
Gate – Gizmodo

Apple’s AirDrop feature is a convenient way to share files between the company’s devices, but security researchers at Technische Universität Darmstadt in Germany warn that you may be sharing much more than just a file.

According to researchers, strangers can discover the phone number and email address of any nearby AirDrop user. All the bad actor needs is a Wi-Fi device and physical proximity. They can then simply open the AirDrop sharing pane on their iOS or macOS device. If you have this feature enabled, according to their findings, you don’t even have to initiate or engage in sharing to be at risk.

The issue is due to AirDrop’s “Contacts Only” option. Researchers say that to determine whether an AirDrop user is in your contacts, it uses a “mutual authentication mechanism” that compares this user’s phone number and email address with the other user’s contact list. Apple doesn’t do this willy-nilly. It uses encryption for this exchange. The problem is that the hash that Apple uses can apparently be easily cracked using “simple techniques such as brute-force attacks.” It’s not clear from the study what level of processing power would be necessary to brute-force the hashes used by Apple.

Security flaws don’t necessarily mean a company is bad at what it does. Independent security researchers find vulnerabilities all the time, and most large tech companies have a system where researchers can report these vulnerabilities, the company fixes them, and they are then disclosed. Many times we only hear about these security threats after the company has already fixed them. What’s disturbing about this case is that TU researchers say they told Apple about this privacy flaw in May 2019. That was almost two years ago, and so far Apple has “not acknowledged the problem or indicated it was working on a fix.” According to researchers, this means that 1.5 billion Apple gadgets may still be susceptible to this particular flaw.

This is doubly concerning considering that TU researchers said they also presented a possible solution to Apple called “PrivateDrop.” Although they did not provide many details, researchers said PrivateDrop relies on cryptographic protocols that do not rely on the exchange of sensitive hash values. Supposedly, this would provide the convenience everyone loves about AirDrop, with authentication latency “well under one second.”

Gizmodo reached out to Apple for comment but did not immediately receive a response.

Apple is vocal about how it cares for consumer privacy and the security of its devices. (See: upcoming privacy labels in iOS 14.5, the Secure Enclave on its SoCs and more.) However, researchers say that if you don’t want to run the risk, the only solution right now is to disable AirDrop detection in System Settings and refrain from opening the AirDrop sharing panel.
