Apple’s AirDrop is vulnerable to private data leak: Researchers

Apple’s AirDrop technology is extremely convenient for anyone in the Apple ecosystem. It allows sharing files such as photos and videos wireless across iOS, iPadOS, and macOS devices. The proprietory tech uses both Wi-Fi and Bluetooth to establish a wireless connection and exchange files. It is being reported that the tech is vulnerable to data leaks and that it could leak users’ phone numbers and email addresses.

According to researchers from Germany’s Technical University of Darmstadt (via Gadgets360), AirDrop has a vulnerability that could impact Apple users. It is said that the problem exists within the use of hash functions. For the unaware, hash functions exchange phone numbers and email addresses during the discovery process. However, not all users are affected. That said, anyone who has set their receive settings to Everyone is at risk.

As per the researchers, if you have your settings set to Off or Contacts Only and if you have your share sheet open with AirDrop to look for other devices to connect, you are at risk.

How does this AirDrop vulnerability work?

Apple uses the novel SHA-256 hash functions to encrypt your private data such as phone number and email address while using AirDrop. These hashes can’t be converted into the cleartext by a novice. However, according to the researchers, an attacker who has a Wi-Fi-enabled device and is in physical proximity can initiate a process to decrypt the encryption.

There are two specific ways to exploit the flaws. First, the attacker could gain access to the user details once they are in proximity and open the share sheet on their Apple device. Secondly, the attacker could open the share menu and then look for a nearby device to perform a mutual authentication handshake with a responding receiver. However, this case is only valid if you have set the discovery of your devices on AirDrop to Everybody.

The post Apple’s AirDrop is vulnerable to private data leak: Researchers appeared first on Pocketnow.



* This article was originally published here

Comments