You can only stay safe by turning off AirDrop discovery in your Apple device’s system settings, research shows.
Two security holes in Apple’s AirDrop feature could allow attackers to obtain the phone numbers and email addresses associated with both the sending and the receiving device, German researchers have found. The feature, which lets users easily transfer files between Mac, iPhone and iPad, is present in more than 1.5 billion Apple devices.
Both vulnerabilities are classified as severe and affect AirDrop’s authentication protocol, according to the article titled PrivateDrop: Convenient Privacy Preservation Authentication for Apple AirDrop and written by a research team from the Technical University of Darmstadt, Germany.
“In particular, the vulnerabilities allow an adversary to know the contact identifiers (i.e. phone numbers and email addresses) of nearby AirDrop senders and receivers. The flaws come from exchanging hash values of these contact IDs during the discovery process, which can be easily patched using brute force or dictionary attacks,” the article read.
Stolen credentials could, for example, be used for spear-phishing campaigns, or the combination of a phone number and email address could be sold on the dark web, where other cybercriminals could abuse them for malicious purposes.
A cybercriminal who wants to exploit the loopholes would have to be in physical proximity to the victim and have a device with a standard Wi-Fi card in order to communicate using the Apple Wireless Direct Link (AWDL) protocol, which is used by AirDrop and AirPlay.
When initiating authentication, the sender always shares its own contact identifiers first, in an initial HTTPS POST /Discover message. The receiver then returns its own contact identifiers in an HTTPS 200 OK response to that discovery message, but only if it already knows the sender, usually by the sender’s phone number or email address.
To access a sender’s contact credentials, the threat actor will have to wait for the target to activate AirDrop and start searching for receivers by opening the AirDrop sharing pane on the victim’s device.
“The target device will freely send a discovery message to any AirDrop receiver found during the previous DNS-SD service lookup. Therefore, an attacker can learn the target’s validation record without any authentication by simply announcing an AirDrop service through multicast DNS (mDNS),” the researchers explained. Once the attacker has obtained the validation record, the contact identifiers can be recovered from their hashes offline.
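The reason an offline recovery works is that phone numbers and email addresses are drawn from a small, structured space, so a plain hash of one can be inverted by enumerating that space. The following is an added illustration of that entropy argument, not code from the PrivateDrop paper; it assumes an unkeyed SHA-256 over the identifier string (the article does not name the hash function) and uses a constructed toy number space.

```python
import hashlib
import math

def hash_identifier(identifier: str) -> str:
    """Unkeyed hash of a contact identifier (assumption: SHA-256 over the raw string)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def search_space_bits(candidate_count: int) -> float:
    """Effective entropy of an identifier chosen from candidate_count possibilities.
    A national phone-number space of roughly 10**10 numbers is only ~33 bits,
    which is why hashing alone does not hide it."""
    return math.log2(candidate_count)

def build_lookup_table(candidate_ids):
    """Precompute hash -> identifier for every candidate.
    Cost is linear in the size of the identifier space, not in the hash's output size."""
    return {hash_identifier(c): c for c in candidate_ids}

def recover_identifier(leaked_hash: str, table: dict):
    """Return the identifier behind a leaked hash, or None if it lies outside the table."""
    return table.get(leaked_hash)

# Constructed toy space: one fixed prefix plus four free digits = 10,000 candidates.
TOY_PREFIX = "+49 1234 5"
TOY_SPACE = [f"{TOY_PREFIX}{n:04d}" for n in range(10_000)]

def demo():
    # Constructed "victim" identifier; only its hash is assumed to be observed.
    leaked = hash_identifier("+49 1234 57731")
    table = build_lookup_table(TOY_SPACE)
    return recover_identifier(leaked, table)

if __name__ == "__main__":
    print("recovered:", demo())
    print("toy space bits:", round(search_space_bits(len(TOY_SPACE)), 2))
    print("10-digit national space bits:", round(search_space_bits(10**10), 2))
```

The lesson for protocol designers is that hashing does not protect low-entropy identifiers; this is why the researchers replaced the hash exchange with a private set intersection in PrivateDrop.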
Meanwhile, to obtain a receiver’s contact identifiers, all that is needed is for the receiver to have the malicious sender in its contacts.
How to stay safe
To plug the ID leak, the researchers came up with their own solution in the form of a private mutual authentication protocol they dubbed PrivateDrop, which they submitted to Apple in a spirit of responsible disclosure in October 2020. The researchers had also informed the Cupertino tech titan in May 2019, when they first discovered the sender ID leak.
However, the researchers said that “Apple has neither recognized the problem nor indicated that they are working on a solution,” leaving users vulnerable to attack.
“Users can only protect themselves by turning off AirDrop discovery in system settings and refraining from opening the share menu,” the research team added.