Two security loopholes in Apple's AirDrop feature could let hackers access the phone numbers and email addresses associated with both the sending and receiving device, German researchers have found. The feature, which lets users easily transfer files between Macs, iPhones and iPads, is present in more than 1.5 billion Apple devices.
The two vulnerabilities are classified as severe and affect AirDrop’s authentication protocol, according to a paper titled PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop, written by a research team from the Technical University of Darmstadt, Germany.
“In particular, the flaws allow an adversary to learn contact identifiers (i.e., phone numbers and email addresses) of nearby AirDrop senders and receivers. The flaws originate from the exchange of hash values of such contact identifiers during the discovery process, which can be easily reversed using brute-force or dictionary attacks,” reads the paper.
The stolen identifiers could, for example, be used for spearphishing campaigns, or the combination of phone number and email could be sold on the dark web, where other cybercriminals could abuse them for a range of nefarious ends.
A cybercriminal who wants to exploit the flaws would have to be in close physical proximity to the victim and possess a device with an off-the-shelf Wi-Fi card, so as to be able to communicate over the Apple Wireless Direct Link (AWDL) protocol, which is used by AirDrop and AirPlay.
During the authentication handshake, the sender always shares its own contact identifiers in an initial HTTPS POST /Discover message; the receiver returns its own contact identifiers in the HTTPS 200 OK response to that message, but only if it knows at least one of the sender’s identifiers, typically a phone number or email address.
In order to gain access to a sender’s contact identifiers, the threat actor will have to wait until the target turns on AirDrop and starts scanning for receivers by opening the AirDrop sharing pane on the victim's device.
“The target device will freely send a discover message to any AirDrop receiver found during the previous DNS-SD service lookup. Therefore, an attacker can learn the target’s validation record without any authentication by simply announcing an AirDrop service via multicast DNS (mDNS),” the researchers explained. Once the attacker has obtained the validation record, they can recover the hashed contact identifiers offline.
Meanwhile, to obtain a receiver’s contact identifiers, all the attacker needs is for the receiver to already know the malicious sender, that is, to hold one of the sender’s identifiers in its contacts.
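The root cause described above is that the discovery step exchanges plain, unsalted hashes of identifiers drawn from a small space (phone numbers are short digit strings), so the hash hides nothing from anyone willing to enumerate that space. The following added example, written for this article and not code from the researchers or from Apple, models the exchange at toy scale: a sender's validation record, the receiver's "do I know this sender?" check, and an offline lookup that shows why the hashes are reversible. The identifier format, the five-digit candidate range and the contact lists are all constructed for the demonstration; the real AirDrop message formats are not reproduced here.

```python
import hashlib


def contact_hash(identifier: str) -> str:
    """Unsalted SHA-256 of a contact identifier, standing in for the hashed
    identifiers carried in the validation record described in the article."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def build_validation_record(identifiers):
    """What the sender reveals in its discover message: one hash per identifier.
    No authentication has happened yet, so anyone announcing an AirDrop service
    via mDNS receives this record."""
    return [contact_hash(i) for i in identifiers]


def receiver_knows_sender(record, contacts):
    """Receiver side of discovery: hash every contact it holds and reply with
    its own identifiers only if some hash in the sender's record matches.
    This is the condition under which a receiver's identifiers are revealed."""
    known = {contact_hash(c) for c in contacts}
    return any(h in known for h in record)


def reverse_by_enumeration(record, candidates):
    """Offline recovery of identifiers from the record: because the identifier
    space is enumerable, precomputing hash(candidate) for every candidate and
    looking each record entry up in that table inverts the hash. A salt would
    not help here, since both parties must use the same salt to match."""
    table = {contact_hash(c): c for c in candidates}
    return [table[h] for h in record if h in table]


# Constructed toy identifier space: "555-01" followed by two digits, 100 values.
# Real phone numbers are longer but still only digits, so the space stays
# enumerable; that, not the hash function, is the weakness.
CANDIDATES = [f"555-01{d:02d}" for d in range(100)]

SENDER_IDENTIFIERS = ["555-0142"]            # constructed sender phone number
RECEIVER_CONTACTS = ["555-0142", "555-0199"]  # constructed receiver address book
STRANGER_CONTACTS = ["555-0007"]              # receiver who does not know sender


def demo():
    record = build_validation_record(SENDER_IDENTIFIERS)
    return {
        "record_entries": len(record),
        "known_receiver_replies": receiver_knows_sender(record, RECEIVER_CONTACTS),
        "stranger_replies": receiver_knows_sender(record, STRANGER_CONTACTS),
        "recovered_offline": reverse_by_enumeration(record, CANDIDATES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for defenders is the last function: the receiver's check and the offline lookup are the same computation, so whatever lets a legitimate receiver match an identifier also lets an unauthenticated party recover it. That is why the researchers' fix replaces the hash exchange with a private mutual authentication protocol rather than a stronger hash, and why, until such a fix ships, the only user-side mitigation is the one quoted below: keep AirDrop discovery off and avoid opening the sharing pane near untrusted devices.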
How to stay safe
To plug the identifier leakage, the researchers suggested their own solution in the form of a private mutual authentication protocol that they dubbed PrivateDrop, which they submitted to Apple in the spirit of responsible disclosure in October 2020. The researchers also notified the Cupertino tech titan in May 2019 when they first discovered the sender identifier leakage.
However, the researchers said that “Apple has neither acknowledged the problem nor indicated that they are working on a solution”, effectively leaving the users vulnerable to attack.
“Users can only protect themselves by disabling AirDrop discovery in the system settings and by refraining from opening the sharing menu,” the research team added.