



Apple has some enviable features that other platforms, especially Android, are still trying to match. AirDrop’s simplicity and presumed security are among them, and it wasn’t until last year that Android’s Nearby Share finally caught up. Unfortunately, AirDrop doesn’t seem to be that secure after all: the simple act of opening the share sheet on macOS or iOS is enough to leak a user’s phone number and email address to hackers within range.

AirDrop uses a once-novel technique, more common nowadays, that combines ad hoc Wi-Fi and Bluetooth to discover nearby devices and establish connections between them. Users can choose to share only with their contacts, with anyone who has a Mac or iPhone, or with no one. Unfortunately, the flaws discovered by security researchers do not even require a file to actually be sent over AirDrop for personal information to leak.

All the user needs to do is start the sharing process so that the share sheet appears on macOS or iOS. Behind the scenes, AirDrop scans for nearby devices by broadcasting an encrypted packet of data containing the sender’s phone number and email address. The purpose is to find nearby devices that have the sender stored as a contact and therefore qualify as recipients.

Unfortunately, the encryption is evidently not very strong, and it is easy for a hacker to brute-force it and recover the phone number or email address. Even more worrisome, such a hacker just has to sit and wait for someone with a Mac, iPhone, or iPad to start sharing something in order to intercept the data. These phone numbers and email addresses can then be used in other attacks such as phishing scams.
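Why the brute force is practical, as an added sketch that is not code from the researchers or Apple: it assumes the "encrypted" identifier is an unsalted SHA-256 digest of the phone number (the page does not name the scheme). The function names, the fictional number +12025550143 and the hash rate are constructed for illustration.

```python
import hashlib
import math

# Assumption for this sketch: the identifier is protected only by an unsalted
# SHA-256 digest. The page says "encrypted" and does not name the scheme.
def digest(identifier: str) -> bytes:
    return hashlib.sha256(identifier.encode("utf-8")).digest()

def search_space_bits(unknown_digits: int) -> float:
    """Entropy of a number with this many unknown decimal digits."""
    return unknown_digits * math.log2(10)

def seconds_to_exhaust(unknown_digits: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given hash rate."""
    return 10 ** unknown_digits / hashes_per_second

def recover(target: bytes, known_prefix: str, unknown_digits: int):
    """Try every number under a known prefix; return the match or None."""
    for n in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{n:0{unknown_digits}d}"
        if digest(candidate) == target:
            return candidate
    return None

if __name__ == "__main__":
    # Constructed sample: a fictional number (555-01xx range), not real data.
    observed = digest("+12025550143")
    print(recover(observed, "+1202555", 4))
    print(f"{search_space_bits(10):.1f} bits for 10 unknown digits")
    print(f"{seconds_to_exhaust(10, 1e7):.0f} s at an assumed 1e7 hashes/s")
```

A 256-bit output does not help when the input carries only about 33 bits of entropy: any deterministic, unkeyed transform of a phone number can be enumerated this way.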

Researchers reportedly disclosed the vulnerability to Apple in 2019, providing an open-source reference implementation of a safer alternative. Apple hasn’t responded so far, and fixing these essential parts of the macOS and iOS experience is probably not that easy.

