AirDrop, used by many iPhone users, lets you share a file with another person simply by sending it to that person’s device. Recent research shows that AirDrop has a flaw in the way it checks whether the other party is in your contact list: an iPhone user with AirDrop enabled can unknowingly disclose their phone number and e-mail address to a stranger. In a recent report, researchers at Technische Universität Darmstadt (TU Darmstadt) in Germany revealed their discovery of a security loophole in Apple’s AirDrop.
Where is the flaw?
- AirDrop offers three receiving settings to choose from:
  - Receiving Off: the feature is simply disabled
  - Contacts Only: the device accepts files only from people in its contact list
  - Everyone: the device accepts files from any nearby iPhone, iPad or Mac user
- The flaw lies in the ‘Contacts Only’ setting. When you share a file via AirDrop from the iOS share sheet and the other person’s AirDrop is set to Contacts Only, their device has to determine whether you are in their contact list. To do this, Apple matches your phone number and e-mail address against the entries in the other person’s address book. To protect these identifiers during the exchange, Apple transmits SHA-256 hashes of them rather than the values themselves. The researchers found, however, that this hashing does not adequately protect the data: phone numbers come from a small, well-structured space and e-mail addresses can be guessed from leaked address lists, so a stranger who captures the hashes can reverse them offline by brute force or with precomputed tables and thereby obtain your e-mail address and phone number. The flaw extends to every device that implements AirDrop, including iPads and Macs.
- “As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users—even as a complete stranger,” the researchers said in the report.
- In practice, an attacker can sit in a public place and wait for nearby users to open the iOS share sheet. The sender’s device broadcasts its hashed identifiers during device discovery, before any file is sent or accepted, so whether the target’s own AirDrop is set to Contacts Only or Everyone, the attacker can collect the hashes and recover the target’s e-mail address and phone number from them. Such personal information may then be used for spam, phishing scams and other attacks.
- To replace the unsafe AirDrop design, the researchers have developed a solution called “PrivateDrop.” Based on optimized cryptographic protocols for private set intersection (PSI), PrivateDrop can quickly and securely determine whether the sender is in the receiver’s contact list without either side exchanging reversible hash values. PrivateDrop is available on GitHub for third-party review.
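The two designs side by side, as an added example. This is constructed demonstration code, not Apple’s AirDrop implementation and not the PrivateDrop project’s code: it assumes identifiers are normalised (E.164 digits, lower-case e-mail) and hashed as raw SHA-256 strings, which the report does not spell out; every phone number, address and contact list is invented; and the PSI half uses the 1024-bit MODP safe prime from RFC 2409 purely as a dependency-free demo group, not as a recommended parameter.

```python
"""Constructed demo (not Apple's or PrivateDrop's code; every identifier and
contact list below is invented) of two things:
(1) AirDrop-style matching on SHA-256 hashes of contact identifiers, and why
    anyone who sees such a hash can brute-force a phone number out of it;
(2) a Diffie-Hellman-style private set intersection (PSI) contact check of the
    kind PrivateDrop proposes, where the receiver learns only whether the
    sender is in its address book and the same brute force goes nowhere."""
import hashlib
import secrets
from typing import Callable, Iterable, List, Optional

# ---- 1. the flawed design: match on plain hashes of identifiers ----

def identifier_hash(identifier: str) -> str:
    """Assumed normalisation: E.164 digits for numbers, lower-case for e-mail."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def brute_force_phone(target, prefix: str, digits: int,
                      fingerprint: Callable[[str], object]) -> Optional[str]:
    """Enumerate every number sharing `prefix`, fingerprint it, stop on a hit.
    A national numbering plan is ~10^10 numbers; at millions of SHA-256/s per
    core, or with precomputed tables, that is hours of work, not years."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if fingerprint(candidate) == target:
            return candidate
    return None

def dictionary_attack(target_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """E-mail addresses have no small numeric space; leaked address lists do the job."""
    return next((c for c in candidates if identifier_hash(c) == target_hash), None)

# ---- 2. PSI in the spirit of PrivateDrop ----
# Demo group: the 1024-bit MODP safe prime from RFC 2409 (group 2). Far too
# small for production use (take a 2048-bit+ group or an elliptic curve), but
# dependency-free. p = 2q + 1, so squaring maps into the order-q subgroup.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2

def probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; catches a mistyped group constant."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

assert probable_prime(P) and probable_prime(Q), "group constant is corrupted"

def hash_to_group(identifier: str) -> int:
    """Demo-grade map into the prime-order subgroup: square of the SHA-256 value."""
    h = int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big")
    return pow(h, 2, P)

_rng = secrets.SystemRandom()

def blind(elements: Iterable[int], secret: int) -> List[int]:
    """Raise every element to `secret` and shuffle, so order leaks nothing."""
    out = [pow(e, secret, P) for e in elements]
    _rng.shuffle(out)
    return out

def psi_contact_check(sender_identifiers: Iterable[str],
                      receiver_contacts: Iterable[str]) -> bool:
    """Three-message DH-PSI; returns the one bit the receiver learns: is any
    sender identifier in its address book? Blinded values are useless to an
    eavesdropper and to the other party, so nothing invertible crosses the
    air. A receiver can still test guessed identifiers by listing them as
    contacts, which no contact-matching scheme can rule out."""
    a = _rng.randrange(1, Q)  # sender's ephemeral secret
    b = _rng.randrange(1, Q)  # receiver's ephemeral secret
    msg1 = blind((hash_to_group(x) for x in sender_identifiers), a)  # S->R: H(x)^a
    msg2 = blind((hash_to_group(y) for y in receiver_contacts), b)   # R->S: H(y)^b
    msg3 = blind(msg2, a)                                            # S->R: H(y)^ab
    receiver_side = set(blind(msg1, b))                              # R alone: H(x)^ab
    return not receiver_side.isdisjoint(msg3)

if __name__ == "__main__":
    number, mail = "+14155501234", "alice@example.com"  # constructed sender identifiers
    print("from plain hash:", brute_force_phone(identifier_hash(number), "+141555", 5, identifier_hash))
    seen = blind([hash_to_group(number)], _rng.randrange(1, Q))[0]  # what an eavesdropper sees
    print("from PSI message:", brute_force_phone(seen, "+141555", 5, hash_to_group))
    print("is contact:", psi_contact_check([number, mail], [number, "bob@example.com"]))
```

The brute force is deliberately restricted to a 100,000-number block so it runs in well under a second; the cost of the full attack scales linearly with the numbering plan, which is exactly why hashing a phone number is not a privacy measure. In the PSI half, an observer of the same exchange sees only H(x)^a with a fresh random a, so running the identical enumeration against that value finds nothing, and the receiver obtains a yes/no answer without ever holding a value it could invert.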
Response from Apple
- The researchers say they disclosed the flaw to Apple in May 2019. So far, Apple has neither acknowledged the issue nor released a fix. In the meantime, the researchers advise users to turn AirDrop off, or to switch it off immediately after use. To do this on an iPhone or iPad, go to Settings, then General, tap the AirDrop entry and set it to Receiving Off.
By Vedant Soni
Campus Ambassador, WCSF