Ars Technica published the initial report on Thursday, outlining what researchers have discovered about the wireless sharing feature. According to the findings, the security flaw in AirDrop makes it possible for anyone with a laptop and scanning software to ascertain the phone number of the sharing device.
And when it’s used against a Mac? The Mac can then give up its MAC address through the same security flaw.
Hexway’s report includes proof-of-concept software that demonstrates the information broadcast. Errata Security CEO Rob Graham installed the proof-of-concept on a laptop that was equipped with a wireless packet sniffer dongle, and within a minute or two he captured details of more than a dozen iPhones and Apple Watches that were within radio range of the bar where he was working.
Unfortunately, the researchers say this is a pretty common kind of security flaw, one that arises when a company tries to balance ease of use against security and privacy:
“This is the classic trade-off that companies like Apple try to make when balancing ease of use vs privacy/security,” independent privacy and security researcher Ashkan Soltani told Ars. “In general, automatic discovery protocols often require the exchange of personal information in order to make them work—and as such—can reveal things that could be considered sensitive. Most security and privacy minded folks I know disable automatic discovery protocols like AirDrop, etc just out of principle.”
As for taking advantage of the security flaw, it turns out it’s pretty easy, even if Apple has tried to remove the danger:
In the event someone is using AirDrop to share a file or image, they’re broadcasting a partial SHA256 hash of their phone number. In the event Wi-Fi password sharing is in use, the device is sending partial SHA256 hashes of its phone number, the user’s email address, and the user’s Apple ID. While only the first three bytes of the hash are broadcast, researchers with security firm Hexway (which published the research) say those bytes provide enough information to recover the full phone number.
The password sharing feature can lead to the same results:
You just have to choose a network from the list, and your device will start sending Bluetooth LE requests to other devices asking them for the password. How does your friend know that the person requesting a password is you? Broadband BLE requests contain your data, namely, SHA256 hashes of your phone number, AppleID, and email. Only the first 3 bytes of the hashes are sent, but that’s enough to identify your phone number (actually, the number is recovered from HLR requests that provide phone number status and region).
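To show why a three-byte prefix does little to hide something as low-entropy as a phone number, here is an added example (not Hexway's proof-of-concept and not code from the reports quoted above) that measures how many numbers in a constructed block share one truncated hash. Hashing the plain digit string, the made-up number block and all function names are assumptions for illustration.

```python
import hashlib

PREFIX_BYTES = 3  # per the report: only the first three bytes of the hash are broadcast


def broadcast_prefix(identifier: str, n: int = PREFIX_BYTES) -> bytes:
    """First n bytes of SHA-256(identifier).

    Assumption: the identifier is hashed as a plain UTF-8 digit string; the
    exact normalisation Apple applies is not given on this page.
    """
    return hashlib.sha256(identifier.encode("utf-8")).digest()[:n]


def constructed_block(size: int) -> list[str]:
    """Constructed sample space of made-up numbers: '1555' followed by 7 digits."""
    return [f"1555{i:07d}" for i in range(size)]


def anonymity_set(prefix: bytes, candidates: list[str]) -> list[str]:
    """Every candidate whose truncated hash equals the observed prefix."""
    n = len(prefix)
    return [c for c in candidates if broadcast_prefix(c, n) == prefix]


def expected_set_size(space_size: int, n: int = PREFIX_BYTES) -> float:
    """Average number of identifiers sharing one n-byte prefix in a space."""
    return space_size / 2 ** (8 * n)


if __name__ == "__main__":
    block = constructed_block(200_000)
    device_number = block[123_456]  # constructed "owner" of the broadcasting device
    for n in (1, 2, 3):
        hidden_among = anonymity_set(broadcast_prefix(device_number, n), block)
        print(f"{n}-byte prefix: {len(hidden_among)} numbers share it "
              f"(expected about {expected_set_size(len(block), n):.2f})")
    # A whole 10-digit numbering plan still averages only ~600 numbers per prefix.
    print(f"10^10 numbers, 3-byte prefix: ~{expected_set_size(10**10):.0f} per prefix")
```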
The full report is certainly worth a look, especially if you find yourself using AirDrop fairly frequently while out in public.
How important do you think these types of security flaws are for Apple as a company, and for the device owners out there in the wild? How often do you use AirDrop?