, if you were an attacker in this scenario, you could easily capture these phone numbers and email addresses in hashed form and recover them later. All you need is a Wi-Fi capable device and proximity to the Apple device that started the exchange.
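To show how little protection an unsalted hash gives a phone number, here is an added example written for this article; it is not code from the original page or from the Darmstadt researchers. It assumes SHA-256 as the hash function (the article does not name the function AirDrop uses), a constructed sample number, and a caller who already knows the country code, area code and prefix, which leaves only the last four digits to enumerate. The final measurement extrapolates from that small block to the whole ten-digit number space.

```python
import hashlib
import time
from typing import Optional


def hash_identifier(identifier: str) -> str:
    """Unsalted SHA-256 of a contact identifier. SHA-256 is an assumption for this
    example; the article does not name the hash function AirDrop uses."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def recover_phone_number(target_hash: str, known_prefix: str,
                         free_digits: int = 4) -> Optional[str]:
    """Enumerate every number that starts with known_prefix and compare hashes.
    Returns the matching number, or None if nothing in the range matched."""
    for suffix in range(10 ** free_digits):
        candidate = f"{known_prefix}{suffix:0{free_digits}d}"
        if hash_identifier(candidate) == target_hash:
            return candidate
    return None


def hashes_per_second(sample: int = 20000) -> float:
    """Measure how fast this machine hashes candidates, to size the full search."""
    start = time.perf_counter()
    for i in range(sample):
        hash_identifier(f"+1555000{i % 10000:04d}")
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    secret_number = "+15550001234"             # constructed, not a real subscriber
    captured = hash_identifier(secret_number)  # the value an eavesdropper would see
    print("recovered from hash:", recover_phone_number(captured, "+1555000"))
    rate = hashes_per_second()
    hours = 1e10 / rate / 3600
    print(f"~{rate:,.0f} hashes/s on one core; all 10^10 ten-digit numbers "
          f"take about {hours:.1f} hours")
```

The point of the last line is that even without a known prefix, the whole ten-digit space is a matter of hours on a single core, which is why the hash value of a phone number is effectively the phone number itself.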


There’s a new protocol to guarantee privacy

As a solution to this issue, the research team came up with a secure version of AirDrop called ‘PrivateDrop’. This new version is based on optimised cryptographic private set intersection (PSI) protocols, which do not exchange hash values of the authentication data.

The new protocol avoids the use of hash functions and keeps the data secure.

This new implementation is fast as well: the authentication delay is well below a second, so the convenience and speed of transferring files via AirDrop are not significantly affected.
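To make the difference from plain hashing concrete, here is an added example, written for this article and not the researchers’ PrivateDrop code, of a Diffie-Hellman-based private set intersection, the classic construction that PSI protocols of this kind build on. The sender holds its contact list, the receiver holds its own phone number and email address, and after three messages the sender learns only which of the receiver’s identifiers it already has; an eavesdropper sees only values blinded with fresh per-session secrets. The 128-bit safe prime, the seeded search for it and the square-the-hash mapping into the group are toy choices made for a fast, reproducible demo, not secure parameters, and the sample identifiers are constructed.

```python
import hashlib
import random
import secrets
from typing import List, Sequence, Tuple

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin test; probabilistic, which is fine for a demonstration."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_safe_prime(bits: int = 128, seed: int = 2021) -> int:
    """Find a safe prime p = 2q + 1. Seeded so the demo is reproducible;
    128 bits is a toy size chosen for speed, not a secure parameter."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1


def hash_to_group(identifier: str, p: int) -> int:
    """Map a phone number or e-mail address into the order-q subgroup of squares mod p.
    Squaring the reduced SHA-256 value is a toy stand-in for a real hash-to-group function."""
    counter = 0
    while True:
        data = identifier.encode("utf-8") + counter.to_bytes(4, "big")
        h = int.from_bytes(hashlib.sha256(data).digest(), "big") % p
        g = pow(h, 2, p)
        if g > 1:  # skip the degenerate elements 0 and 1
            return g
        counter += 1


class PsiParty:
    """One side of the protocol: a list of identifiers and a fresh per-session secret exponent."""

    def __init__(self, items: Sequence[str], p: int):
        self.p = p
        self.items = list(items)
        self.secret = 1 + secrets.randbelow((p - 1) // 2 - 1)  # in [1, q-1]

    def blind_own(self) -> List[int]:
        """{H(x)^k} for own items, index-aligned with self.items."""
        return [pow(hash_to_group(x, self.p), self.secret, self.p) for x in self.items]

    def blind_peer(self, blinded: Sequence[int]) -> List[int]:
        """Raise values the peer already blinded to own secret, giving H(x)^(ab)."""
        return [pow(v, self.secret, self.p) for v in blinded]


def dh_psi(sender_contacts: Sequence[str], receiver_identifiers: Sequence[str],
           p: int) -> Tuple[List[str], List[int]]:
    """Three-message exchange. Returns (receiver identifiers already in the sender's
    contacts, everything that went over the air)."""
    sender, receiver = PsiParty(sender_contacts, p), PsiParty(receiver_identifiers, p)
    m1 = sender.blind_own()             # sender -> receiver: {H(x)^a}
    m2 = receiver.blind_peer(m1)        # receiver -> sender: {H(x)^ab}, same order as m1
    m3 = receiver.blind_own()           # receiver -> sender: {H(y)^b}
    random.SystemRandom().shuffle(m3)   # order must not reveal which identifier is which
    receiver_doubly_blinded = set(sender.blind_peer(m3))  # sender computes {H(y)^ba}
    matches = [x for x, v in zip(sender.items, m2) if v in receiver_doubly_blinded]
    return matches, m1 + m2 + m3


def offline_guess_hits(transcript: Sequence[int], candidates: Sequence[str], p: int) -> int:
    """What an eavesdropper with a guess list can do: hash each guess and look for it
    in the transcript. Without a or b every value is blinded, so this finds nothing."""
    seen = set(transcript)
    return sum(1 for c in candidates if hash_to_group(c, p) in seen)


if __name__ == "__main__":
    p = make_safe_prime()
    contacts = ["+15550001234", "alice@example.com", "+15550009999"]  # constructed
    own_ids = ["+15550001234", "bob@example.com"]                      # constructed
    matches, transcript = dh_psi(contacts, own_ids, p)
    print("sender recognised:", matches)
    print("guesses found in transcript:", offline_guess_hits(transcript, contacts + own_ids, p))
```

For the mutual authentication the article describes, the same exchange is run a second time with the roles swapped, so each side learns only whether the other is already in its contacts. The contrast with the hashed exchange is the transcript: the blinded values depend on secrets that exist for one session only, so hashing a guessed phone number and comparing it against captured traffic yields nothing.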

More than 1.5 billion Apple devices still vulnerable

Apple was informed of this vulnerability back in May 2019. However, they have neither acknowledged nor fixed this problem so far. This puts the 1.5 billion Apple device users out there at risk. 

The only way to protect yourself in this scenario is to disable AirDrop discovery and refrain from using the sharing menu, effectively disabling the function on your phone. 

A detailed description of the researchers’ findings will be presented in August at the USENIX Security Symposium.


Apple expanding its ad business amid new privacy rules

In other news, we’ve been wanting to touch upon how Apple has been waging a war against ads and user tracking, but it seems to be more in favour of the company’s commercial interests than the well-being of its customers.

Apple’s new privacy rules don’t let apps track users on an iPhone without the user’s explicit permission. As most users are expected to deny being tracked, this poses a serious threat to the mobile advertising industry.

The company already offers search ads for the top result and now plans to sell a second slot in the ‘suggested’ apps section. The move comes right after the new privacy rules.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
