SECURITY
SECURITY
SECURITY
Security issue in Apple Airdrop allow attackers to steal personal information
A security issue in Apple Inc.’s AirDrop feature can allow an attacker to steal personal information from an Apple user.
Detailed April 21 by security researchers at the Technical University of Darmstadt in Germany, the security issue was first discovered two years ago but despite their contacting Apple in May 2019, the issue still exists.
Using the vulnerability, attackers can learn the phone number and email address of an AirDrop user — even a complete stranger. To do so, all they require is a Wi-Fi capable device and to be in physical proximity to a target. They can initiate the discovery process by opening the sharing panel on an iOS or macOS device.
The issue relates to Apple’s use of hash functions to hide phone numbers and email addresses during the AirDrop discovery process. The researchers claim that the hashing fails to provide privacy-preserving contact discovery because the hash values used by Apple can be “quickly reversed using simple techniques such as brute-force attacks.”
Hashing, in this case, refers to encryption. Apple uses SHA-256 cryptographic hashes, but the issue, as noted by Sophos plc Naked Security, is that there is no “salting” involved. Salting is a process of randomizing data that is used as an additional input to a one-way function that hashes data — an additional layer of protection. Without salting, as in the case with AirDrop, an attacker with a precomputed list of all possible hashes could use the hashed data from AirDrop to look up the number or email address in a hash list and thus “reverse” the cryptography by brute force.
The researchers have created a new cryptographic protocol called “PrivateDrop” to replace the original AirDrop design. It’s based on optimized cryptographic private set intersection protocols that can perform the contact process without exposing vulnerable values.
“So far, Apple has neither acknowledged the problem nor indicated that they are working on a solution,” the researchers concluded. “This means that the users of more than 1.5 billion Apple devices are still vulnerable to the outlined privacy attacks. Users can only protect themselves by disabling AirDrop discovery in the system settings and by refraining from opening the sharing menu.”
A full scientific paper on the researchers findings is set to be presented at the USENIX Security Symposium in August.
Photo: Ann-Kathrin Braun/Technical University of Darmstadt
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
