If you have an iPhone, an iPad, or a Mac, pay attention: a security flaw has been discovered in AirDrop, the feature that allows you to share files between nearby Apple devices. This flaw could expose private data on your device, including your phone number and email address.
AirDrop is one of the Apple features most appreciated by users. It is a tool that allows you to share photos, documents, and other files between the brand’s devices that are nearby, without the need for cables and in a very convenient and fast way.
Although AirDrop uses various encryption protocols and mechanisms to ensure the security of communications between devices, a team of researchers has discovered a security flaw that can put users’ personal data at risk.
Experts from the Secure Mobile Networks Laboratory (SEEMOO) and the Cryptography and Privacy Engineering Group (ENCRYPTO) of the Technical University of Darmstadt (Germany), who detected the security hole, say that Apple was informed of this vulnerability in May 2019. Almost two years later, the Cupertino company has neither acknowledged the problem nor proposed a solution, leaving more than 1.5 billion users vulnerable to a potential privacy attack.
The team of researchers explains that the problem is a combination of two issues. On the one hand, if the user configures AirDrop for contacts only, the system has to check whether the receiving devices are in the contact book. To do this, AirDrop uses an authentication mechanism that compares a user’s phone number and email address with the other user’s address book entries. This allows an attacker to learn the phone number and email address of a user just by being nearby and having a Wi-Fi-capable device.
On the other hand, although AirDrop encrypts the data it exchanges, the researchers note that Apple uses a fairly weak and easy-to-crack hashing mechanism that “can be easily reversed using simple techniques such as brute force attacks.”
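The following is an added example, not code from the researchers or from Apple, showing why hashing a phone number does not hide it: the set of possible numbers is small enough to enumerate. It assumes an unsalted SHA-256 hash; the sample number (from the fictional 555-01xx range), the function names, and the hash rate are constructed for illustration.

```python
import hashlib
import math
from typing import Optional

def identifier_hash(phone: str) -> str:
    """Unsalted SHA-256 of a phone number (scheme assumed for this example)."""
    return hashlib.sha256(phone.encode("utf-8")).hexdigest()

def recover_phone(target_hash: str, prefix: str, digits: int) -> Optional[str]:
    """Enumerate every number of the form prefix + `digits` digits and compare hashes."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if identifier_hash(candidate) == target_hash:
            return candidate
    return None  # the number is not in the enumerated range

def entropy_bits(digits: int) -> float:
    """Bits of uncertainty in a number with `digits` unknown decimal digits."""
    return math.log2(10 ** digits)

def search_space_seconds(digits: int, hashes_per_second: float) -> float:
    """Worst-case time to hash every number with `digits` unknown digits."""
    return (10 ** digits) / hashes_per_second

# Constructed sample input: a fictional number, not a real subscriber.
SAMPLE_PHONE = "+12025550143"
SAMPLE_HASH = identifier_hash(SAMPLE_PHONE)

if __name__ == "__main__":
    # Only the last 4 digits are treated as unknown so the demo finishes instantly.
    print("recovered:", recover_phone(SAMPLE_HASH, "+1202555", 4))
    # The hash output is 256 bits wide, but the input carries far less uncertainty.
    print(f"10 unknown digits = {entropy_bits(10):.1f} bits of entropy")
    # Assumed rate of 1e7 hashes per second (a labelled assumption, not a benchmark).
    print(f"worst case: {search_space_seconds(10, 1e7):.0f} s")
```

The width of the hash output is irrelevant here: what matters is how few inputs are possible, which is why a hash alone is not a privacy protection for phone numbers.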
Therefore, even if you use AirDrop often, these researchers recommend that you deactivate it while you are not using it. The National Intelligence Center (CNI) gives the same advice, pointing out that it is best to keep it disabled by default, enable it only when you are going to use it, and configure it so that only your contacts can see you and send you files.