Some 1.5 BILLION Apple users may be at risk of AirDrop flaw

Apple’s AirDrop makes it easy to share pictures, videos and presentation between its devices, but a new report suggests users may be sharing much more with digital thieves.

A team from Technische Universitat Darmstadt in Germany found hackers can obtain phone numbers and emails of any nearby AirDrop users through the ‘Contacts Only’ option.

The option uses a ‘mutual authentication mechanism’ to confirm the sender and receiver are in each other’s contact list, but this can be used by bad actor in the range of an Apple device to obtain the private information.

Although Apple uses encryption when data is exchanged, the German researchers found it is easily cracked using ‘simple techniques such as brute-force attacks.’
However, the issue was presented to Apple in 2019, but the tech giant has ‘neither acknowledged the problem nor indicated that they are working on a solution.’

The report, according to the researchers, suggests some 1.5 billion Apple devices could be at risk.
‘As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger,’ researchers at Technische Universitat Darmstadt shared in the study.

‘All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.’

The problem is rooted in Apple’s use of hash functions for ‘obfuscating’ the exchanged phone numbers and email addresses during the discovery process.

However, the team also developed a solution to the flaw named ‘PrivateDrop,’ which could be used instead of AirDop until Apple eliminates the vulnerability.
‘PrivateDrop is based on optimized cryptographic private set intersection protocols that can securely perform the contact discovery process between two users without exchanging vulnerable hash values, ‘researchers explain.

‘The researchers’ iOS/macOS implementation of PrivateDrop shows that it is efficient enough to preserve AirDrop’s exemplary user experience with an authentication delay well below one second.’

Apple rarely announces issues with its systems that could be used by bad actors in malicious activity, but sounded the alarm in January when three security vulnerabilities that ‘may have been actively exploited’ by hackers was uncovered.

The tech giant released a statement on its Apple Support page that shows two bugs were identified in Webkit, the browser engine that powers Safari and one in the core operating system, Kernel.

The Kernel flaw was described as a ‘race condition’ that can allow malicious applications to elevate privileges, but the update fixes it with ‘improved locking.’

However, Apple quickly released iOs 14.4 after being notified of the issues that apparently fixed any problems.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s