It turns out that Apple’s AirDrop feature has long leaked users’ personal information.
Researchers found that AirDrop, which allows wireless file transfer between Mac and iPhone, leaked user emails and phone numbers. Moreover, it turns out that you have no choice but to turn off the service to stop it.
AirDrop uses Wi-Fi and Bluetooth Low Energy to establish direct connections with nearby devices so it can easily send pictures, documents, and other items from one iOS or macOS device to another. The feature has three modes: one allows only people in your contact list to connect, a second allows anyone to connect, and the last allows no connections at all.
To determine whether a sender’s device should connect with other nearby devices, AirDrop broadcasts Bluetooth advertisements that contain a partial cryptographic hash of the sender’s phone number and email address. If any of the truncated hashes match a phone number or email address in the recipient device’s address book, or if the device is set up to receive from everyone, the two devices negotiate mutual authentication over Wi-Fi. During the handshake, the devices exchange full SHA-256 hashes of their owners’ phone numbers and email addresses.
Hashes cannot be reversed into the plaintext that produced them, but depending on the amount of entropy, or randomness, in that plaintext, it is often possible to recover it anyway. Attackers do this with a “brute-force attack”: they hash a large number of guesses and compare each result with the target hash until they find the text that produces it. The less entropy in the plaintext, the easier it is to recover, because there are fewer plausible candidates for an attacker to try.
The amount of entropy in phone numbers is so small that this recovery is trivial: it takes milliseconds to look a hash up in a precomputed database containing the hashes of every possible phone number in the world. While many email addresses have more entropy, they can also be recovered by trying the billions of email addresses that have surfaced in database breaches over the past 20 years.
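The brute-force argument above, as an added example that is not code from the article or from the researchers: it hashes a constructed, fictional phone-number space, measures its entropy, and shows how a captured full or truncated SHA-256 hash maps back to candidate numbers, which is the check a defender would run to quantify how little protection hashing gives a low-entropy identifier. The prefix, digit count and the assumption that a number is hashed as-is (without any normalization AirDrop might apply) are mine.

```python
import hashlib
import math
from typing import Dict, Iterable, List, Optional


def sha256_hex(identifier: str) -> str:
    # The article says AirDrop exchanges SHA-256 hashes of contact identifiers.
    # How the real implementation normalizes a number before hashing is not
    # on the page, so this hashes the identifier as-is (an assumption).
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def enumerate_phone_numbers(prefix: str, subscriber_digits: int) -> Iterable[str]:
    # Every number of the form prefix + N digits. The space is small and
    # fully enumerable, which is exactly why hashing does not hide it.
    for n in range(10 ** subscriber_digits):
        yield f"{prefix}{n:0{subscriber_digits}d}"


def entropy_bits(candidate_count: int) -> float:
    # Entropy of a uniform choice among candidate_count values.
    return math.log2(candidate_count)


def build_lookup_table(numbers: Iterable[str]) -> Dict[str, str]:
    # The "precalculated database" the article describes: full hash -> number,
    # built once and reused for every lookup afterwards.
    return {sha256_hex(n): n for n in numbers}


def recover_from_full_hash(table: Dict[str, str], full_hash: str) -> Optional[str]:
    # The Wi-Fi handshake carries the full hash, so one dictionary lookup suffices.
    return table.get(full_hash)


def candidates_for_truncated_hash(table: Dict[str, str], truncated_hex: str) -> List[str]:
    # The Bluetooth advertisement carries only a hash prefix; it may match a few
    # numbers, but it already narrows the sender down to a handful.
    return sorted(n for h, n in table.items() if h.startswith(truncated_hex))


if __name__ == "__main__":
    # Constructed sample space: fictional prefix "+1555" plus 5 digits = 100,000 numbers.
    table = build_lookup_table(enumerate_phone_numbers("+1555", 5))
    print(f"entropy of the whole space: {entropy_bits(len(table)):.1f} bits")
    observed = sha256_hex("+155512345")  # stands in for a hash seen in a handshake (constructed)
    print("full hash recovers:", recover_from_full_hash(table, observed))
    print("4-hex-digit prefix candidates:", candidates_for_truncated_hash(table, observed[:4]))
```

A real national numbering plan is only a few orders of magnitude larger, so the full table still fits comfortably on a laptop; a truncated hash leaks less, but a handful of candidates is still a strong hint.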
“This is an important finding because it allows attackers to obtain Apple user information that could be misused for targeted phishing attacks, fraud attacks, etc. in later steps,” said Christian Weinert, one of the researchers who found the vulnerabilities at Darmstadt Technical University in Germany. “Who wouldn’t want to send Donald Trump a direct message via WhatsApp? All the attackers need is a Wi-Fi-enabled device near their victim.”
In a paper presented at the USENIX Security Symposium in August, Weinert and researchers from TU Darmstadt’s SEEMOO laboratory devised two ways to exploit the vulnerabilities.
The easiest and most powerful method is for an attacker to monitor the discovery requests sent by other nearby devices. Because the sending device reveals its own hashed phone number and email address every time it scans for available AirDrop recipients, the attacker only has to wait for nearby Macs to open the sharing menu or nearby iOS devices to open the sharing pane. The attacker does not need to know a phone number, email address, or any other prior information about the target.
A second method works largely in reverse. An attacker opens a sharing menu or sharing pane and checks whether any nearby devices respond with their hashed details. This technique is less powerful than the first because it only works if the attacker’s phone number or email address is already in the recipient’s address book.
Nevertheless, this attack can still be useful when the attacker’s phone number or email address is known to many people. For example, a manager could use it to obtain the phone number or email address of any employee who has the manager’s contact information stored in their address book.
In an email, Weinert wrote:
What we call a “sender leak” (that is, someone who wants to share a file leaks hashed personal identifiers) can be misused by placing “bugs” (small Wi-Fi enabled devices) in public places or other Wi-Fi hotspots.
Let’s say you place such a bug in a conference room or at an event (for example, the Oscars) where politicians, celebrities, or other “VIPs” come together. As soon as one of them opens the sharing pane on an Apple device, you can at least get their private mobile phone number.
From a reporter’s point of view, here is a scenario for what we call a “receiver leak”: Let’s say you are in email contact with a celebrity for a story. Then, if the celebrity has saved your email address, you can easily get their personal mobile number when you are nearby (for example, during an interview). In this case, the celebrity does not even need to open the sharing pane or otherwise touch their device!
The researchers say they privately reported their findings to Apple in May 2019. A year and a half later, they presented Apple with “PrivateDrop,” an overhauled version of AirDrop that uses private set intersection, a cryptographic technique that allows two parties to discover shared contacts without disclosing any sensitive data to each other. The PrivateDrop app is publicly available on GitHub.
“Our PrivateDrop prototype application on iOS/macOS demonstrates that our privacy-friendly mutual authentication approach is efficient enough to preserve AirDrop’s exemplary user experience with authentication latency well below a second,” the researchers wrote in a post outlining their work.
Apple has not yet indicated whether it plans to adopt PrivateDrop or to fix the leak another way. Apple representatives also did not respond to an email from Ars Technica seeking comment on the matter.
This means that every time someone opens a sharing pane on macOS or iOS, they continue to leak hashes that disclose their phone number and possibly their email address. And in some cases, simply having AirDrop enabled may be enough to leak these details.
For now, Weinert said, the only way to prevent the leak is to set AirDrop discovery to “Nobody” in the system settings menu and also to avoid opening the sharing pane. This advice may be excessive when using AirDrop at home or in other familiar places, but when using a device at a conference or elsewhere in public, it makes more sense.