AirDrop flaw reveals contact details to nearby strangers

Pocket-lint

Apple AirDrop security flaw exposes phone numbers and email address to nearby strangers

By Conor Allison

Published Apr 26, 2021

Researchers claim that Apple's file-sharing feature hands out personal contact information to nearby devices.

Apple

Apple's AirDrop feature could expose personal contact information details to nearby strangers, a team of researchers has said.

The file-sharing shortcut, which is available on iOS, iPadOS and macOS, allows users to quickly and easily send photos, documents and more when another Apple device is nearby.

However, computer science researchers at the Technical University of Darmstadt have suggested the feature has a significant security flaw. In the team's recently published paper, it's suggested that strangers within nearby range of Apple devices with AirDrop turned on can lift email address and phone number information.

Despite notifying Apple of the issue back in May 2019, no acknowledgement or fix for the flaw has since been rolled out to an estimated 1.5 billion affected devices, the team says.

The researchers believe the problem stems from a couple of things.

Firstly, when users with the 'Contacts Only' option set for AirDrop go to initiate an exchange, their Apple device will quietly request phone number and email addresses data within a nearby Wi-Fi range to see if it matches up with their address book.

This means that potentially affected users don't even have to open up an exchange in order to be affected.

Despite this contact information data being encrypted, researchers also believe Apple's security mechanism is a weak one.

"The discovered problems are rooted in Apple’s use of hash functions for 'obfuscating' the exchanged phone numbers and email addresses during the discovery process," the researchers said.

"Hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks."

The team note that they were able to solve the flaw with a more secure approach - referred to as PrivateDrop - but, with Apple seemingly not responding to the potential fix, suggest users take their own action to reduce the chances of their contact details falling into the wrong hands.

They advise users to disable AirDrop by going to Settings > General > AirDrop > Receiving Off. The feature can then be turned on when it's really needed.