AirDrop could be hacked to reveal personal information, researchers say
A privacy gap could let a nearby hacker snag the phone numbers and email addresses of people using AirDrop, say researchers at a German university.
Apple's popular AirDrop feature for sharing files may be vulnerable to hacking attempts, according to security researchers at a German university. In a post published Friday, researchers at Technische Universität Darmstadt said that a nearby stranger could discover the phone number and email address of an AirDrop user because of a privacy gap in the feature.
The issue, reported earlier by Gizmodo, apparently stems from the Contacts Only option in AirDrop, which uses a "mutual authentication mechanism" to check whether a user's phone number and email address are in someone else's contacts list, according to the researchers. The information is hashed during this process, but a bad actor in "physical proximity to a target" could pick up the hashed values and quickly reverse the privacy measure using "simple techniques such as brute-force attacks," said the researchers.
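Why a hash alone does not hide a phone number, as an added example that is not code from the researchers or Apple: it assumes an unsalted SHA-256 digest and a constructed number from the fictional 555-01xx range, and every function name is hypothetical.

```python
import hashlib
import math
import secrets


def digest(identifier: str) -> str:
    # Assumption: unsalted SHA-256 over the identifier string.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyspace_bits(digits: int) -> float:
    # Entropy of an identifier made of `digits` decimal digits.
    return digits * math.log2(10)


def recover(target: str, prefix: str, digits: int):
    # Hash every number that shares `prefix`; return the one matching `target`.
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if digest(candidate) == target:
            return candidate
    return None


def audit(identifier: str, prefix: str, digits: int) -> dict:
    # Report whether a hashed field is recoverable by enumerating its domain.
    found = recover(digest(identifier), prefix, digits)
    return {"recovered": found, "searched": 10 ** digits}


if __name__ == "__main__":
    # Constructed sample: a fictional number with 4 unknown digits.
    print(audit("+12025550147", "+1202555", 4))
    # A random 128-bit value is not in any small, enumerable domain.
    print(audit(secrets.token_hex(16), "+1202555", 4))
    # A full 10-digit number carries about 33 bits, far below a 128-bit secret.
    print(round(keyspace_bits(10), 1), "bits vs 128 bits")
```

The hash function is not what fails here: the input comes from a domain small enough to enumerate, so the digest identifies the number.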
The university first informed Apple of the potential vulnerability in May 2019, the researchers said, but the issue hasn't been addressed in subsequent software updates.
The team has put forward its own alternative, called PrivateDrop, that doesn't "rely on exchanging vulnerable hash values."
Apple didn't respond to a request for comment.