COOL BLIND TECH

Security Alert: Apple’s AirDrop has a data leakage vulnerability

Apple’s AirDrop can be an incredibly useful utility, but it is possible that you could be sending more than you bargained for, as researchers have found that an attacker could glean the phone number and email of AirDrop users.

The researchers reported this privacy issue in 2019, but a reported 1.5 billion users are still vulnerable, as Apple has seemingly done nothing. Earlier this week, researchers at the Technical University of Darmstadt published a blog post outlining their findings about AirDrop. By way of background, AirDrop allows users to share files with address book contacts. To verify that someone is in an address book, AirDrop uses a “mutual authentication mechanism” to compare a user’s phone number and email with entries in the other user’s address book.

As it turns out, an attacker can gain information just by having a “Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.” The issue stems from how the authentication mechanism hashes the phone number and email that are sent over the air: those hashes could be brute-forced.
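Why hashing alone does not hide a phone number, as an added example that is not code from the researchers or from Apple. It assumes SHA-256 (the article does not name the hash function) and uses a constructed number from the fictional 555-01xx range with only the last four digits treated as unknown.

```python
import hashlib
import math

# Constructed sample: a number from the fictional 555-01xx range.
SAMPLE_NUMBER = "+12025550147"
KNOWN_PREFIX = "+1202555"   # assumed known for this small demonstration
UNKNOWN_DIGITS = 4


def hash_identifier(identifier: str, salt: bytes = b"") -> str:
    """Hash a contact identifier. SHA-256 is an assumption of this example."""
    return hashlib.sha256(salt + identifier.encode("utf-8")).hexdigest()


def search_space_bits(digits: int) -> float:
    """Entropy, in bits, of a number with `digits` unknown decimal digits."""
    return digits * math.log2(10)


def recover_by_enumeration(target, prefix, unknown_digits, salt=b""):
    """Hash every candidate in the space; return the match or None."""
    for n in range(10 ** unknown_digits):
        candidate = f"{prefix}{n:0{unknown_digits}d}"
        if hash_identifier(candidate, salt) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Ten unknown decimal digits carry only about 33 bits of entropy,
    # far too little for a hash to keep its input secret.
    print(f"10 unknown digits: {search_space_bits(10):.1f} bits")

    observed = hash_identifier(SAMPLE_NUMBER)
    print(recover_by_enumeration(observed, KNOWN_PREFIX, UNKNOWN_DIGITS))

    # A salt that travels with the hash only defeats precomputed tables;
    # the input space is still small enough to enumerate per observation.
    salt = b"constructed-public-salt"
    observed_salted = hash_identifier(SAMPLE_NUMBER, salt)
    print(recover_by_enumeration(observed_salted, KNOWN_PREFIX, UNKNOWN_DIGITS, salt))
```

For design review, the takeaway is that any value derived deterministically from a low-entropy identifier and exposed to unauthenticated parties should be treated as the identifier itself.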

In 2019, the researchers who found this problem informed Apple, but they are now reporting that Apple has not acknowledged the problem “nor indicated that they are working on a solution.” Therefore, nearly 1.5 billion Apple device users around the world could be vulnerable to personal data leakage. Until Apple issues a proper fix, the workaround is to disable AirDrop entirely if you are concerned.
