Wednesday, June 1, 2022

AirDrop Contacts Privacy Flaw

Sami Fathi:

Researchers at TU Darmstadt have discovered that the process which AirDrop uses to find and verify someone is a contact on a receiver’s phone can expose private information.

[…]

As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.

The discovered problems are rooted in Apple’s use of hash functions for “obfuscating” the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.

I’m not sure of the status of this issue. The flaw was reported to Apple in 2019, and Fathi’s article is from 2021, but I’ve not heard more about it since.
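The core of the researchers' claim is that a phone number carries so little entropy that an unsalted hash of it can be undone by simple enumeration. The following Python is an added illustration, not code from the article, the TU Darmstadt paper, or Apple; the exact encoding AirDrop hashes is an assumption here (a bare digit string under SHA-256), and the phone number is a constructed sample in a fictional 555 exchange. It measures the search space of a digit string and then recovers a constructed number from its digest by enumerating a small suffix range under a known prefix, which is the brute-force reversal the quoted text refers to.

```python
import hashlib
import math
from typing import Optional

# Constructed sample for illustration only: a 10-digit number in a fictional 555 exchange.
SAMPLE_NUMBER = "4155550123"


def phone_hash(number: str) -> str:
    """SHA-256 hex digest of a bare phone-number string.

    This models the unsalted "obfuscation" the post describes; the exact
    canonical form AirDrop hashes is an assumption, not taken from the article.
    """
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def search_space_bits(digit_count: int) -> float:
    """Entropy, in bits, of a uniformly chosen digit string of the given length.

    A 10-digit number is about 33 bits; an unsalted hash of such a value
    protects nothing, because every candidate can be hashed and compared.
    """
    return digit_count * math.log2(10)


def invert_phone_hash(digest: str, known_prefix: str, free_digits: int) -> Optional[str]:
    """Recover a number from its unsalted hash by enumerating every suffix under a known prefix.

    With a 6-digit prefix and 4 free digits the space is only 10_000 values;
    without any prefix the full 10-digit space is still feasible offline,
    which is why hashing alone is not privacy-preserving contact discovery.
    Returns None if no candidate under the prefix matches.
    """
    for n in range(10 ** free_digits):
        candidate = known_prefix + str(n).zfill(free_digits)
        if phone_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    digest = phone_hash(SAMPLE_NUMBER)
    print(f"10-digit numbers: about {search_space_bits(10):.1f} bits of entropy")
    print(f"recovered from digest {digest[:16]}...: {invert_phone_hash(digest, '415555', 4)}")
```

The takeaway for a defender is that swapping SHA-256 for a slower hash does not change the picture: the input space, not the hash, is the weakness. A keyed hash would stop the enumeration, but both parties would need the key, so a contact-discovery protocol needs a private set intersection construction rather than a better hash function.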

ikramerica:

[Does] this mean turning on “everyone” is more secure as no matching is attempted?

1 Comment

But isn't it that the initiator needs to first send its identification to nearby devices for them to determine whether even to accept the call?
Targets won't bother identifying themselves to an initiator who is not in their contacts book, will they?
