Apple’s AirDrop feature is a convenient way to share files between the company’s devices, but security researchers from Technische Universität Darmstadt in Germany are warning that you might be sharing way more than just a file.
According to the researchers, it’s possible for strangers to discover the phone number and email of any nearby AirDrop user. All a bad actor needs is a device with Wi-Fi and to be physically close by. They can then simply open up the AirDrop sharing pane on an iOS or macOS device. According to their findings, if you have the feature enabled, you don’t even have to initiate or engage with any sharing to be at risk.
The problem is rooted in AirDrop’s “Contacts Only” option. The researchers say that in order to suss out whether an AirDrop user is in your contacts, AirDrop uses a “mutual authentication mechanism” to cross-reference that user’s phone number and email with another’s contacts list. Now, Apple isn’t just doing that willy-nilly. It does use encryption for this exchange. The problem is that the hash Apple uses is apparently easily cracked using “simple techniques such as brute-force attacks.” It is not clear from the research what level of computing power would be necessary to brute-force the hashes Apple uses.
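
To make the brute-force point concrete, the sketch below (an added example, not code from the researchers or Apple) shows why hashing a phone number does not hide it: the set of valid numbers is small enough to enumerate, and the measured hash rate gives a rough sense of the work involved. Plain unsalted SHA-256 is an assumption, since the article does not name the hash, and the +1 555 01xx numbers are constructed.

```python
import hashlib
import time

def digest(identifier: str) -> str:
    # Assumption: plain, unsalted SHA-256 stands in for the hash.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def recover(target: str, prefix: str, digits: int):
    """Walk every number under `prefix`; return the one whose digest matches."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if digest(candidate) == target:
            return candidate
    return None

def hashes_per_second(samples: int = 50_000) -> float:
    """Measure single-core hashing speed on this machine."""
    start = time.perf_counter()
    for n in range(samples):
        digest(f"+1555010{n:04d}")
    return samples / (time.perf_counter() - start)

def seconds_to_exhaust(space: int, rate: float) -> float:
    """Time to hash every candidate in a space of the given size."""
    return space / rate

if __name__ == "__main__":
    observed = digest("+15550100042")  # constructed, fictional number
    print("recovered:", recover(observed, "+1555010", 4))
    rate = hashes_per_second()
    print(f"{rate:,.0f} hashes/s on one core")
    hours = seconds_to_exhaust(10 ** 10, rate) / 3600
    print(f"all 10-digit numbers: about {hours:.1f} h")
```

The rate measured here is for one CPU core running Python, so the printed time is a ceiling rather than an estimate of what optimized hardware needs. A hash only protects inputs that carry enough entropy, which phone numbers do not.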