Apple AirDrop Vulnerability — CyberHoot

Security researchers in Germany have put out a press release about research findings to be presented at Usenix 2021. They presented findings proving that “Apple AirDrop shares more than files”. They stated “We discovered significant privacy leaks in Apple’s file-sharing service.” This article will summarize those leaks for you to determine whether they are significant enough to stop using it. For CyberHoot employees, we feel the protective steps below allow us to continue using it.

For those who don’t have iPhones or Macs, AirDrop is a low latency, encrypted, high-speed Wi-Fi peer-to peer-connection Apple users utilize to share files or photos. This tool is called an AWDL, or Apple Wireless Direct Link. AWDL is largely used through Airdrop, but also while streaming music to your Apple TV via Airplay, or using your iPad as a secondary display with ‘Sidecar‘.

What’s The Issue?

The problem, according to the researchers, comes in the form of AirDrop’s Contacts only mode, where you tell AirDrop not to accept connections from just anyone, but only from users already in your own contact list. Look at the image below to see the settings available for AirDrop:

Just so you know, if you’re setting AirDrop to Everyone, that doesn’t mean that everyone can access your phone without you knowing. You receive a pop-up requesting permission to download the files, which senders can’t bypass. One problem with having Everyone set is that if someone tries to send you a file, the pop-up includes a tiny thumbnail of the file they want to send, so you can make sure it’s not only a sender you trust but also content you want on your device.

That means you can easily be bluejacked, the term for someone sending you an unsolicited picture that you are forced to see in order to decide whether you want to see it.

‘Contacts Only’ Vulnerability

With that being said, Contacts Only seems like the better choice. Although, the Darmstadt researchers found that the two ends of an AirDrop connection agree on whether they consider each other a contact by exchanging network packets that don’t properly protect the privacy of the contact data. Apple simply forgot to salt the cryptographic hashes used to identify each other leading to a reverse engineering vulnerability that can yield phone numbers and email addresses from a target phone.

The Technical Details

The researchers claim that the contact identifiers, which are based on phone numbers and email addresses, are exchanged as SHA-256 cryptographic hashes to protect the original data. Each end converts their own contact data into hashes and compares those against the data sent over from the other, rather than sharing and comparing the original phone numbers and email addresses; meaning they don’t have to reveal their raw contact data upfront to see which contacts they have in common.

Unfortunately, the hashes exchanged are just that, straight hashes, with no password salting involved. This means that if hackers had a precomputed list of all possible hashes for all possible phone numbers, they’d be able to look them up in their hash list and “reverse” the cryptography by sheer brute force.

How To Avoid Exploitation

It’s not easy for hackers to exploit your devices through your AWDL, but that doesn’t mean it won’t happen. CyberHoot recommends the following actions to reduce the likelihood of falling victim:

  • Turn AirDrop off if you aren’t using it.

There’s no need to be discoverable to other AirDrop users all the time.

  • Don’t blindly fall back to Everyone mode if Contacts Only mode keeps failing.

If you’re in a private place with a sender you trust, it’s probably OK, but if you’re in a busy coffee shop or shopping mall, remember that Everyone mode opens you up to everyone else around.

  • Verify The Name Of The Phone You Are Connecting To Before Connecting To It

It is very easy to connect to the wrong phone using AirDrop when you’re in a crowded place such as a stadium, shopping mall. Resist the urge to connect blindly when you run across that old friend on one of these places and wish to share a few pictures. Check the name and proceed carefully.

  • Keep Devices Up To Date

Go to Settings > General > Software Update.

  • Turn Off Bluetooth When Not Using

Previous exploits have needed Bluetooth enabled to turn this into a true zero-click attack. Turn off your Bluetooth when you aren’t using it.

  • If You’re a Programmer — Be Strict With Data

It’s never a bad idea to do additional error and bug checking.

  • Know That Apple Products Are Not Inherently ‘More Secure’

Oftentimes users are under the false pretense that Apple products are secure, virus-free, and are never exploited. It’s critical to be aware that vulnerabilities exist in all devices and to follow the advice above by turning things off when not in use. Read CyberHoot’s ‘ Malware in Macs ‘ article to learn more about Mac’s vulnerabilities.

Sources:

NakedSecurity — Sophos Article

NakedSecurity — Sophos Video

Additional Reading:

Woman Targeted With 120 Images on Public Transit

Malware in Macs

AWDL — Cybrary Term

Originally published at https://cyberhoot.com on May 4, 2021.

A writer for CyberHoot, a cybersecurity company that helps society become more aware and more secure.