Security firm warns of ‘significant privacy leak’ in AirDrop

German researchers outline flaw in Apple's wireless delivery system that could expose personal data.

Credit: Apple

AirDrop is a convenient way to share files and photos with the people around you, but a team of security researchers is warning that a flaw could allow strangers to steal your personal information even if they're locked out of the system.

The significant privacy leak was uncovered by researchers from the Technical University of Darmstadt in Germany, who claim they informed Apple about the leak nearly two years ago but it still exists. According to the report, the user doesn't even need to share a file to be vulnerable.

As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.

The problem stems from Apple's use hash functions to hide phone numbers and email addresses during the AirDrop discovery process. However, the TU researchers claim that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.

Once the share sheet comes up and AirDrop starts looking for people nearby, your information is exposed and vulnerable to attack, the researchers claim.

Privacy is one of Apple's main focuses with its products, and it goes to great lengths to make sure your personal information isn't shared without your consent. For example, Sign In with Apple uses a private email relay service so companies can't see your personal address.

They developed a solution using optimised cryptographic private set intersection protocols that can securely perform the contact discovery process without leaving personal data vulnerable. The group says that Apple has neither acknowledged the problem nor indicated that they are working on a solution. The researchers will publish their findings in August at the USENIX Security Symposium.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Apple

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Michael Simon

Michael Simon

Macworld.com
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?