AirDrop flaw reveals contact details to strangers nearby

(Pocket-lint) – Apple’s AirDrop feature could expose personal contact details to strangers nearby, a team of researchers said.

The file sharing shortcut, available on iOS, iPadOS, and macOS, allows users to quickly and easily send photos, documents, and more when another Apple device is nearby.

However, computer researchers at Darmstadt Technical University suggested that the feature had a significant security flaw. In the recently published team paper, it is suggested that strangers near Apple devices with AirDrop enabled can remove email address and phone number information.

Despite notifying Apple of the issue in May 2019, no recognition or fix for the flaw has since been rolled out to around 1.5 billion affected devices, according to the team.

Researchers believe the problem stems from several things.

Firstly, when users with the “Contacts only” option set for AirDrop go to initiate an exchange, their Apple device will quietly request phone number and email address data in a nearby Wi-Fi range to see if it matches their address book.

This means that potentially affected users don’t even need to open an exchange to be affected.

Although this contact data is encrypted, researchers also believe that Apple’s security mechanism is weak.

“The problems discovered are rooted in Apple’s use of hash functions to ‘obscure’ phone numbers and email addresses exchanged during the discovery process,” the researchers said.

“The hash fails to provide confidentiality-preserving contact discovery because hash values ​​can be quickly reversed using simple techniques such as brute force attacks.”

The team notes that they were able to fix the flaw with a more secure approach – called PrivateDrop – but, with Apple apparently not responding to the potential fix, suggests users take their own steps to reduce the chances of their contact information falling into the wrong files. bad hands.

They advise users to turn off AirDrop by going to Settings> General> AirDrop> Receive disabled. The feature can then be activated when really needed.

Written by Conor Allison. Originally published on .