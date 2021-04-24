



Five German researchers have discovered that Apple’s AirDrop protocol can accidentally leak your email address and phone number to nearby Apple devices. They say Apple is aware of the problem and has left 1.5 billion devices vulnerable for almost two years, but they add that a solution is possible.

“Even a complete stranger can learn the phone number and email address of an AirDrop user,” says the website created by the researchers. “Attackers only need physical proximity to a Wi-Fi-enabled device and their target.”

“Apple users are still vulnerable,” the site adds. “They can only protect themselves by disabling AirDrop discovery in their system settings and by not opening the sharing pane.”

How to protect yourself

To make sure you are not vulnerable to these attacks, set AirDrop to “Receiving Off” on your iPhone or iPad and to “Hide it from anyone” on your Mac.

You can also turn off Wi-Fi and Bluetooth when you are not using them, but it is not clear whether doing so actually disables AirDrop.

Alternatively, you can set AirDrop to “Everyone”, since in that mode email addresses and phone numbers are not exchanged at all. The downside is that you may receive a lot of offensive images from other iPhone users.

How AirDrop initiates a connection

When your AirDrop-enabled device is ready to share files, it broadcasts an encrypted form of your phone number or email address (the one associated with your Apple account) to every device within Wi-Fi or Bluetooth range.

This lets other Apple devices, which are set to “Contacts Only” by default, check whether you are in their contact list before they connect. (Devices with AirDrop set to “Everyone” skip this check, but they still receive the encrypted phone number or email address.)

Apple devices do not broadcast the real phone number or email address. Instead they send a “hash” of the value: a long string of text produced by running the value through a fixed mathematical algorithm.

For example, the phone number 1 (212) 555-1212, with spaces and parentheses removed, comes out of the SHA-256 hash algorithm that AirDrop uses as “26321368f6c23510f79a21085024dd5a4f958e6c22dc057a358d1b5a1fc5c932”.

Other Apple devices compare those hashes with the hashes of the email addresses and phone numbers in their own contact lists. If there is a match, those devices reply with the hashes of their own email address and phone number.

If both devices have each other’s contact information in their contact lists, an AirDrop connection is established and you can share files. (Again, the “Everyone” setting skips this check and simply shares the file with anyone.)

Sounds good, but there is a problem

The problem is that a hash is supposed to be irreversible: you should not be able to work backwards from the hash to the original phone number or email address. In practice, that is not what happens here.

“Cryptographic hash functions cannot hide inputs (called pre-images) if the input space is small or predictable, such as phone numbers or email addresses,” said researchers Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute and Christian Weinert.

Heinrich, Hollick, and Stute have previously worked on ways to attack the technical foundations of AirDrop.

In other words, phone numbers follow a predictable format, so even a midrange computer can precompute a list of hashes for every possible phone number in a particular area code, or even for all of the roughly 10 billion possible phone numbers in North America, and compiling that list does not take much time.
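To show concretely why an unkeyed hash does not hide a small, predictable input space, here is an added illustration (not code from the article or from the researchers’ project). It hashes phone numbers with SHA-256 in the way the article describes, precomputes a table for a single constructed prefix, and then contrasts that with a keyed hash (HMAC) whose output cannot be matched against such a table without the key. The prefix, the key and the sample number are all constructed for the example; the SHA-256 step is the only part the article itself describes.

```python
import hashlib
import hmac


def normalize_phone(number: str) -> str:
    """Keep only the digits, i.e. drop spaces, parentheses, dashes and a leading '+'."""
    return "".join(ch for ch in number if ch.isdigit())


def airdrop_style_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the normalized identifier, hex-encoded (the scheme the article describes)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def build_lookup_table(prefix: str, line_digits: int = 4) -> dict:
    """Precompute hash -> number for every number sharing a prefix.

    `prefix` is a constructed example (country code + area code + exchange).
    With four trailing digits this is only 10,000 hashes, which is exactly
    the point: the input space is small enough to enumerate completely.
    """
    table = {}
    for line in range(10 ** line_digits):
        number = f"{prefix}{line:0{line_digits}d}"
        table[airdrop_style_hash(number)] = number
    return table


def recover_from_hash(observed_hash: str, table: dict):
    """Return the pre-image if the observed hash is in the precomputed table, else None."""
    return table.get(observed_hash)


def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 over the identifier. Without `key`, a precomputed table is useless.

    This illustrates the cryptographic principle only: two strangers' devices have no
    shared key, so a keyed hash is not by itself a drop-in fix for contact discovery.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Run the comparison on a constructed number and report what each scheme leaks."""
    number = normalize_phone("1 (212) 555-1212")      # constructed sample, as in the article
    table = build_lookup_table("1212555")              # constructed prefix: +1 212 555-xxxx
    unkeyed = airdrop_style_hash(number)
    keyed = keyed_hash(number, b"constructed-example-key")
    return {
        "table_size": len(table),
        "unkeyed_recovered": recover_from_hash(unkeyed, table),
        "keyed_recovered": recover_from_hash(keyed, table),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The table for one exchange is built in a fraction of a second; scaling it to a whole area code or country is only a matter of storage, which is the article’s point. The keyed variant shows what property is missing, not how AirDrop should be fixed: the researchers replace the hash exchange with a different mechanism precisely because the two devices share no secret.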

Hackers could load a list of precomputed phone-number hashes onto a laptop, sit nearby at lunchtime in a public place, such as outside the entrance of a large corporate headquarters, and passively collect the phone numbers of iPhones whose owners try to set up an AirDrop share.

Hackers can also actively force other devices to give up their phone numbers. An attacker could initiate an AirDrop share by sending the hash of a phone number that many people are likely to have in their contact list, such as a company’s main switchboard number or the number of its HR department.

Any iPhone that passes by with that number in its contact list will reply with the hash of its owner’s phone number.

But what if a stranger knows my cell phone number?

Mobile numbers are (wrongly) used for password-reset challenges, bank-account logins and two-factor-authentication identity checks, so obtaining the phone numbers of prominent individuals, or of people who own a lot of Bitcoin, could cause a great deal of damage.

Email addresses have no fixed length and can contain letters as well as numbers, which makes precomputing hashes somewhat harder. However, hackers could restrict the precomputed hashes to addresses that end in “@gmail.com” or “@yahoo.com”, or that follow a company’s particular address format.

“Alternatively, an attacker could generate an email look-up table from a data breach or use an online lookup service for hashed email addresses,” the paper said.

Hackers can then collect email addresses in the same way as phone numbers. The research paper states that these email addresses could be used “for fraudulent activities such as (spear) phishing attacks and profits from the sale of personal data.”

The solution presents itself

The researchers, who are based in Darmstadt, say they privately told Apple about the passive attack scenario in May 2019 and about the active attack scenario in October 2020. In July 2019, a second group independently discovered and published the passive attack.

“Apple hasn’t commented yet on whether it plans to address these AirDrop issues,” the research paper says. (Tom’s Guide has asked Apple for comment and will update this story as soon as we get a reply.)

The researchers have created an open-source project called “PrivateDrop,” which “seamlessly integrates into the current AirDrop protocol stack.”

They told Apple in October that PrivateDrop would fix AirDrop’s data-leak issue by replacing the hashed phone numbers and email addresses with other values.

