Apple loves to boast about its commitment to user privacy and security, but there’s a pink elephant in the room: AirDrop. Researchers from Technische Universitat Darmstadt discovered a vulnerability in the file-sharing feature that exposes your phone number and e-mail address to strangers.
Hackers only need two elements to tap into your personal data via AirDrop: Wi-Fi connectivity and proximity to your device.
How AirDrop exposes your personal data
Apple’s AirDrop is quick and convenient way to share files with other nearby Apple users. As long as you’re on a iOS, iPadOS or MacOS, you can wirelessly send photos, videos, music, documents and more. According to TU Darmstadt investigators, by default, AirDrop only shows receiver devices from address book contacts by using a “mutual authentication mechanism” that cross references users’ phone number and email address entries.
Investigators, however, discovered a flaw in Apple’s hash functions, which is supposed to conceal and obscure personal data exchanged during the AirDrop discovery process. “Hashing fails to provide privacy-preserving discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks,” the TU Darmstadt report said.
Researchers suggest alternative to AirDrop: PrivateDrop
TU Darmstadt researchers concluded that AirDrop has a “severe privacy leak,” but this doesn’t mean Apple should eradicate AirDrop completely. Instead, the investigators propose an alternative called “PrivateDrop,” which is runs on “optimized, cryptographic private set intersection protocols” that plugs all the security vulnerabilities that currently plagues AirDrop.
PrivateDrop ensures that personal data isn’t exchanged with vulnerable hash values. There is a slight delay with PrivateDrop for authentication and tightened security, but the lag is less than a second.
TU Darmstadt researchers informed Apple about AirDrop’s privacy vulnerability in May 2019, but they received radio silence from the Cupertino-based tech giant. “Apple has neither acknowledged the problem nor indicated that they are working on a solution,” the report said.
How to turn off AirDrop discovery
The AirDrop privacy leak affects 1.5 billion Apple devices. For now, the best way to keep malicious actors at bay is to disable AirDrop discovery. Here’s how to do it:
- Open the Control Center by swiping up.
- Long press the top-left group of icons.
- Tap on “AirDrop.”
- Tap “Receiving Off.”
This will ensure that your device is undiscoverable to hackers seeking to exploit AirDrop’s vulnerabilities.