Do you use Apple devices? If you do, chances are that even if, unlike me, you are not a fan of AirDrop, you have used it a few times, if not more. Here is what you need to know about the AirDrop flaw.
According to German researchers from Technische Universität Darmstadt, it's possible for strangers to discover the phone number and email of any nearby AirDrop user. All a bad actor needs is a device with Wi-Fi and to be physically close by. They can then simply open up the AirDrop sharing pane on an iOS or macOS device. If you have the feature enabled, it doesn't even require you to initiate or engage with any sharing to be at risk, as per their findings.
The researchers say that the problem is primarily due to the “Contacts Only” option. To find out whether the other user is in your contacts, AirDrop uses a “mutual authentication mechanism” to validate that the user's phone number and email addresses are in the contact list. Of course, knowing Apple, this transmission is encrypted, but it can apparently be easily cracked using “simple techniques such as brute-force attacks”.
Having a weakness or flaw doesn't make a product or organization bad. What is more worrisome is that the researchers from Technische Universität Darmstadt also claim that they informed Apple of this flaw back in May 2019 via responsible disclosure, which makes it close to two years ago, and that since then Apple has “neither acknowledged the problem nor indicated that they are working on a solution”.
The researchers also said that they gave Apple a potential solution, “PrivateDrop”. While they didn't give a lot of details, the researchers said PrivateDrop is based on cryptographic protocols that don't rely on exchanging weak hash values. Presumably, this would keep the convenience everybody loves about AirDrop, with an authentication delay of “well under one second.”
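Why a hash of a phone number is a weak way to hide it, as an added example that is not code from the researchers or from Apple. It assumes an unsalted SHA-256 hash; the number, its prefix and all function names are constructed for illustration.

```python
import hashlib
import math
import secrets

# Constructed sample data: a fictional number whose last 4 digits are unknown.
SAMPLE_PREFIX = "+1555010"
SAMPLE_NUMBER = "+15550100142"


def hash_identifier(identifier: str) -> str:
    """Unsalted SHA-256 of a contact identifier (assumed hash function)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def search_space_bits(unknown_digits: int) -> float:
    """Bits of entropy in a number with this many unknown decimal digits."""
    return unknown_digits * math.log2(10)


def recover_from_hash(target: str, prefix: str, unknown_digits: int):
    """Hash every number under `prefix` and compare against `target`.

    Returns (number, guesses_used), or (None, guesses_used) if nothing matched.
    """
    total = 10 ** unknown_digits
    for n in range(total):
        candidate = f"{prefix}{n:0{unknown_digits}d}"
        if hash_identifier(candidate) == target:
            return candidate, n + 1
    return None, total


def demo():
    # A hashed phone number falls to plain enumeration of the number range.
    number, guesses = recover_from_hash(
        hash_identifier(SAMPLE_NUMBER), SAMPLE_PREFIX, 4)
    # A hashed 128-bit random token is not in any enumerable range.
    token_hash = hash_identifier(secrets.token_hex(16))
    missed, tried = recover_from_hash(token_hash, SAMPLE_PREFIX, 4)
    return number, guesses, missed, tried


if __name__ == "__main__":
    print(demo())
    # Even a full 10-digit number carries only about 33 bits of entropy.
    print(round(search_space_bits(10), 1))
```

The hash hides nothing when the input comes from a small, structured space, which is why a fix has to avoid exchanging such hashes at all rather than switch to a stronger hash function.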
How to stay protected?
To defend yourself against bad actors exploiting the AirDrop flaw, set AirDrop to “Receiving Off” on an iPhone or iPad. If you are using a Mac, select “Allow me to be discovered by No One” and you should be good.