New research has uncovered privacy weaknesses in Apple's wireless file-sharing protocol that could result in the exposure of a user's contact information such as email addresses and phone numbers.
"As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger," said a team of academics from the Technical University of Darmstadt, Germany. "All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device."
AirDrop is a proprietary ad hoc service present in Apple's iOS and macOS operating systems, allowing users to transfer files between devices by making use of close-range wireless communication.
While this feature shows only receiver devices that are in users' contact lists by an authentication mechanism that compares an individual's phone number and email address with entries in the other user's address book, the newly shortcoming defeats such protections with the help of a Wi-Fi-capable device and by just being in close physical proximity to a target.
"When an AirDrop connection is attempted between a sender and a receiver, the sender transmits over the air a message containing a hash, or digital fingerprint, of its user's email address or phone number as part of an authentication handshake," the researchers explained. "In response, if the sender is recognized, the receiver transmits back its hash."
According to the researchers, the core of the problem is rooted in Apple's use of hash functions for masking the exchanged contact identifiers — i.e., phone numbers and email addresses — during the discovery process. Not only can a malicious receiver collect the hashed contact identifiers and unscramble them "in milliseconds" using techniques such as brute-force attacks, but a malicious sender can also learn all the hashed contact identifiers, including the receiver's phone number, without requiring any prior knowledge of the receiver.
In a hypothetical attack scenario, a manager can open a share menu or share sheet from an Apple could use it to get the phone number or email address of other employees who have the manager's contact details stored in their address books.
The researchers said they privately notified Apple of the issue as early as May 2019, and once again in October 2020 after developing a solution named "PrivateDrop" to correct the flawed design in AirDrop.
"PrivateDrop is based on optimized cryptographic private set intersection protocols that can securely perform the contact discovery process between two users without exchanging vulnerable hash values," the researchers noted.
But given that Apple is yet to indicate its plans to fix the privacy leakage, users of more than 1.5 billion Apple devices are vulnerable to such attacks. "Users can only protect themselves by disabling AirDrop discovery in the system settings and by refraining from opening the sharing menu," the researchers said.
The findings are the latest in a series of studies undertaken by TU researchers, who have taken apart Apple's wireless ecosystem over the years with the goal of identifying security and privacy issues.
In May 2019, the researchers disclosed vulnerabilities in Apple's Wireless Direct Link (AWDL) proprietary mesh networking protocol that permitted attackers to track users, crash devices, and even intercept files transferred between devices via man-in-the-middle (MitM) attacks.
Then early last month, two distinct design and implementation flaws in Apple's Find My feature were uncovered that could lead to a location correlation attack and unauthorized access to the location history of the past seven days, thus deanonymizing users.