Apple's AirDrop facilitates the sharing of photos, videos, and presentations between its devices, but a new report suggests that users may be inadvertently sharing more information with digital thieves. A team from Technische Universität Darmstadt in Germany found that hackers can access the phone numbers and email addresses of any nearby AirDrop users through the "contacts only" option.
Contacts-only mode relies on a mutual check: sender and receiver each have to confirm that the other's contact details appear in their own address book, and it is this check that an attacker within wireless range of an Apple device can abuse to harvest personal information. Apple does not send the identifiers in the clear: they are hashed first, and the data is exchanged over an encrypted connection. The German researchers found, however, that the hashes give little protection, because phone numbers, and many email addresses, come from a small enough space that the original values can be recovered with "simple techniques like brute force attacks." The researchers reported the issue to Apple in 2019; the company has neither acknowledged it nor indicated that it is working on a fix.
The report puts the number of potentially affected devices at roughly 1.5 billion. An attacker who wants the phone numbers and email addresses of an AirDrop user needs only a Wi-Fi capable device and physical proximity to the target; the target does the rest by opening the sharing panel on an iOS or macOS device, which starts the discovery process in which the hashed identifiers are exchanged.
The root of the problem is that Apple relies on hash functions to "obfuscate" the phone numbers and email addresses exchanged during discovery, and the hash of a low-entropy value such as a phone number is not a secret. The team has also built a replacement, PrivateDrop, that can be used in place of AirDrop until Apple addresses the vulnerability. According to the Daily Mail, the researchers explained that PrivateDrop is built on cryptographic private set intersection (PSI) protocols, which let two users discover whether they are in each other's contacts without exchanging weak hash values.
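As an added illustration (not code from the article or from the PrivateDrop authors), the following Python contrasts the two approaches described above: a bare hash of a phone number exchanged during discovery, which an eavesdropper reverses by simply enumerating the possible numbers, and a Diffie-Hellman style private set intersection in which each party blinds its identifiers with a secret exponent before anything goes on the wire. SHA-256 as the hash, the phone-number format, the one-directional contact check and the toy group (integers modulo the Mersenne prime 2^127-1) are all assumptions of this example, not details from the page or from PrivateDrop's actual design.

```python
"""Added example, not code from the article or from the PrivateDrop authors.
Part 1 shows why a bare hash of a phone number is brute-forceable; part 2 shows
a DH-style private set intersection (PSI) that blinds identifiers instead.
SHA-256, the phone-number format and the toy group below are assumptions."""
import hashlib
import secrets

# --- Part 1: hashed identifiers leak to anyone in range --------------------

def hash_identifier(identifier: str) -> str:
    """Stand-in for the obfuscating hash of a contact identifier (assumed SHA-256)."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def brute_force_phone(target_hash: str, prefix: str, digits: int):
    """Recover a phone number from its bare hash by enumerating every number
    with the given prefix and `digits` trailing digits.  The set of possible
    phone numbers is tiny compared to the hash output space, so this is cheap."""
    for tail in range(10 ** digits):
        candidate = f"{prefix}{tail:0{digits}d}"
        if hash_identifier(candidate) == target_hash:
            return candidate
    return None

# --- Part 2: blinded exchange in the style of a DH-based PSI ----------------

# Toy group: integers modulo the Mersenne prime 2^127-1.  Far too small for real
# use; a deployed PSI would use an elliptic-curve group with proper hash-to-curve.
P = 2 ** 127 - 1

def hash_to_group(identifier: str) -> int:
    """Map an identifier to a non-trivial group element (toy hash-to-group)."""
    h = int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big") % P
    return h if h > 1 else 2

def blind(identifier: str, secret: int) -> int:
    """H(identifier)^secret mod P: what actually goes on the wire."""
    return pow(hash_to_group(identifier), secret, P)

def new_secret() -> int:
    return secrets.randbelow(P - 3) + 2

def psi_sender_contacts_in_receiver(sender_ids, receiver_ids):
    """One direction of a contact check (simplified): the sender learns which of
    its own identifiers appear in the receiver's address book, and nothing else.
    Returns (matches, transcript); transcript is everything an eavesdropper sees."""
    a = new_secret()            # sender's secret exponent, never transmitted
    b = new_secret()            # receiver's secret exponent, never transmitted
    # Message 1, sender -> receiver: sender identifiers blinded with a, order kept.
    msg1 = [blind(x, a) for x in sender_ids]
    # Message 2, receiver -> sender: each element re-blinded with b (same order),
    # plus the receiver's own identifiers blinded with b only.
    msg2_double = [pow(v, b, P) for v in msg1]
    msg2_recv = [blind(y, b) for y in receiver_ids]
    # Sender finishes: raise the receiver's blinded values to a; a match means
    # H(x)^(ab) == H(y)^(ba), i.e. the same identifier on both sides.
    receiver_double = {pow(v, a, P) for v in msg2_recv}
    matches = [x for x, d in zip(sender_ids, msg2_double) if d in receiver_double]
    transcript = msg1 + msg2_double + msg2_recv
    return matches, transcript

def brute_force_blinded(transcript, prefix: str, digits: int):
    """The same dictionary attack against the PSI transcript.  Without a or b the
    eavesdropper can only compute unblinded group elements, which never appear on
    the wire, so no candidate matches."""
    seen = set(transcript)
    for tail in range(10 ** digits):
        candidate = f"{prefix}{tail:0{digits}d}"
        if hash_to_group(candidate) in seen:
            return candidate
    return None

if __name__ == "__main__":
    # Constructed sample data; the numbers and addresses are not real.
    victim = "+4915100012345"
    print("recovered from bare hash:", brute_force_phone(hash_identifier(victim), "+491510001", 4))
    matches, transcript = psi_sender_contacts_in_receiver(
        [victim, "alice@example.com"], [victim, "bob@example.com"])
    print("PSI matches:", matches)
    print("recovered from PSI transcript:", brute_force_blinded(transcript, "+491510001", 4))
```

The dictionary attack in `brute_force_phone` succeeds after at most 10^4 hashes here, and a real attacker would enumerate whole country numbering plans just as cheaply. Against the PSI transcript the same dictionary is useless: no unblinded value ever appears, and recovering `a` or `b` from what was sent amounts to solving a discrete logarithm. The group here is a toy chosen to keep the example self-contained; a real deployment would use an elliptic-curve group, and a full mutual-contact check would run the exchange in both directions.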