Apple’s AirDrop technology could leak users’ phone numbers and email addresses, according to researchers who first reported the vulnerability to Apple in 2019. AirDrop is Apple’s own wireless technology used to wirelessly share files such as photos and videos via iOS, iPadOS and macOS devices, and was introduced in 2011. It uses both Wi-Fi and Bluetooth to connect wirelessly and exchange files. However, the mutual authentication mechanism used by AirDrop can be misused to steal a user’s phone number and email address.
Researchers at the Technical University of Darmstadt, Germany, have identified a vulnerability that could affect anything Apple users who share files Drops from the plane. The researchers found that the problem is with the use of hash functions that exchange phone numbers and email addresses during the discovery process.
While this is quite worrying, this only affects users under certain circumstances. First, anyone who has set the receive setting to All is at risk. But otherwise, even if your settings are set to Off or Contacts Only if your stock book is open with AirDrop (where the device looks for other devices to connect), researchers say, are at risk.
Apple uses the new SHA-256 hash features to encrypt the phone number and email address of a user using AirDrop. Although the novice could not convert the hashes to clear text, the researchers found that an attacker with a Wi-Fi-enabled device who is physically close can begin the process of decrypting.
A team of five experts from the University’s Secure Mobile Networking (SEEMOO) laboratory and the Cryptography and Privacy Engineering Group (ENCRYPTO) described the vulnerability. paper.
According to the details provided in the document, there are two specific ways to exploit the shortcomings. In one case, an attacker could gain access to a user’s information when they were nearby and open a share page or share menu for their iPhone, iPador Mac. In another case, however, an attacker could open a distribution form or share a menu with their devices and then search for a nearby device to perform a mutual authentication handshake with the corresponding receiver.
The second case is only valid if the user has set AirDrop Discovery to Everyone. This is not as extensive as the first case where someone trying to share a file through an Apple device can be attacked.
In addition to the details of the shortcomings, researchers have developed a solution called “PrivateDrop” that uses encrypted private set crossing protocols to process sharing between two users without exchanging vulnerable hash values.
The researchers also said a opinion that they privately reported an AirDrop bug to Apple in May 2019, although the company did not acknowledge the matter and responded.
AirDrop is a preloaded service for more than 1.5 billion Apple devices, all of which are said to be vulnerable due to a flaw identified by researchers. Apple did not respond to the comment as to whether it would fix the problem while submitting the story.
This is not the first time that AirDrop has been identified as having a safety issue. The service in August 2019 was found there to be a problem This allows attackers to obtain information about the phone’s status, battery information, Wi-Fi status, buffer availability, and operating system version. At the time, AirDrop was also shown to send partial SHA256 spreads from a telephone number, Apple IDand email addresses. The company also did not respond to the finding.
Nevertheless, until problems are officially fixed, Apple users can simply avoid attacking an attacker through AirDrop turning it off when they do not use the feature.