Security issue in Apple Airdrop allow attackers to steal personal information
A security issue in Apple Inc.’s AirDrop feature can allow an attacker to steal personal information from an Apple user.
Detailed April 21 by security researchers at the Technical University of Darmstadt in Germany, the security issue was first discovered two years ago but despite their contacting Apple in May 2019, the issue still exists.
Using the vulnerability, attackers can learn the phone number and email address of an AirDrop user — even a complete stranger. To do so, all they require is a Wi-Fi capable device and to be in physical proximity to a target. They can initiate the discovery process by opening the sharing panel on an iOS or macOS device.
The issue relates to Apple’s use of hash functions to hide phone numbers and email addresses during the AirDrop discovery process. The researchers claim that the hashing fails to provide privacy-preserving contact discovery because the hash values used by Apple can be “quickly reversed using simple techniques such as brute-force attacks.”
Hashing, in this case, refers to encryption. Apple uses SHA-256 cryptographic hashes, but the issue, as noted by Sophos plc Naked Security, is that there is no “salting” involved. Salting is a process of randomizing data that is used as an additional input to a one-way function that hashes data — an additional layer of protection. Without salting, as in the case with AirDrop, an attacker with a precomputed list of all possible hashes could use the hashed data from AirDrop to look up the number or email address in a hash list and thus “reverse” the cryptography by brute force.
The researchers have created a new cryptographic protocol called “PrivateDrop” to replace the original AirDrop design. It’s based on optimized cryptographic private set intersection protocols that can perform the contact process without exposing vulnerable values.
“So far, Apple has neither acknowledged the problem nor indicated that they are working on a solution,” the researchers concluded. “This means that the users of more than 1.5 billion Apple devices are still vulnerable to the outlined privacy attacks. Users can only protect themselves by disabling AirDrop discovery in the system settings and by refraining from opening the sharing menu.”
A full scientific paper on the researchers findings is set to be presented at the USENIX Security Symposium in August.
Photo: Ann-Kathrin Braun/Technical University of Darmstadt
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU