Not everything Apple makes “just works” — at least not as intended, anyway.
Security researchers exploring AirDrop, the iOS and macOS feature that lets users wirelessly share files via WiFi and Bluetooth, reported Wednesday on a flaw they say exposes users’ emails and phone numbers. Unless you want every creep on the street to be able to secretly grab your contact info, it’s a bit of a nightmare.
The researchers, a team made up of members of the and the Cryptography and Privacy Engineering Group (ENCRYPTO), claim they alerted Apple to the flaw in May of 2019. However, according to them, the company never responded.
“As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger,” reads Tuesday’s press release. “All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.”
We reached out to Apple to confirm the findings and to ask if indeed it was alerted to the vulnerability in 2019. We received no immediate response.
Notably, this is not the first questionable privacy situation tied to AirDrop. In 2019, researchers discovered that they were able to determine users’ phone numbers based on the partial hashes AirDrop sends out. It’s not clear if that concern was ever addressed by Apple, especially as the vulnerability disclosed this week appears similar in nature.
“The discovered problems are rooted in Apple’s use of hash functions for ‘obfuscating’ the exchanged phone numbers and email addresses during the [AirDrop] discovery process,” explains Tuesday’s press release. “However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.”
AirDrop is also notorious for its association with digital harassment. Specifically, harassers used the feature for cyber-flashing — wherein a stranger bombards a victim’s phone with unwanted photos of a sexual or graphic nature — and sending images associated with white supremacists to people just going about their own business in public.
Someone just tried to airdrop a dick pic to my phone in a public space ???? I’m so confused and angry?????
— Julia Beebe (@juliaebeebe) August 26, 2017
Of course, you don’t have to deal with any of this.
It’s not a permanent thing — you can always briefly turn AirDrop back on if you need it for some reason — but disabling the feature will provide you with some peace of mind, and hey, that “just works.”