Apple's AirDrop & Wi-Fi password sharing features can potentially expose critical ID data

Posted:
in iPhone
Wireless features like AirDrop and Wi-Fi password sharing on iPhones, Macs, and other Apple devices can expose exploitable data, according to a recent report -- but there are two easy solutions.

Hexway Wi-Fi sharing exploit


The technologies broadcast a partial cryptographic (SHA256) hash, which can be used to obtain details like an iPhone's phone number or a Mac's static MAC address, said security outfit Hexway. The underlying issue is data packets sent through Bluetooth Low Energy (BLE), which for all Apple devices transmit information such as name, OS version, battery status, and whether Wi-Fi is on.

This is often innocuous and necessary, but could be used by some parties to track people or launch a more serious attack. In one short video, Hexway demonstrated an AirDrop-based exploit that allows someone to send an SMS message to a target.





Attackers may also be able to send their own BLE requests and disguise themselves as devices like AirPods, or force target hardware to share a Wi-Fi password.





The issue is present on all iOS devices from iOS 10.3.1 onwards, Hexway said, though products prior to the iPhone 6s are only sending a limited number of messages instead of a continuous stream. Regardless, the only way of completely mitigating the threat is turning off Bluetooth, which may not be worth it -- especially for people with accessories that depend on wireless, such as headphones or an Apple Watch.

"This behavior is more a feature of the work of the ecosystem than vulnerability," Hexway commented.

Much of this vector of attack is inherent to the BLE protocol, but AirDrop and similar sharing standards slightly expose the vector. It's recommended that Apple users lock down AirDrop as much as they can by setting it to "Contacts Only," or disabling it entirely, since strangers might otherwise be able send harassing images and other files.

The attack is still mostly a targeted one, and most users won't have to worry. There is no evidence that this vector is currently being exploited.

Comments

  • Reply 1 of 14
    GeorgeBMacGeorgeBMac Posts: 11,421member
    "They" will always find a way to get in. 
    Whether or not they do depends mainly on:  How hard they are willing to work based on the value of the prize versus how hard it is to get in, and, the relative difficulty compared to somebody else's system.
    cornchip
  • Reply 2 of 14
    SoliSoli Posts: 10,035member
    I was just talking about AirDrop as a minor security hole this morning. I'm glad this specific threat is being addressed, but this is also nothing that anyone needs to worry about. Sure, Apple should worry about it and work to make these features more secure for the user, but I wouldn't even contact friends and family to have them adjust their AirDrop settings. I say this as someone that has used AirDrop as a way to put illicit files on someone's machine to set them up for a crime they didn't commit… in a thriller I've written.

    Personally, when it comes to personal security, I really wish Apple didn't have any phone numbers show up for calls and texts on the lock screen before the device is authenticated with a passcode after a restart. I find these numbers a lot more revealing than some name I've put in, like Bob.
    edited August 2019 frantisekargonautcornchip
  • Reply 3 of 14
    "Critical data"

    This trend of being obsessed with the exposure of data that is not meaningful in the least is incredibly obnoxious and needs to die.

    Tomorrow's headline: COMPANY CREATES GIANT BOOK OF EVERYONES NAME AND PHONE NUMBER AND MAILS IT TO EVERYONE! OUTRAGE CANNOT BE QUELLED!
    ArloTimetravelerargonautlinkmanJustSomeGuy1watto_cobra
  • Reply 4 of 14
    I don't think I have ever used AirDrop successfully when set to "Contacts Only", only when set to "Everyone" (on my iOS devices). I find it very convenient but I wish that issue would be rectified. 
    cornchipwatto_cobra
  • Reply 6 of 14
    tzeshantzeshan Posts: 2,351member
    If you are concerned, turn Airdrop off all the time. Turn it on only when you want to receive. 
    cgWerkscornchipAppleExposed
  • Reply 7 of 14
    linkmanlinkman Posts: 1,035member
    "Critical data"

    This trend of being obsessed with the exposure of data that is not meaningful in the least is incredibly obnoxious and needs to die.

    Tomorrow's headline: COMPANY CREATES GIANT BOOK OF EVERYONES NAME AND PHONE NUMBER AND MAILS IT TO EVERYONE! OUTRAGE CANNOT BE QUELLED!
    I actually get a slight bit of outrage when I receive one -- what the heck do I need that thing for? It's a total waste of trees and my city doesn't want them for recycling.
    watto_cobra
  • Reply 8 of 14
    linkmanlinkman Posts: 1,035member
    Soli said:
    Personally, when it comes to personal security, I really wish Apple didn't have any phone numbers show up for calls and texts on the lock screen before the device is authenticated with a passcode after a restart. I find these numbers a lot more revealing than some name I've put in, like Bob.
    YMMV on this. That contact named "Amber - FWB" can give away a lot more than something like "555-1234."
  • Reply 9 of 14
    SoliSoli Posts: 10,035member
    linkman said:
    Soli said:
    Personally, when it comes to personal security, I really wish Apple didn't have any phone numbers show up for calls and texts on the lock screen before the device is authenticated with a passcode after a restart. I find these numbers a lot more revealing than some name I've put in, like Bob.
    YMMV on this. That contact named "Amber - FWB" can give away a lot more than something like "555-1234."
    Sure, you can put all sorts of information in the name. You could put "Amber SSN: 010-32-8900" if you wanted. My point is that no personal information should be stated on an iPhone that hasn't had been unlocked so that the biometric is in effect—not that it should instead show the contact name. If I kill the biometrics on my iPhone (by holding down the power button and either of the volume button, hitting the  power button five times, or turning off the device then nothing should appear on the lock screen that is personal information.
    cgWerksAppleExposedwatto_cobra
  • Reply 10 of 14
    seanismorrisseanismorris Posts: 1,624member
    Soli said:
    linkman said:
    Soli said:
    Personally, when it comes to personal security, I really wish Apple didn't have any phone numbers show up for calls and texts on the lock screen before the device is authenticated with a passcode after a restart. I find these numbers a lot more revealing than some name I've put in, like Bob.
    YMMV on this. That contact named "Amber - FWB" can give away a lot more than something like "555-1234."
    Sure, you can put all sorts of information in the name. You could put "Amber SSN: 010-32-8900" if you wanted. My point is that no personal information should be stated on an iPhone that hasn't had been unlocked so that the biometric is in effect—not that it should instead show the contact name. If I kill the biometrics on my iPhone (by holding down the power button and either of the volume button, hitting the  power button five times, or turning off the device then nothing should appear on the lock screen that is personal information.
    I’ve never seen anyone put information into the name field (other than name)... everything is under notes.  Obviously notes should not never be displayed without a password...

    But, when receiving a call not displaying the name and phone number is silly.

    If you want to say you don’t want iMessage (etc) to display on a locked phone, there’s some sense to that.  There’s probably an option somewhere (or should be) to turn that off.
  • Reply 11 of 14
    tzeshantzeshan Posts: 2,351member
    Soli said:
    linkman said:
    Soli said:
    Personally, when it comes to personal security, I really wish Apple didn't have any phone numbers show up for calls and texts on the lock screen before the device is authenticated with a passcode after a restart. I find these numbers a lot more revealing than some name I've put in, like Bob.
    YMMV on this. That contact named "Amber - FWB" can give away a lot more than something like "555-1234."
    Sure, you can put all sorts of information in the name. You could put "Amber SSN: 010-32-8900" if you wanted. My point is that no personal information should be stated on an iPhone that hasn't had been unlocked so that the biometric is in effect—not that it should instead show the contact name. If I kill the biometrics on my iPhone (by holding down the power button and either of the volume button, hitting the  power button five times, or turning off the device then nothing should appear on the lock screen that is personal information.
    I’ve never seen anyone put information into the name field (other than name)... everything is under notes.  Obviously notes should not never be displayed without a password...

    But, when receiving a call not displaying the name and phone number is silly.

    If you want to say you don’t want iMessage (etc) to display on a locked phone, there’s some sense to that.  There’s probably an option somewhere (or should be) to turn that off.
    When Mac wants to update a new version, it does not say what and from who? This is very critical issue. 
  • Reply 12 of 14
    cgWerkscgWerks Posts: 2,952member
    tzeshan said:
    If you are concerned, turn Airdrop off all the time. Turn it on only when you want to receive. 
    Exactly. Airdrop is off, as is Bluetooth most of the time (unless I need it). Unfortunately, now you have to go into settings to do that stuff, instead of the simple Control Center.
  • Reply 13 of 14
    AppleExposedAppleExposed Posts: 1,805unconfirmed, member
    Airdrop should be secure as I believe it will be a good exclusive Apple feature. For example people in China were using the feature during protests.

    Soli said:
    linkman said:
    Soli said:
    Personally, when it comes to personal security, I really wish Apple didn't have any phone numbers show up for calls and texts on the lock screen before the device is authenticated with a passcode after a restart. I find these numbers a lot more revealing than some name I've put in, like Bob.
    YMMV on this. That contact named "Amber - FWB" can give away a lot more than something like "555-1234."
    Sure, you can put all sorts of information in the name. You could put "Amber SSN: 010-32-8900" if you wanted. My point is that no personal information should be stated on an iPhone that hasn't had been unlocked so that the biometric is in effect—not that it should instead show the contact name. If I kill the biometrics on my iPhone (by holding down the power button and either of the volume button, hitting the  power button five times, or turning off the device then nothing should appear on the lock screen that is personal information.

    Very true. Police are now exploiting this on locked iPhones. They'll call from whatever phone number may make your case look bad and use it as "evidence".
    Soli
Sign In or Register to comment.