Researchers warn of ‘significant privacy leak’ in AirDrop
German researchers outline flaw in Apple’s wireless delivery system that could expose personal data.
AirDrop is a convenient way to share files and photos with the people around you, but a team of security researchers is warning that a flaw could allow strangers to steal your personal information even if they’re locked out of the system.
The ‘significant privacy leak’ was uncovered by researchers from the
Technical University of Darmstadt in Germany, who claim they informed Apple about the leak nearly two years ago but it still exists. According to the report, the user doesn’t even need to share a file to be vulnerable: “As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Ficapable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.”
The problem stems from Apple’s use of hash functions to hide phone numbers and email addresses during the AirDrop discovery process. However, the TU researchers claim that “hashing fails to provide privacypreserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks”. Once the share sheet comes up and AirDrop starts looking for people nearby, your information is exposed and vulnerable to attack, the researchers claim.
Privacy is one of Apple’s main focuses with its products, and it goes to great lengths to make sure your personal information isn’t shared without your consent. For example, Sign In with Apple uses a private email relay service so companies can’t see your personal address.
They developed a solution using ‘optimized cryptographic private set intersection protocols’ that can securely perform the contact discovery process without leaving personal data vulnerable. The group says that Apple “has neither acknowledged the problem nor indicated that they are working on a solution”. The researchers will publish their findings in August at the USENIX Security Symposium.