AirDrop Vulnerability Exposes Users’ Phone Numbers and Email Addresses

Researchers from the Technical University of Darmstadt in Germany have discovered two vulnerabilities in AirDrop that can be used to extract users’ phone numbers and email addresses. The team plans to present their findings in August 2021 at the USENIX conference.

How the Vulnerability Works

These issues are related to the authentication process that occurs at the initial stage of an AirDrop connection. When devices try to discover each other, they determine if they belong to users who know each other by checking if a phone number is in the other device’s contact list. To do this, Apple devices exchange AWDL (Apple Wireless Direct Link) packets, which contain information about the devices and their owners, including technical details and personal data such as phone numbers, Apple ID identifiers, and email addresses. To protect this data from interception, Apple hashes it using SHA-256.

The researchers explain that a device will broadcast these discovery packets in all directions and at any time if AirDrop is enabled. As a result, an attacker in close proximity to the target can use a WiFi card to intercept these messages, then crack the hashed data and recover personal information.
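The following added example (not code from the researchers or from Apple) shows why an unsalted SHA-256 hash does not hide a phone number: the set of possible numbers is small enough to enumerate. The E.164 string encoding, the function names, and the fictional 555-01xx sample number are assumptions made for illustration and do not reproduce AirDrop's actual packet format.

```python
import hashlib
import math


def hash_identifier(value: str) -> str:
    """Unsalted SHA-256 of a contact identifier (assumed encoding: UTF-8 string)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def search_space_bits(unknown_digits: int) -> float:
    """Entropy, in bits, of an identifier with this many unknown decimal digits."""
    return unknown_digits * math.log2(10)


def recover_by_enumeration(target_hash: str, prefix: str, unknown_digits: int):
    """Hash every candidate number under `prefix` and compare with the target.

    Returns the matching number, or None if the hashed value is outside
    the enumerated range.
    """
    for n in range(10 ** unknown_digits):
        candidate = f"{prefix}{n:0{unknown_digits}d}"
        if hash_identifier(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a number from the range reserved for fiction.
    sample_number = "+12025550147"
    observed = hash_identifier(sample_number)

    # A full 10-digit national number carries only about 33 bits of entropy,
    # far below the 128 bits expected of a secret.
    print(f"10 unknown digits = {search_space_bits(10):.1f} bits")

    # With the country and area prefix known, only 4 digits remain here.
    print("recovered:", recover_by_enumeration(observed, "+1202555", 4))
```

The design lesson is that a hash only protects inputs an observer cannot guess, so identifiers drawn from a small, structured space need a protocol that never reveals a value an outsider can test candidates against.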

Previous Findings and Expanded Research

The first reports about these issues were published back in 2019, when experts described various methods for recovering information via AirDrop, including phone status, WiFi status, OS version, buffer availability, and more. Now, the same research group has expanded their study, proving that it is also possible to recover other details, including phone numbers and email addresses.

Apple’s Response

The researchers notified Apple of their findings twice, in May 2019 and October 2020, and even suggested the company use a new, customizable protocol called PrivateDrop to prevent such leaks. However, the specialists have not received any response from Apple, and it remains unclear whether the company plans to fix the identified issues.
