Researchers Discover AirDrop Security Flaw That Could Expose Personal Data to Strangers

by

AirDrop is a feature that allows Apple devices to securely and conveniently transfer files, photos, and more between each other wirelessly. Users can share items with their own devices, friends, family, or even strangers. The convenience and ease of use, however, may be undermined by a newly discovered security flaw.

airdrop logo
Researchers at TU Darmstadt have discovered that the process which AirDrop uses to find and verify someone is a contact on a receiver's phone can expose private information. AirDrop includes three modes; Receiving Off, Contacts Only, Everyone. The default setting is Contacts Only, which means only people within your address book can AirDrop photos, files, and more to your device.

The researchers discovered that the mutual authentication mechanism that confirms both the receiver and sender are on each other's address book could be used to expose private information. The researchers claim that a stranger can use the mechanism and its process within the range of an iOS or macOS device with the share panel open to obtain private information. As the researchers explain:

As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.

The discovered problems are rooted in Apple's use of hash functions for "obfuscating" the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.

To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user's phone number and email address with entries in the other user's address book.

According to the researchers, Apple was informed of the flaw in May of 2019, and despite several software updates since then, the flaw remains.

Tag: AirDrop

Popular Stories

Generic iOS 19 Feature Mock Light

iOS 19 Leak Reveals All-New Design

Friday January 17, 2025 2:42 pm PST by
iOS 19 is still around six months away from being announced, but a new leak has allegedly revealed a completely redesigned Camera app. Based on footage it obtained, YouTube channel Front Page Tech shared a video showing what the new Camera app will apparently look like, with the key change being translucent menus for camera controls. Overall, the design of these menus looks similar to...
Read Full Article
2024 iPhone Boxes Feature

Apple Changes Trade-In Values for iPhones, iPads, Macs, and More

Thursday January 16, 2025 6:45 am PST by
Apple today adjusted estimated trade-in values for select iPhone, iPad, Mac, and Apple Watch models in the U.S., according to its website. Some values increased, while others decreased. The changes were not too significant, with most values rising or dropping by $5 to $50. We have outlined some examples below: Device New Value Old Value iPhone 15 Pro Max Up to $630 U ...
Read Full Article64 comments
2024 App Store Awards

Apple Explains Why It Removed TikTok From the App Store in the U.S.

Sunday January 19, 2025 6:58 am PST by
Apple on late Saturday removed TikTok from the App Store in the U.S., and it has now explained why it was required to take this action. Last year, the U.S. passed a law that required Chinese company ByteDance to divest its ownership of TikTok due to potential national security risks, or else the platform would be banned. That law went into effect today, and companies like Apple and Google...
Read Full Article237 comments
Generic iOS 18

Everything New in iOS 18.3 Beta 3

Thursday January 16, 2025 12:39 pm PST by
Apple provided the third beta of iOS 18.3 to developers today, and while the betas have so far been light on new features, the third beta makes some major changes to Notification Summaries and also tweaks a few other features. Notification Summary Changes Apple made multiple changes to Notification Summaries in response to complaints about inaccurate summaries of news headlines. For...
Read Full Article28 comments
iOS 19 Roundup Feature

iOS 19 Rumored to Be Compatible With These iPhones

Saturday January 18, 2025 10:28 am PST by
iOS 19 will not drop support for any iPhone models, according to French website iPhoneSoft.fr. The report cited a source who said iOS 19 will be compatible with any iPhone that can run iOS 18, which would mean the following models: iPhone 16 iPhone 16 Plus iPhone 16 Pro iPhone 16 Pro Max iPhone 15 iPhone 15 Plus iPhone 15 Pro iPhone 15 Pro Max iPhone 14 iPhon...
Read Full Article
iPad Pro vs iPhone 17 Air Feature

Here's How Thin the iPhone 17 Air Might Be

Friday January 17, 2025 3:38 pm PST by
For the last several months, we've been hearing rumors about a redesigned version of the iPhone 17 that Apple might call the iPhone 17 "Air," or something along those lines. It's going to replace the iPhone 17 Plus as Apple's fourth iPhone option, and it will be offered alongside the iPhone 17, iPhone 17 Pro, and iPhone 17 Pro Max. We know the iPhone 17 Air is going to be super slim, but...
Read Full Article221 comments
airtag 4 pack blue

AirTag 2 Launching This Year With These 3 New Features

Sunday January 19, 2025 8:11 am PST by
After a four-year wait, a new AirTag is finally expected to launch in 2025. Below, we recap rumored upgrades for the accessory. A few months ago, Bloomberg's Mark Gurman said Apple was aiming to release the AirTag 2 around the middle of 2025. While he did not offer a more specific timeframe, that means the AirTag 2 could be announced by the end of June. The original AirTag was announced...
Read Full Article
apple power beats pro 2

Powerbeats Pro 2 Coming Soon: Apple to Announce Them 'Imminently'

Sunday January 19, 2025 8:25 am PST by
In September, Apple said that it would be launching Powerbeats Pro 2 in 2025, and it appears the wireless earbuds are coming very soon. Powerbeats Pro 2 images found in iOS 18 code In his Power On newsletter today, Bloomberg's Mark Gurman said the Powerbeats Pro 2 are "due imminently." In addition to Apple filing the Powerbeats Pro 2 in regulatory databases last month, Gurman said Apple is...
Read Full Article58 comments

Top Rated Comments

Apple_Robert Avatar
Apple_Robert
49 months ago
This is not good. If Apple was in fact informed specifically about this vulnerability in 2019, I take umbrage with Apple not having taken the proper steps to secure AirDrop.
Score: 12 Votes (Like | Disagree)
dannyyankou Avatar
dannyyankou
49 months ago

According to the researchers, Apple was informed of the flaw in May of 2019, and despite several software updates since then, the flaw remains. We've reached out to Apple for comment and will update this article if we hear back.
I’m sure now that they made this public, Apple will move with more urgency. Apple is usually better fixing security flaws, I’m disappointed.
Score: 9 Votes (Like | Disagree)
Unregistered 4U Avatar
Unregistered 4U
49 months ago

And that is the SIMPLE process. Why is this even news?
Because there’s really very little “security” news that’s even worth reporting, but the researchers still need attention and validation. But, their reports are of the sort that remind me my home has a security hole in that my chimney provides access to my house once you tear down the external facing wall. However, very few people are concerned by or will do anything about this vulnerability. My garage door? COMPLETELY vulnerable to a brute force attack by a tank. Why won’t garage door manufacturers DO anything about this?
Score: 8 Votes (Like | Disagree)
Unregistered 4U Avatar
Unregistered 4U
49 months ago

Yeah that doesn’t sound great. I wonder how many bad actors there actually are out there taking advantage of this loophole though?

Even though this obviously needs to be patched, does anyone seriously believe that any "bad actor" is going to go through this much work so he can sit in a Starbucks and steal someone's phone number? :)
No :) Folks need to remember that their life REALLY isn’t actually all that interesting, anyone interested IN their information is not going to waste time on an AirDrop brute force hack. If they are THAT close and REAAAAAALLLLY want your information, they can readily get access to it using one of the devices below.


Attachment Image
Score: 8 Votes (Like | Disagree)
13astion Avatar
13astion
49 months ago

This is not good. If Apple was in fact informed specifically about this vulnerability in 2019, I take umbrage with Apple not having taken the proper steps to secure Handoff.
It’s AirDrop, not Handoff. The latter is used by ONE user to transfer control or data between multiple devices that are already in their control (and logged into).

AirDrop allows TWO different users logged into TWO devices under their own control to share data. Hence the need for authentication.

And the attack vector is super specific... a black hat *physically nearby* has to try to grab your data while you initiate the AirDrops (and I would guess most AirDrops are small things: a contact card, a photo, a doc... all which take seconds to transfer), and THEN brute force the hashes... for what? A bit of stolen PII?

Yes, it’s *possible* for someone to do this... but *probable*? Naahh. Which is why Apple hasn’t prioritized it. In risk management you have to prioritize the risks by probability and impact... this one is pretty low on both counts.
Score: 7 Votes (Like | Disagree)
ikramerica Avatar
ikramerica
49 months ago

Namely, their email address and telephone number. Not their bank account data, not their social security number. Notice how they obfuscate “PRIVATE DATA OOOH SCARY” from what’s actually shared.

There is a VERY VERY good chance that your “private data” in this case is already on a list some ne’er do well purchased last month… and they didn’t even have to be within AirDrop range to get it! Next they’ll be reporting that
“Folks can gain access to your email address by ASKING you for it. If you fall for the exploit and provide them with your email address THEY WILL HAVE IT!! We reached out to Apple asking if they plan to stop providing email addresses so that people aren’t able to leak them and they looked at us funny and shooed us away.”
I am pretty sure you can get all that juicy data by putting a name in a google search. Plus home address, previous addresses, criminal record, etc.

I do think the odds of someone brute forcing an airdrop in close
proximity to you in order to discover your phone number and email is pretty remote. One assumes that if they are going to all that effort to target you, they already know your name.

One question for the researchers: does this mean turning on “everyone” is more secure as no matching is attempted?
Score: 7 Votes (Like | Disagree)
Read All Comments