By B.N. Frank
Apple is not having the greatest year. In January, the company warned that its iPhone 12 model could cause health emergencies for people with pacemakers and other medical implants.
In February, the company was chastised for its “colossal e-waste timebomb”.
More recently, the company has been outed for not doing anything about a huge security flaw in its AirDrop feature.
Apple’s AirDrop leaks users’ PII, and there’s not much they can do about it
Apple has known of the flaw since 2019 but has yet to acknowledge or fix it.
Dan Goodin – 4/24/2021, 11:21 AM
AirDrop, the feature that allows Mac and iPhone users to wirelessly transfer files between devices, is leaking user emails and phone numbers, and there’s not much anyone can do to stop it other than to turn it off, researchers said.
AirDrop uses Wi-Fi and Bluetooth Low Energy to establish direct connections with nearby devices so they can beam pictures, documents, and other things from one iOS or macOS device to another. One mode allows only contacts to connect, a second allows anyone to connect, and the last allows no connections at all.
A matter of milliseconds
To determine if the device of a would-be sender should connect with other nearby devices, AirDrop broadcasts Bluetooth advertisements that contain a partial cryptographic hash of the sender’s phone number and email address. If any of the truncated hashes matches any phone number or email address in the address book of the receiving device or the device is set to receive from everyone, the two devices will engage in a mutual authentication handshake over Wi-Fi. During the handshake, the devices exchange the full SHA-256 hashes of the owners’ phone numbers and email addresses.
Hashes, of course, can’t be converted back into the cleartext that generated them, but depending on the amount of entropy or randomness in the cleartext, they are often possible to figure out. Hackers do this by performing a “brute-force attack,” which throws huge numbers of guesses and waits for the one that generates the sought-after hash. The less the entropy in the cleartext, the easier it is to guess or crack, since there are fewer possible candidates for an attacker to try.
The amount of entropy in a phone number is so minimal that this cracking process is trivial since it takes milliseconds to look up a hash in a precomputed database containing results for all possible phone numbers in the world. While many email addresses have more entropy, they, too, can be cracked using the billions of email addresses that have appeared in database breaches over the past 20 years.
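An added example (not from the article or the researchers' paper) showing why an unsalted SHA-256 of a phone number is not a privacy control: the candidate space is small enough to hash exhaustively, while a high-entropy value hashed the same way is not found. The sample number, its string encoding, the known prefix and all function names are assumptions constructed for this illustration.

```python
import hashlib
import math
import secrets


def sha256_hex(identifier: str) -> str:
    """Unsalted SHA-256 of a contact identifier, hex-encoded."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyspace_bits(candidates: int) -> float:
    """Upper bound on entropy (in bits) when every candidate is equally likely."""
    return math.log2(candidates)


def recover_by_enumeration(target_hash: str, prefix: str, digits: int):
    """Hash every number of the form prefix + <digits> digits; return the match or None."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


# Constructed sample: a number in the 555-01xx range reserved for fiction.
# The "+<country><number>" string encoding is an assumption for this example.
SAMPLE_NUMBER = "+12025550143"
SAMPLE_PREFIX = "+1202555"   # assumed known: country code, area code, exchange
UNKNOWN_DIGITS = 4           # 10,000 candidates remain


def demo() -> dict:
    phone_hash = sha256_hex(SAMPLE_NUMBER)
    # A 128-bit random token hashed the same way is not in the numeric space.
    token_hash = sha256_hex(secrets.token_hex(16))
    return {
        "phone_recovered": recover_by_enumeration(phone_hash, SAMPLE_PREFIX, UNKNOWN_DIGITS),
        "token_recovered": recover_by_enumeration(token_hash, SAMPLE_PREFIX, UNKNOWN_DIGITS),
        "bits_10_digit_number": round(keyspace_bits(10 ** 10), 1),
        "bits_sha256_output": 256,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The 256-bit digest length says nothing about the input: a 10-digit number carries at most about 33 bits, so the hash only protects values that are themselves hard to guess.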
“This is an important finding since it enables attackers to get hold of rather personal information of Apple users that in later steps can be abused for spear phishing attacks, scams, etc. or simply being sold,” said Christian Weinert, one of the researchers at Germany’s Technical University of Darmstadt who found the vulnerabilities. “Who doesn’t want to directly message, say, Donald Trump on WhatsApp? All attackers need is a Wi-Fi-enabled device in proximity of their victim.”
Sender leakage vs. receiver leakage
In a paper presented in August at the USENIX Security Symposium, Weinert and researchers from TU Darmstadt’s SEEMOO lab devised two ways to exploit the vulnerabilities.
High speed internet is safer and more secure with a hard wired internet connection. Schools worldwide have replaced WiFi with wired internet to protect children and staff. Many families have made the switch as well.