Apple’s reputation for protecting its users has come under threat in recent weeks as shocking revelation after revelation after revelation has hit the App Store. And now a serious new threat has been revealed for the company’s 1.65 billion active iPad, iPhone and Mac/MacBook users around the world.
Research from Germany’s Technical University of Darmstadt has discovered a gaping security hole in AirDrop, Apple’s cross-device file sharing system, that easily allows hackers to access user data. Moreover, the researchers explain that they warned Apple about this flaw almost three years ago and the company has “neither acknowledged the problem nor indicated that they are working on a solution.” And that’s just the start of it.
“As sensitive data is typically exclusively shared with people who users already know, AirDrop only shows receiver devices from address book contacts by default,” explain the researchers. “To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user’s phone number and email address with entries in the other user’s address book.”
On the surface this makes sense, but looking more closely the team discovered: “As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.”
The team traced the flaw to Apple’s use of hash functions for “obfuscating” the exchanged phone numbers and email addresses during the discovery process: “hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.” Once the hash values are reversed, an attacker has the user’s phone number and email address.
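Why hashing does not hide a phone number comes down to the size of the input space, which the following added example measures (it is not code from the researchers or from Apple). It assumes an unsalted SHA-256 digest, an assumed hash rate, and a constructed fictional number range; the article itself only says "hash functions".

```python
import hashlib
import secrets


def digest(identifier: str) -> str:
    # Assumption: unsalted SHA-256 over the identifier string.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyspace(free_digits: int) -> int:
    """Number of candidates when `free_digits` decimal digits are unknown."""
    return 10 ** free_digits


def seconds_to_exhaust(free_digits: int, hashes_per_second: float) -> float:
    """Worst-case time to hash every candidate at an assumed hash rate."""
    return keyspace(free_digits) / hashes_per_second


def build_table(prefix: str, free_digits: int) -> dict:
    """Map digest -> number for every number that shares `prefix`."""
    table = {}
    for n in range(keyspace(free_digits)):
        number = f"{prefix}{n:0{free_digits}d}"
        table[digest(number)] = number
    return table


def recover(observed_digest: str, table: dict):
    """Return the matching identifier, or None if it is outside the table."""
    return table.get(observed_digest)


if __name__ == "__main__":
    # Constructed sample: fictional 555-01xx style number, 4 unknown digits.
    table = build_table("+1202555", 4)
    print(recover(digest("+12025550143"), table))          # low-entropy input
    print(recover(digest(secrets.token_hex(16)), table))   # 128-bit random input
    # Assumed rate of 1e7 hashes/s against a full 10-digit national number.
    print(seconds_to_exhaust(10, 1e7), "seconds")
```

The same hash function that gives up the phone number keeps the random 128-bit value hidden, so the weakness lies in the guessable input, not in the hash.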