Two years ago, a security flaw in the AirDrop feature was disclosed, but nothing has been done to address it.
Back in May 2019, Apple Computer’s AirDrop feature was discovered by cybersecurity researchers to contain a security flaw that leaked personal data. Despite being informed of this serious bug, Apple has not fixed it to date.
The AirDrop feature uses Wi-Fi and Bluetooth Low Energy to facilitate wireless file transfers between devices in the Apple ecosystem. There is some built-in security involving full SHA-256 hashes of the device owners’ phone numbers and email addresses, but because these inputs carry so little entropy, attackers have found a way to recover them from the hashes using brute-force attacks.
According to the researchers, every time users open a sharing panel on macOS or iOS, their device leaks these hashes and thereby discloses their details. Right now, the only way to prevent this from happening is to set AirDrop’s discovery setting to “no one” in the system settings and to refrain from opening the sharing panel.
Two years of heightened risk
While the AirDrop feature promoted usability, the weakness of its security algorithm was overlooked. One cybersecurity expert noted that some may argue the leaked information is still hashed and therefore hard to crack, but today’s abundance of processing power, coupled with the low entropy (randomness) of the phone numbers being hashed, means that brute-force methods can recover such hashes in no time.
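The point above, that a deterministic hash of a low-entropy value protects little, can be illustrated in a few lines. This is an added example, not code from Apple or the researchers; the phone-number format, the constructed sample number and the four-digit search range are assumptions chosen to keep the run short.

```python
"""Shows why an unkeyed SHA-256 of a phone number offers little protection:
the input space is tiny compared with the hash's output space, so a target
hash can be matched by hashing candidate numbers (constructed example)."""
import hashlib
import hmac
import math
import secrets
from typing import Optional


def identifier_hash(phone: str) -> str:
    """Unkeyed SHA-256 of a normalised phone number (the scheme described above)."""
    return hashlib.sha256(phone.encode()).hexdigest()


def search_space_bits(digits: int) -> float:
    """Effective entropy of an all-digit identifier of the given length.
    A 10-digit number has only about 33 bits, far below SHA-256's 256-bit output."""
    return math.log2(10 ** digits)


def recover_from_hash(target: str, prefix: str, digits: int) -> Optional[str]:
    """Dictionary check: hash every number with a fixed prefix and `digits`
    free positions and compare each result with the target hash."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if identifier_hash(candidate) == target:
            return candidate
    return None


def keyed_identifier_hash(phone: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key. The same dictionary check fails unless the
    key is also known; shown only to isolate the entropy problem, not as a
    drop-in replacement for AirDrop's contact matching (assumption)."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    sample = "+15550001234"  # constructed number, not a real subscriber
    print(f"10-digit numbers: ~{search_space_bits(10):.1f} bits of entropy")
    print("unkeyed hash recovered:", recover_from_hash(identifier_hash(sample), "+1555000", 4))
    key = secrets.token_bytes(32)
    print("keyed hash recovered:", recover_from_hash(keyed_identifier_hash(sample, key), "+1555000", 4))
```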
Commented Boris Cipot, Senior Security Engineer, Synopsys Software Integrity Group: “What is perhaps even more concerning is that this has been a known issue for two years and no publicly-announced efforts have been made to boost the security around this feature. The leaked information including phone numbers and email addresses, used to identify devices to which users connect, can also be used to tie the owner to services or other points of interest they may want to keep private.”
Cipot said that maintaining a well-structured application is a balancing act in upholding the concept of the “security triangle”, which ties functionality and usability together. Such inter-dependencies between these three attributes in software mean that boosting usability and functionality at the expense of security is not acceptable.
In the meantime, the researchers have proposed a more secure implementation of AirDrop, called PrivateDrop, to Apple, without any acknowledgement.