AirDrop could be hacked to reveal personal information, researchers say

A privacy gap could let a nearby hacker snag the phone numbers and email addresses of people using AirDrop, say researchers at a German university.

Ty Pendlebury Editor

AirDrop is a fast, simple way to transfer files, photos, videos and more from one Apple device to another.


Apple's popular AirDrop feature for sharing files may be vulnerable to hacking attempts, according to security researchers at a German university. In a post published Friday, researchers at Technische Universität Darmstadt said that a nearby stranger could discover the phone number and email address of an AirDrop user because of a privacy gap in the feature.

The issue, reported earlier by Gizmodo, apparently stems from the Contacts Only option in AirDrop, which uses a "mutual authentication mechanism" to check whether a user's phone number and email address are in someone else's contacts list, according to the researchers. The information is hashed during this process, but a bad actor in "physical proximity to a target" could pick up the information and quickly reverse the privacy measures using "simple techniques such as brute-force attacks," said the researchers.

The university first informed Apple of the potential vulnerability in May 2019, the researchers said, but the issue hasn't been addressed in subsequent software updates. 

The team has put forward its own alternative, called Private Drop, that doesn't "rely on exchanging vulnerable hash values."

Apple didn't respond to a request for comment.