The AirDrop feature on Apple devices is very handy for sharing files. But researchers are now pointing out security vulnerabilities that could allow hackers to grab your phone number and email address.
AirDrop: Practical, but also dangerous
Apple users can easily share files such as videos or photos with each other via AirDrop. The function is very practical, but apparently it also harbors dangers. Anyone who uses AirDrop could also expose personal data such as phone numbers or e-mail addresses to hackers.
Researchers at the Technical University of Darmstadt are currently warning about this in a paper. 1.5 billion devices worldwide are affected.
How hackers grab your data
The attack on Apple devices is made possible by “Contact Discovery” in AirDrop. Before the file exchange can take place, both devices check whether the other device is known, i.e. whether it is stored in the address book.
Only when both sides confirm this is the exchange of files possible. Apple uses a direct Wi-Fi connection and Bluetooth for this.
However, according to the researchers, this mutual check does not take place via a secure protocol, so hackers can view personal data at that moment, more precisely the phone number and the e-mail address.
This happens on both the receiver and sender side, which is why the researchers speak of two security gaps in the system.
The attackers do not see the data itself, but rather a hash value. However, the hash can be reversed relatively easily, say the scientists.
Apple knows the problem
Apple has been aware of the problem since 2019. So far, however, there is no way to close this security gap.
The only way to protect your data from hacker attacks via AirDrop is not to use the function or to deactivate it.
In theory, however, the exchange could be done securely, say the Darmstadt researchers. They have developed their own exchange mechanism, PrivateDrop, which is based on a private set intersection (PSI) protocol and thus protects the user’s data.
The good news is that Apple users can install and use PrivateDrop on their devices.
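To illustrate the PSI idea mentioned above, the following added example (not code from the article, the researchers, or PrivateDrop) sketches a generic Diffie-Hellman-style private set intersection in Python, in one direction only. The modulus, the SHA-256 hash-to-group step, and all names and sample identifiers are assumptions made for the illustration.

```python
import hashlib
import secrets

# Demo group: integers modulo the prime 2**255 - 19 (an assumption chosen so
# the example needs only the standard library; not a vetted PSI parameter set).
P = 2**255 - 19

def hash_to_group(identifier: str) -> int:
    """Hash an identifier and square it so it lands in one subgroup mod P."""
    digest = hashlib.sha256(identifier.encode()).digest()
    return pow(int.from_bytes(digest, "big") % P, 2, P)

class Party:
    def __init__(self, identifiers):
        self.identifiers = list(identifiers)
        self.key = secrets.randbelow(P - 3) + 2  # fresh secret exponent per session

    def blind_own(self):
        return [pow(hash_to_group(i), self.key, P) for i in self.identifiers]

    def blind_peer(self, values):
        return [pow(v, self.key, P) for v in values]

def intersect(initiator, responder):
    """Return (identifiers the initiator learns are shared, all wire messages)."""
    msg1 = initiator.blind_own()           # initiator -> responder: H(x)^a
    msg2 = responder.blind_peer(msg1)      # responder -> initiator: H(x)^(ab), same order
    msg3 = responder.blind_own()           # responder -> initiator: H(y)^b
    secrets.SystemRandom().shuffle(msg3)   # hide the responder's ordering
    shared = set(initiator.blind_peer(msg3))   # H(y)^(ba)
    matches = {i for i, v in zip(initiator.identifiers, msg2) if v in shared}
    return matches, msg1 + msg2 + msg3

# Constructed sample identifiers (not real contacts).
SENDER_IDS = ["+15550100", "alice@example.com"]
ADDRESS_BOOK = ["+15550100", "+15550123", "bob@example.com"]

def demo():
    matches, wire = intersect(Party(SENDER_IDS), Party(ADDRESS_BOOK))
    # What an observer could precompute: unblinded hashes of candidate identifiers.
    dictionary = {hash_to_group(i) for i in SENDER_IDS + ADDRESS_BOOK}
    return matches, dictionary & set(wire)

if __name__ == "__main__":
    print(demo())
```

The initiator learns only the one shared identifier, and none of the values on the wire equals a plain hash, because each is raised to a per-session secret exponent.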