Sensitive information leaked by Apple AirDrop bug

A team of researchers at a German university has discovered a privacy flaw in Apple's wireless file-sharing protocol that can result in the disclosure of a user's contact information, such as email addresses and phone numbers. The bug can also allow anyone within range of an AirDrop user to install a malicious application on the target device by sending it through AirDrop.

AirDrop is an “over-the-air” file sharing service that uses Bluetooth and Wi-Fi, and is built into iOS and Mac OS X products. It is a proprietary service of Apple.

This feature is meant to show only receiving devices that are in the user's contact list: an authentication mechanism compares an individual's phone number and email address with entries in the other user's address book. The recent discovery nullifies that protection, requiring only a Wi-Fi-capable device and close physical proximity to a target.

How does the AirDrop flaw work?

“As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device,” said Secure Mobile Networking Lab and the Cryptography and Privacy Engineering Group in a press release.

According to the researchers, the core of the problem is rooted in Apple's use of hash functions for masking the exchanged contact identifiers — i.e., phone numbers and email addresses — during the discovery process. Not only can a malicious receiver collect the hashed contact identifiers and unscramble them "in milliseconds" using techniques such as brute-force attacks, but a malicious sender can also learn all the hashed contact identifiers, including the receiver's phone number, without requiring any prior knowledge of the receiver.
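The weakness described above is that a plain hash of a low-entropy value such as a phone number is not a mask at all: the whole input space can be enumerated and compared. The following is an added illustration, not Apple's protocol or the researchers' code; the identifier prefix, the 4-digit toy space and the keyed-hash variant shown as a contrast are constructed for this example only.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy identifier space: a fixed prefix with only the last four
# digits varying. Real phone numbers have roughly 10^10 possibilities, which is
# still small enough to enumerate quickly against an unkeyed hash.
PREFIX = "+1555000"
SUFFIX_DIGITS = 4


def mask_unkeyed(identifier: str) -> str:
    """Weak scheme: a plain hash of the identifier, as described on the page."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def mask_keyed(identifier: str, key: bytes) -> str:
    """Contrast: a keyed hash. Without the key there is nothing to enumerate
    against, so the same digest no longer reveals the identifier.
    (Illustration of the principle only, not the fix the researchers proposed.)"""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def invert_unkeyed(digest: str) -> Optional[str]:
    """Recover the identifier behind an unkeyed digest by trying every value in
    the toy space. Returns None if no candidate matches (e.g. keyed digests)."""
    for n in range(10 ** SUFFIX_DIGITS):
        candidate = f"{PREFIX}{n:0{SUFFIX_DIGITS}d}"
        if mask_unkeyed(candidate) == digest:
            return candidate
    return None


def demo(identifier: str) -> dict:
    """Show the two schemes side by side for one constructed identifier."""
    key = secrets.token_bytes(32)
    return {
        "unkeyed_recovered": invert_unkeyed(mask_unkeyed(identifier)),
        "keyed_recovered": invert_unkeyed(mask_keyed(identifier, key)),
    }


if __name__ == "__main__":
    print(demo("+15550001234"))
```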

In a hypothetical attack scenario, a manager who opens the share menu (share sheet) on an Apple device could use it to obtain the phone number or email address of other employees who have the manager's contact details stored in their address books.

Affected Versions: The vulnerability affects iOS versions supporting AirDrop from iOS 7 up, as well as Mac OS X versions from Yosemite up.

Source: Norton.com

Remediation:

  • Be vigilant about installing patches from Apple. Upgrade the devices to iOS 9 and OS X 10.11 El Capitan as soon as they become available.
  • Turn off Bluetooth and Wi-Fi unless you are actively using them, if possible.
  • Limit AirDrop sharing to ‘Contacts Only’.
  • If you don’t use AirDrop at all, you can disable it by swiping up from the bottom of the iOS screen. Tap on AirDrop, and tap on “Off.”