Strangers can see the email address and other personal info of AirDrop users due to a security flaw in Apple’s file-sharing system, security researchers say. All that is required for this exploit to take place is physical proximity to an AirDrop user and a Wi-Fi device.
The researchers reportedly disclosed the flaw to Apple in May 2019, but it remains unfixed. That potentially leaves more than 1.5 billion Apple devices vulnerable.
AirDrop gives iPhone, iPad and Mac users an easy way to share photos, documents and other files with nearby devices. It’s convenient, but apparently not as secure as you might think.
According to researchers at Technische Universitat Darmstadt in Germany, the problem stems from the way AirDrop checks to see if a user is a contact. AirDrop compares the phone number and email of a potential recipient with entries stored in the sender’s address book.
Although this data is encrypted, Apple reportedly uses a somewhat weak hashing mechanism. This makes it possible for bad actors to discover the personal information.
The security researchers say they came up with a fix for the AirDrop vulnerability called PrivateDrop. However, Apple still has not fixed the bug — or adopted the proposed solution.
“This means that the users of more than 1.5 billion Apple devices are still vulnerable to the outlined privacy attacks,” the researchers said. “Users can only protect themselves by disabling AirDrop discovery in the system settings and by refraining from opening the sharing menu.”
Apple security measures
For the most part, Apple is very strong when it comes to both privacy and encryption. This was epitomized by the company’s clash with the FBI several years ago over whether to help the Feds break into an iPhone belonging to a suspected shooter.
Cupertino introduced multiple reporting mechanisms by which security researchers can notify flag bugs they find in Apple software. Apple even offers decent rewards in the form of bug bounties. However, the system isn’t flawless. In the past, Apple failed to fix serious bugs in a timely manner.
It remains unclear why it has taken Apple so long to get around to fixing the AirDrop flaw. It is also not apparent whether this vulnerability was ever used in the wild. Even if not, the potentially nasty ramifications mean that it should be patched ASAP. Hopefully Apple will do so in upcoming software updates.