Boffins from the Technical University of Darmstadt, Germany, have discovered a privacy issue in AirDrop, Apple’s wireless file-sharing protocol, that could expose users’ contact information, such as email addresses and phone numbers.
“A team of researchers from the Secure Mobile Networking Lab (SEEMOO) and the Cryptography and Privacy Engineering Group (ENCRYPTO) at TU Darmstadt took a closer look at this mechanism and discovered a severe privacy leak.” reads a post published by the researchers. “As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.”
AirDrop is a proprietary ad hoc service in Apple Inc.’s iOS and macOS operating systems, introduced in Mac OS X Lion (Mac OS X 10.7) and iOS 7, which can transfer files among supported Macintosh computers and iOS devices by means of close-range wireless communication.
The flaw discovered by the experts could impact owners of more than 1.5 billion Apple devices that are still vulnerable.
The feature allows sharing data with devices owned by address book contacts. The AirDrop protocol uses a mutual authentication mechanism that compares a user’s phone number and email address with entries in the other user’s address book to determine whether the two users are in each other’s contacts.
The experts pointed out that an attacker could learn the phone numbers and email addresses of AirDrop users even without being one of their contacts. The attacker only needs a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.
The flaws identified by the researchers allow an attacker to learn contact identifiers (i.e., phone numbers and email addresses) of nearby AirDrop senders and receivers. The experts found that the flaws originate from the exchange of hash values of these contact identifiers during the discovery process; because phone numbers and email addresses come from a small, predictable space, the hashes can be easily reversed by attackers via brute-force or dictionary attacks.
“The discovered problems are rooted in Apple’s use of hash functions for “obfuscating” the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.” continues the post.
The researchers privately reported their findings to Apple in May 2019, then developed a solution named “PrivateDrop” to address the flaw in AirDrop and reported it to the IT giant in October 2020.
“We developed a solution named PrivateDrop to replace the flawed original AirDrop design. PrivateDrop is based on optimized cryptographic private set intersection protocols that can securely perform the contact discovery process between two users without exchanging vulnerable hash values.” state the researchers. “Our prototype implementation of PrivateDrop on iOS/macOS shows that our privacy-friendly mutual authentication approach is efficient enough to preserve AirDrop’s exemplary user experience with an authentication delay well below one second. The implementation of PrivateDrop is publicly available on GitHub.”
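The two passages above make one technical point each: plain hashes of phone numbers are reversible by enumeration because the input space is small, and private set intersection (PSI) lets two parties find shared identifiers without exchanging such hashes. The following Python is an added illustration of both halves side by side; it is not AirDrop or PrivateDrop code. The phone-number space (a constructed toy plan of "+1-555-" plus four digits), the use of unsalted SHA-256, the toy Diffie-Hellman-style PSI and its 256-bit prime modulus are all assumptions chosen for readability, not the parameters of any real protocol.

```python
"""Hashed contact identifiers vs. a toy DH-style private set intersection.

Part 1 shows why a deterministic hash of a low-entropy identifier is not a
privacy measure: an eavesdropper enumerates the candidate space once and
inverts every captured hash by lookup.  Part 2 shows a minimal PSI exchange
in which the transcript carries only blinded values that cannot be matched
against candidates without a party's secret exponent.
Added example; constructed data and toy parameters throughout.
"""
import hashlib
import secrets
from typing import Dict, Iterable, List, Optional

# --- Part 1: hashed identifiers are enumerable -------------------------------

# Constructed toy numbering plan: "+1-555-" followed by four digits, i.e.
# 10_000 candidates.  Real numbering plans are larger but still cheap to
# enumerate, which is the weakness the researchers describe.
PHONE_SPACE: List[str] = [f"+1-555-{n:04d}" for n in range(10_000)]


def hash_identifier(identifier: str) -> bytes:
    """Unsalted SHA-256, standing in for any deterministic identifier hash."""
    return hashlib.sha256(identifier.encode()).digest()


def build_reverse_table(candidates: Iterable[str]) -> Dict[bytes, str]:
    """Precompute hash -> identifier for the whole candidate space."""
    return {hash_identifier(c): c for c in candidates}


def invert_hash(digest: bytes, table: Dict[bytes, str]) -> Optional[str]:
    """Recover the identifier behind a captured hash by table lookup."""
    return table.get(digest)


# --- Part 2: toy DH-style PSI ------------------------------------------------

# Toy modulus: the 256-bit field prime of secp256k1, used here only as a prime
# for a multiplicative group.  Illustrative; real PSI uses EC groups.
P = 2**256 - 2**32 - 977


def to_group(identifier: str) -> int:
    """Hash the identifier into Z_P^* and square it so it lands in the QR subgroup."""
    h = int.from_bytes(hash_identifier(identifier), "big") % P
    return pow(h, 2, P)


class Party:
    """One side of the exchange, holding identifiers and a secret exponent."""

    def __init__(self, identifiers: Iterable[str]):
        self.ids = list(identifiers)
        self.secret = secrets.randbelow(P - 2) + 1  # private exponent in [1, P-2]

    def blind_own(self) -> List[int]:
        """Round 1: send H(id)^secret for each own identifier."""
        return [pow(to_group(i), self.secret, P) for i in self.ids]

    def blind_peer(self, peer_blinded: List[int]) -> List[int]:
        """Round 2: raise the peer's blinded values to own secret -> H(id)^(xy)."""
        return [pow(v, self.secret, P) for v in peer_blinded]


def psi(alice: Party, bob: Party) -> List[str]:
    """Run the exchange and return the identifiers Alice learns are shared."""
    a_blind = alice.blind_own()           # Alice -> Bob:   H(a)^x
    b_blind = bob.blind_own()             # Bob -> Alice:   H(b)^y
    a_double = bob.blind_peer(a_blind)    # Bob -> Alice:   H(a)^(xy)
    b_double = alice.blind_peer(b_blind)  # Alice, locally: H(b)^(xy)
    shared = set(a_double) & set(b_double)
    return sorted(i for i, v in zip(alice.ids, a_double) if v in shared)


def eavesdropper_matches(blinded: List[int], candidates: Iterable[str]) -> int:
    """Count candidates whose unblinded group element appears in the transcript.

    Without a secret exponent the observer can only compare H(c) directly, and
    the blinded values H(id)^x never equal H(c), so this returns 0.
    """
    seen = set(blinded)
    return sum(1 for c in candidates if to_group(c) in seen)


if __name__ == "__main__":
    table = build_reverse_table(PHONE_SPACE)
    print(invert_hash(hash_identifier("+1-555-0042"), table))
    alice = Party(["+1-555-0042", "+1-555-7777", "alice@example.com"])
    bob = Party(["+1-555-7777", "bob@example.com"])
    print(psi(alice, bob))
    print(eavesdropper_matches(alice.blind_own(), PHONE_SPACE))
```

The contrast is the whole lesson: in Part 1 the table is built once and every hash ever captured is inverted in constant time, whereas in Part 2 the only values on the wire are blinded by a fresh secret exponent, so an eavesdropper holding the same candidate list matches nothing, and even the two parties learn only the identifiers they already share. A production PSI additionally has to stop a malicious party from claiming identifiers it does not own, which is outside what this toy shows.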
(SecurityAffairs – hacking, Apple AirDrop)