Apple AirDrop can leak contact details: it has a couple of privacy weaknesses that the company has failed to address in spite of solutions being offered.
A bug-hunting team at Technische Universität Darmstadt in Germany says it has discovered a number of vulnerabilities in the over-the-air file sharing service of Apple’s iOS and macOS.
Their findings suggest senders and receivers may end up leaking their contact details in the process. With more than a billion active iPhones at any one time, it is a huge security risk. Apple has not issued a fix, even though the team informed the company in May and, later in October 2020, even offered to suggest ways to address the issue.
How does AirDrop Leak Contact Details?
AirDrop sets up a TLS-encrypted direct peer-to-peer Wi-Fi connection between Apple gear for sharing files. It uses Apple Wireless Direct Link, a proprietary Wi-Fi link-layer protocol, together with Bluetooth connections. The researchers manipulated these to obtain the victim’s contact details, i.e. their phone number and email address.
When you open an AirDrop connection to send or receive a file, the sender transmits over the air a message containing a hash, or digital fingerprint, of the user’s email address or phone number. This is required for the authentication handshake: a receiver that recognizes the hash transmits a hash back.
What is wrong with AirDrop?
Apple uses the 20-year-old SHA-256 algorithm to perform the hashing. A hash function should act as a form of one-way encryption, which a SHA-256 hash of a phone number sadly fails to be in practice: there are few enough possible phone numbers that every candidate can be hashed and compared. As a result, the researchers were able to crack AirDrop’s SHA-256 hashes to collect users’ phone numbers.
It is not easy to break the email address hashes, though bad actors can use databases of leaked email addresses and dictionary attacks on @gmail.com, @yahoo.com, and similar addresses to relatively quickly reverse an email address hash to the original.
Christian Weinert, of the university’s Cryptography and Privacy Engineering Group, told internet media, “We don’t have concrete numbers on email hash cracking time, but look at the Facebook leak: there are over 500 million addresses that could be used. There are also online services that will do this for you.”
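Why an unsalted hash of a phone number or a guessable email address should be treated as equivalent to the identifier itself, shown as an added example that is not code from the researchers or from Apple. The digits-only string format, the function names and the sample identifiers (a fictional 555-01xx number and example.org addresses) are constructed assumptions, not AirDrop's wire format.

```python
import hashlib
import math
from itertools import product

def digest(identifier: str) -> str:
    """Unsalted SHA-256 of a contact identifier (string format is an assumption)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def search_space_bits(count: int) -> float:
    """Entropy in bits of an identifier drawn uniformly from `count` candidates."""
    return math.log2(count)

def phone_candidates(prefix: str, free_digits: int):
    """Every number that shares `prefix` and has `free_digits` unknown trailing digits."""
    for tail in product("0123456789", repeat=free_digits):
        yield prefix + "".join(tail)

def email_candidates(local_parts, domains):
    """Dictionary of addresses: known local parts crossed with common domains."""
    for local, domain in product(local_parts, domains):
        yield f"{local}@{domain}"

def preimage_by_enumeration(target: str, candidates):
    """Return (identifier, tries) if a candidate hashes to `target`, else (None, tries)."""
    tries = 0
    for candidate in candidates:
        tries += 1
        if digest(candidate) == target:
            return candidate, tries
    return None, tries

# Constructed sample data standing in for hashes seen in a handshake.
OBSERVED_PHONE_HASH = digest("12025550147")
OBSERVED_EMAIL_HASH = digest("j.doe@example.org")

if __name__ == "__main__":
    # The digest is 256 bits wide, but the input space is only about 33 bits.
    print(f"10-digit number space: {search_space_bits(10**10):.1f} bits")
    print(preimage_by_enumeration(OBSERVED_PHONE_HASH, phone_candidates("1202555", 4)))
    print(preimage_by_enumeration(
        OBSERVED_EMAIL_HASH,
        email_candidates(["jdoe", "j.doe", "jane.doe"], ["example.com", "example.org"]),
    ))
```

The width of the digest is irrelevant here; what bounds the work is the size of the candidate list, which is why hashed phone numbers should be handled as personal data rather than as anonymized values.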
How can Hackers Exploit AirDrop vulnerabilities?
There are two possibilities:
- Hackers can set up a system to listen out for iPhones, iPads, and Macs scanning for nearby AirDrop-enabled devices. After scanning the area, such a device sends out a message containing its user’s contact information as a hash. This can be recorded and cracked. This contact information can later be used for spear phishing in a targeted environment.
- Hackers may choose to work in a targeted environment and figure out an email address or phone number likely to be recognized by nearby devices, for example the boss’s office phone number. The hackers can send AirDrop requests to a receiver in the vicinity and send that common contact detail as a hash in a handshaking message. Nearby receivers that recognize the hashed contact detail reply with a message containing their own contact details as hashes. Voilà, now you can determine the email addresses and phone numbers of surrounding AirDrop-capable devices from the harvested hashes and use them for spear-phishing purposes.
The chances of these happening in real-world scenarios are remote. It is not something the general public needs to worry about, but it is annoying nonetheless.
The Darmstadt team’s paper [PDF] on the above is now published. It will later be presented at the USENIX Security ’21 conference in August.
Apple has received the full copy of the paper and said it appreciated “the updates and working with researchers such as yourself.”