Old Apple AirDrop Flaw Could Expose Cell Phone Numbers and Emails | Antivirus and Security

AirDrop is very useful for exchanging files between Apple devices, but it is also somewhat dangerous: researchers at the Technical University of Darmstadt, Germany, found that the tool has a security flaw that allows users’ phone numbers and email addresses to be exposed to nearby third parties.

AirDrop (image: Emerson Alecrim / Tecnoblog)

Through AirDrop, you can send photos from your iPhone to an iPad or share them with your friends, for example. The procedure is quick and easy, as long as the devices are physically close.

According to the researchers, the flaw is the result of a combination of two factors in this process. The first is the AirDrop Contacts Only setting, which is enabled by default. The second is the use of a relatively weak encryption method during communication.

There are three possible configurations for AirDrop: Inactive Reception, Contacts Only and Everyone. The first disables the feature, the second allows data exchange only with the user’s contacts, and the third enables sharing with any device.

For the Contacts Only option to work, AirDrop uses a mutual authentication mechanism that checks whether a user’s mobile number and email address are in the other person’s contact list. If so, these users will be able to exchange files with each other.

Communication during this procedure is encrypted. The problem is that the cryptographic function used for this is “weak”, that is, it can be circumvented with some ease.

If the encryption is broken, the data verified during mutual authentication – cell phone number and e-mail – can be collected. And there is no need to initiate a transfer for this. It is enough for an iPhone or other Apple device to check whether there is a device nearby for this data to “circulate” in the environment.

Data capture can be done from a nearby Wi-Fi-capable device.

Not that the procedure is easy. The encryption process generates a hash (a sequence of characters generated from mathematical calculations, basically) for each type of information. It is the hashes that are verified during mutual authentication.

However, since phone numbers follow a specific and predictable pattern, an attacker who knows the cryptographic method can create an algorithm that generates hashes based on the telephone format and compiles the results in a list. It is then enough to check if the hash obtained from a device matches any of the records in the list for the corresponding phone number to be identified.

E-mail addresses do not have a standard size, which makes this action difficult, but does not prevent it: an attacker who generates hash lists based on popular e-mail addresses, such as @gmail.com and @yahoo.com, may have some success in that task.

Note that these are just a few examples of how the vulnerability can be exploited.
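Why hashing does not hide a phone number, as an added example that is not from the article or the researchers. Unsalted SHA-256 stands in for the hash function the article does not name, and the number prefix, range and hashing rate are constructed assumptions.

```python
import hashlib
import math


def identifier_hash(value: str) -> str:
    # Assumed stand-in: unsalted SHA-256 (the article does not name the function).
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyspace_bits(free_digits: int) -> float:
    """Entropy, in bits, of an identifier with this many unknown decimal digits."""
    return free_digits * math.log2(10)


def exhaust_seconds(free_digits: int, hashes_per_second: float) -> float:
    """Time to hash every candidate once at an assumed hashing rate."""
    return 10 ** free_digits / hashes_per_second


def build_lookup(prefix: str, free_digits: int) -> dict[str, str]:
    """Hash every number of the form prefix + N digits and map hash -> number."""
    table = {}
    for n in range(10 ** free_digits):
        number = f"{prefix}{n:0{free_digits}d}"
        table[identifier_hash(number)] = number
    return table


if __name__ == "__main__":
    # Constructed test range: fictional prefix, 4 unknown digits (10,000 values).
    prefix, free = "+1555010", 4
    observed = identifier_hash("+15550104821")  # constructed sample value
    table = build_lookup(prefix, free)
    print("entries in lookup table:", len(table))
    print("hash resolves to:", table.get(observed))

    # The same arithmetic for a full 10-digit number, at an assumed 1e7 hashes/s.
    print("bits in 10 free digits:", round(keyspace_bits(10), 1))
    print("seconds to cover them:", exhaust_seconds(10, 1e7))
    print("bits in a random 128-bit token, for comparison: 128")
```

A 10-digit number carries about 33 bits, so the one-way property of the hash is not what would have to protect it: the input space itself is small enough to enumerate.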

iPhone 12 Mini (image: Emerson Alecrim / Tecnoblog)

Apple was informed of the flaw in 2019

Researchers at the Technical University of Darmstadt said that Apple was informed of the vulnerability in May 2019 and, although AirDrop has undergone updates since then, this problem remains unresolved.

As an alternative, the researchers proposed an open source project called PrivateDrop that, according to them, mitigates this type of flaw and integrates with the AirDrop protocol.

For now, users can only protect themselves from the vulnerability by disabling AirDrop’s discovery function.

With information from Tom’s Guide and 9to5Mac.