SAWT BEIRUT INTERNATIONAL

| 29 March 2024, Friday |

1.5 billion Apple users may be at risk of AirDrop flaw that lets hackers steal phone numbers, emails

Apple’s AirDrop makes it easy to share videos, pictures and presentations between its devices, but a new report suggests users may be sharing much more with digital thieves, the MailOnline reported.

A team from Technische Universität Darmstadt in Germany revealed that hackers can obtain emails and phone numbers of any nearby AirDrop users through the “Contacts Only” option.

The option uses a “mutual authentication mechanism” to confirm the sender and receiver are in each other’s contact list, but a bad actor within range of an Apple device can abuse this mechanism to gain access to the private information.

Although Apple uses encryption when data is exchanged, the German researchers found it is easily cracked using “simple techniques such as brute-force attacks.”

The issue was presented to the tech giant in 2019, but Apple has “neither acknowledged the problem nor indicated that they are working on a solution.”

Roughly 1.5 billion Apple devices might be at risk, according to the researchers.

“As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger,” researchers at Technische Universität Darmstadt shared in the study.

“All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.”

The problem is rooted in Apple’s use of hash functions for “obfuscating” the exchanged phone numbers and email addresses during the discovery process.

But the team also developed a solution to the flaw named “PrivateDrop,” which could be used instead of AirDrop until Apple eliminates the vulnerability.

Researchers explain that “PrivateDrop is based on optimized cryptographic private set intersection protocols that can securely perform the contact discovery process between 2 users without exchanging vulnerable hash values.”
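
The two ideas above, as an added illustration that is not from the article or the researchers' code: an unsalted hash of a phone number can be reversed by walking the small number space, while a Diffie-Hellman-style private set intersection finds common contacts without sending such hashes. The modulus, the `Party` class, the function names and all sample identifiers are constructed assumptions; this is a generic textbook PSI, not PrivateDrop's optimized protocol.

```python
import hashlib
import secrets

# Toy prime modulus (assumption chosen for brevity, not PrivateDrop's parameters).
P = 2**255 - 19

def sha256_hex(identifier):
    """Unsalted hash of a contact identifier, the kind of value the article calls vulnerable."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def enumerate_preimage(digest, prefix, digits):
    """Phone numbers are low-entropy: hashing every candidate in the range finds the input."""
    for n in range(10**digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if sha256_hex(candidate) == digest:
            return candidate
    return None

def to_group(identifier):
    """Map an identifier to an element in [1, P-1]."""
    h = int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big")
    return h % (P - 1) + 1

class Party:
    def __init__(self, contacts):
        self.contacts = list(contacts)
        self.key = secrets.randbelow(P - 3) + 2  # secret exponent, never transmitted

    def blind_own(self):
        """First message: own identifiers raised to the secret exponent."""
        return [pow(to_group(c), self.key, P) for c in self.contacts]

    def blind_again(self, values):
        """Apply the secret exponent to values the peer already blinded."""
        return [pow(v, self.key, P) for v in values]

def common_contacts(a, b):
    """Run both rounds; return the contacts of `a` that `b` also holds."""
    a_once = a.blind_own()                # a -> b
    b_once = b.blind_own()                # b -> a
    a_twice = b.blind_again(a_once)       # b -> a, order preserved
    b_twice = set(a.blind_again(b_once))  # computed locally by a
    # H(x)^(ka*kb) matches only for identifiers both sides hold.
    return [c for c, v in zip(a.contacts, a_twice) if v in b_twice]

if __name__ == "__main__":
    leaked = sha256_hex("+15550104321")  # constructed sample number
    print("recovered from hash:", enumerate_preimage(leaked, "+1555010", 4))
    alice = Party(["+15550100001", "bob@example.com"])
    bob = Party(["bob@example.com", "carol@example.com"])
    print("common contacts:", common_contacts(alice, bob))
```

An observer of the blinded messages cannot test guesses against them without one of the secret exponents, which is the property the plain hash lacks.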

    Source:
  • Daily Mail