Security researchers in Germany have put out a press release about research findings to be presented at Usenix 2021. They presented findings proving that “Apple AirDrop shares more than files”. They stated “We discovered significant privacy leaks in Apple’s file-sharing service.” This article will summarize those leaks for you to determine whether they are significant enough to stop using it. For CyberHoot employees, we feel the protective steps below allow us to continue using it.
For those who don’t have iPhones or Macs, AirDrop is a low latency, encrypted, high-speed Wi-Fi peer-to peer-connection Apple users utilize to share files or photos. This tool is called an AWDL, or Apple Wireless Direct Link. AWDL is largely used through Airdrop, but also while streaming music to your Apple TV via Airplay, or using your iPad as a secondary display with ‘Sidecar‘.
What’s The Issue?
The problem, according to the researchers, comes in the form of AirDrop’s Contacts only mode, where you tell AirDrop not to accept connections from just anyone, but only from users already in your own contact list. Look at the image below to see the settings available for AirDrop:
Just so you know, if you’re setting AirDrop to Everyone, that doesn’t mean that everyone can access your phone without you knowing. You receive a pop-up requesting permission to download the files, which senders can’t bypass. One problem with having Everyone set is that if someone tries to send you a file, the pop-up includes a tiny thumbnail of the file they want to send, so you can make sure it’s not only a sender you trust but also content you want on your device.
‘Contacts Only’ Vulnerability
With that being said, Contacts Only seems like the better choice. Although, the Darmstadt researchers found that the two ends of an AirDrop connection agree on whether they consider each other a contact by exchanging network packets that don’t properly protect the privacy of the contact data. Apple simply forgot to salt the cryptographic hashes used to identify each other leading to a reverse engineering vulnerability that can yield phone numbers and email addresses from a target phone.
The Technical Details
The researchers claim that the contact identifiers, which are based on phone numbers and email addresses, are exchanged as SHA-256 cryptographic hashes to protect the original data. Each end converts their own contact data into hashes and compares those against the data sent over from the other, rather than sharing and comparing the original phone numbers and email addresses; meaning they don’t have to reveal their raw contact data upfront to see which contacts they have in common.
Unfortunately, the hashes exchanged are just that, straight hashes, with no password salting involved. This means that if hackers had a precomputed list of all possible hashes for all possible phone numbers, they’d be able to look them up in their hash list and “reverse” the cryptography by sheer brute force.
How To Avoid Exploitation
It’s not easy for hackers to exploit your devices through your AWDL, but that doesn’t mean it won’t happen. CyberHoot recommends the following actions to reduce the likelihood of falling victim:
- Turn AirDrop off if you aren’t using it.
There’s no need to be discoverable to other AirDrop users all the time.
- Don’t blindly fall back to Everyone mode if Contacts Only mode keeps failing.
If you’re in a private place with a sender you trust, it’s probably OK, but if you’re in a busy coffee shop or shopping mall, remember that Everyone mode opens you up to everyone else around.
- Verify The Name Of The Phone You Are Connecting To Before Connecting To It
It is very easy to connect to the wrong phone using AirDrop when you’re in a crowded place such as a stadium, shopping mall. Resist the urge to connect blindly when you run across that old friend on one of these places and wish to share a few pictures. Check the name and proceed carefully.
- Keep Devices Up To Date
Go to Settings > General > Software Update.
- Turn Off Bluetooth When Not Using
Previous exploits have needed Bluetooth enabled to turn this into a true zero-click attack. Turn off your Bluetooth when you aren’t using it.
- If You’re a Programmer – Be Strict With Data
It’s never a bad idea to do additional error and bug checking.
- Know That Apple Products Are Not Inherently ‘More Secure’
Oftentimes users are under the false pretense that Apple products are secure, virus-free, and are never exploited. It’s critical to be aware that vulnerabilities exist in all devices and to follow the advice above by turning things off when not in use. Read CyberHoot’s ‘Malware in Macs‘ article to learn more about Mac’s vulnerabilities.