Security researchers exploring AirDrop, the iOS and macOS feature that lets users wirelessly share files via WiFi and Bluetooth. on a flaw they say exposes users’ emails and phone numbers. Unless you want every creep on the street to be able to secretly grab your contact info, it’s a bit of a nightmare.
The researchers, a team made up of the Secure Mobile Networking Lab and the Cryptography and Privacy Engineering Group (ENCRYPTO), claim they alerted Apple to the flaw in May 2019. However, according to them, the company never responded.
We reached out to Apple to confirm the findings and to ask if indeed it was alerted to the vulnerability in 2019. We received no immediate response.
“As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger,” reads Tuesday’s press release. “All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.”
Notably, this is not the first questionable privacy situation tied to AirDrop. In 2019, researchers discovered that they were able to determine users’ phone numbers based on the partial hashes AirDrop sends out. It’s not clear if that concern was ever addressed by Apple, especially as the vulnerability disclosed this week appears similar in nature.
“The discovered problems are rooted in Apple’s use of hash functions for ‘obfuscating’ the exchanged phone numbers and email addresses during the [AirDrop] discovery process,” explains Tuesday’s press release. “However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.”
AirDrop is also notorious for its association with digital harassment. Specifically, harassers used the feature for cyber-flashing — wherein a stranger bombards a victim’s phone with unwanted photos of a sexual or graphic nature — and sending images associated with white supremacists to people just going about their own business in public.
Of course, you don’t have to deal with any of this.
If you’d rather avoid having your iPhone expose your contact info to creeps and protect yourself from cyber-flashers, you can turn AirDrop off
It’s not a permanent thing — you can always briefly turn AirDrop back on if you need it for some reason — but disabling the feature will provide you with some peace of mind, and hey, that “just works.”