'Severe' AirDrop exploit could expose email and phone number in highly specific circumstan...

Posted:
in General Discussion
Researchers have demonstrated a theoretical risk of AirDrop sharing an iPhone user's phone number and email address with strangers.

Researchers at Germany's Technische Universitat Darmstadt say AirDrop can reveal a user's phone number and email address to strangers
Researchers at Germany's Technische Universitat Darmstadt say AirDrop can reveal a user's phone number and email address to strangers


For hackers to steal this private information, they would need to perform a brute-force attack or another "simple technique," however. They would need to do this while being in physical proximity to a user with an open share sheet on an AirDrop-enabled Apple device.

While those are highly particular conditions, the researchers at Germany's Technische Universitat Darmstadt believe this vulnerability poses a "severe privacy leak."

"To determine whether the other party is a contact," the researchers wrote, "AirDrop uses a mutual authentication mechanism that compares a user's phone number and email address with entries in the other user's address book."

Although Apple encrypts that information, the researchers say the iPhone maker's hashing technique "fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks."

The security analysts found the AirDrop flaw in 2019. They reported it to Apple that May but never received any confirmation from the Cupertino company.

"So far," said the researchers, "Apple has neither acknowledged the problem nor indicated that they are working on a solution. This means that the users of more than 1.5 billion Apple devices are still vulnerable to the outlined privacy attacks. Users can only protect themselves by disabling AirDrop discovery in the system settings and by refraining from opening the sharing menu."

The researchers published a public warning for the first time on Wednesday.

AirDrop is often the quickest way to transfer content between iPhone, iPad, iPod touch, and Mac. The service debuted on the Mac in 2011 with OS X Lion and on iOS in 2013.




Stay on top of all Apple news right from your HomePod. Say, "Hey, Siri, play AppleInsider," and you'll get latest AppleInsider Podcast. Or ask your HomePod mini for "AppleInsider Daily" instead and you'll hear a fast update direct from our news team. And, if you're interested in Apple-centric home automation, say "Hey, Siri, play HomeKit Insider," and you'll be listening to our newest specialized podcast in moments.

Comments

  • Reply 1 of 10
    22july201322july2013 Posts: 2,406member
    Which hash algorithm does Apple use for this? The remote article doesn't indicate either. Isn't the main cause of this problem that the hash algorithm is too simple?
    watto_cobra
  • Reply 2 of 10
    I always have Receiving Off unless I am transferring between devices but that’s always done at home. 
    watto_cobra
  • Reply 3 of 10
    mike1mike1 Posts: 2,679member
    "Highly specific circumstances" is definitely an understatement.

    So, a hacker would have to wait around for two people to decide to AirDrop something, then in the seconds the share sheet is open, perform a "brute-force" attack.
    And the most they can get is a phone number or e-mail address?!
    One would have a better chance of winning the lottery than falling prey to this.

    edited April 23 jas99Hank2.0rcfaFidonet127macplusplusapplguyPetrolDavespock1234cornchipbadmonk
  • Reply 4 of 10
    sflocalsflocal Posts: 5,661member
    mike1 said:
    "Highly specific circumstances" is definitely an understatement.

    So, a hacker would have to wait around for two people to decide to AirDrop something, then in the seconds the share sheet is open, perform a "brute-force" attack.
    And the most they can get is a phone number or e-mail address?!
    One would have a better chance of winning the lottery than falling prey to this.

    It's a pretty low-priority exploit for sure, but as Apple always makes privacy a central talking-point about iPhones, I'm glad there are folks out there that find these issues and it will make the iPhone that much better.  

    Ever wonder why only read about Apple security flaws and never one peep about Android security breaches?  It's because Android is such a joke of an OS that it's a wild-west  of security breaches.  It's so prevalent that people consider it a norm.  This is reason-one why I will never move over to Android.  

    Keep up the good work people!
    DnykjpRfC6fnBsdope_ahminecornchipwatto_cobra
  • Reply 5 of 10
    rcfarcfa Posts: 994member
    If this can’t be used as a springboard for privilege escalation, who cares?

    If you have to linger around people for so long that they start airdropping stuff to each other, and manage to hit the short second the sharing dialogue is open, without first being reported as a stalker, you probably know these people well enough to already know their name and phone number…

    …and names and phone numbers used to be in public phone books without significant ill effect.

    So, yeah, nice you found something, but no, it’s nothing to worry about, unless there’s significant more to it than is being reported.

    “Severe” is a massive overstatement. “Severe” are the leaks that Facebook keeps having…
    edited April 23 jas99spock1234watto_cobra
  • Reply 6 of 10
    mknelsonmknelson Posts: 790member
    mike1 said:
    "Highly specific circumstances" is definitely an understatement.

    So, a hacker would have to wait around for two people to decide to AirDrop something, then in the seconds the share sheet is open, perform a "brute-force" attack.
    And the most they can get is a phone number or e-mail address?!
    One would have a better chance of winning the lottery than falling prey to this.

    No, my interpretation is they need to be in proximity of somebody with the AirDrop Share Sheet open and intercept the hashed contact information.

    They can then perform the "brute-force" part in their own time.
    cornchip
  • Reply 7 of 10
    bonobobbonobob Posts: 304member
    sflocal said:
    Ever wonder why only read about Apple security flaws and never one peep about Android security breaches?  It's because Android is such a joke of an OS that it's a wild-west  of security breaches. 
    I read about Android security breaches on Ars Technica with some regularity.  But they cover topics other than Apple.  If I read Android specific sites, I'm sure I would see even more.  What Android sites do you regularly peruse?
  • Reply 8 of 10
    applguyapplguy Posts: 150member
    mike1 said:
    "Highly specific circumstances" is definitely an understatement.

    So, a hacker would have to wait around for two people to decide to AirDrop something, then in the seconds the share sheet is open, perform a "brute-force" attack.
    And the most they can get is a phone number or e-mail address?!
    One would have a better chance of winning the lottery than falling prey to this.

    My first thought reading your comment is could someone be lured into sending or receiving an AirDrop. But at that point you're probably talking to the person and could just ask for their phone number and email.
    spock1234watto_cobra
  • Reply 9 of 10
    markbyrnmarkbyrn Posts: 639member
    I'm sorry folks but Tim Apple is focused on being a Hollywood mogul and security bugs aren't a priority unless they get published in the mainstream press.  BTW, the Ars article on this issue isn't as dismissive.
  • Reply 10 of 10
    normangnormang Posts: 116member
    As noted, this exploit requires a set of conditions that would be hard to find. maybe impossible.  Actually being in range of someone with a open share sheet, how would the hacker know it was open, how long is the setup time, how long does the share sheet need to be open to he hacked and the most they might get is a sole contact name or email address..   give me break, this doesn't even rate IMHO as a problem because virtually impossible to catch someone in those conditions.

    Even the ARS article goes off the deep tech end you really think some self respecting hacker is going sit around and monitor for the this to happen top get a name and email address maybe?  Plus Airdrop needs to be on and they already need in some cases to know who the hacker is  (ie a valid contact on their device) for it work.  Eventually Apple might fix this if someone actually gets hacked this way in reality and knew about it to care.

    watto_cobra
Sign In or Register to comment.