Apple has made user privacy a priority for years, pushing even further with its latest iOS update by forcing all app developers to ask iPhone owners if they want to be tracked. These are positive steps toward putting users in control of their data, but according to a new report from security researchers at Germany’s Technical University of Darmstadt, Apple has failed to address a flaw that the university says it made the company aware of in 2019.
The security flaw that the researchers discovered is within AirDrop, which is a feature that allows iPhone, iPad, and Mac users to quickly and easily share photos and documents wirelessly. As the researchers note, you can make it so AirDrop only displays devices owned by people who are already in your contacts. In order to determine if someone is in your contacts, “AirDrop uses a mutual authentication mechanism that compares a user’s phone number and email address with entries in the other user’s address book.” This is where the security flaw comes into play.
Here is what the researchers found when they looked at this mechanism:
As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.
The discovered problems are rooted in Apple’s use of hash functions for “obfuscating” the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.
The research team that found this vulnerability actually developed an alternative solution called “PrivateDrop” which they believe could replace the system Apple currently uses. As the team explains, “PrivateDrop is based on optimized cryptographic private set intersection protocols that can securely perform the contact discovery process between two users without exchanging vulnerable hash values.” With the new system, AirDrop would be more secure, and Apple wouldn’t be sacrificing any of the speed that makes AirDrop such a useful feature.
Unfortunately, it’s unclear when or if anything will ever be done about this issue. The German researchers say that they first informed Apple about the flaw in May 2019, but the company has yet to acknowledge the issue or announce that it is working on a fix. Therefore, 1.5 billion Apple devices continue to be vulnerable to attacks that exploit this flaw, and the only way to fully protect yourself is to disable AirDrop discovery altogether.
If you want to turn AirDrop off, just head to Settings > General > AirDrop, and tap Receiving Off.