Apple’s AirDrop Leaks Users’ PII, And There’s Not Much They Can Do About It

Apple’s AirDrop is reported to be leaking users’ PII. Every time someone opens a sharing panel in either macOS or iOS, they’re leaking hashes that, at a minimum, disclose their phone numbers and likely their email addresses, too. And in some cases, just having AirDrop enabled at all may be enough to leak these details. For now, the only way to prevent the leakage is to set AirDrop discovery to “no one” in the system settings menu and to also refrain from opening the sharing pane. Apple has known of the flaw since 2019 but has yet to acknowledge or fix it. 

Boris Cipot, Senior Sales Engineer
InfoSec Expert
April 27, 2021 3:02 pm

The concept of the security triangle helps us to understand the relationship between security, functionality, and usability in software. The inter-dependency between these three attributes in software is a balancing act required to ensure a well-structured application.

In AirDrop’s case, usability was brought to the highest level of focus. In doing so, it seems that users’ personally identifiable information was leaked to support this usability. Some might argue that the leaked information is still hashed and hard to crack; however, with today’s abundance of processing power and the lack of high entropy in the phone number that is part of the hashed information, even brute force methods can crack such hashes in no time.

What is perhaps even more concerning is that this has been a known issue for 2 years and no efforts (none that have been publicly disclosed, at least) have been made to boost the security around this feature. The leaked information including phone numbers and email addresses, used to identify devices to which users connect, can also be used to tie the owner to services or other points of interest they may want to keep private.
