Researchers have demonstrated a security vulnerability in Apple's AirDrop file-sharing tool that can potentially leak a user's private information to malicious third parties. AirDrop is one of the easiest and most reliable ways to share files between Apple devices. However, although the feature is convenient, sending information between devices always poses a risk for both sender and receiver.
Apple introduced the AirDrop feature in 2011 and it has become a popular way to share files, especially among those who take photos regularly and want to share them with friends and family members. AirDrop is a proximity-based method for sharing files and doesn't have a limit on how many files can be shared or how big they can be. Users can limit the feature to work with close contacts, ensuring that it doesn't connect to random strangers. However, even with that setting, there's still a chance that others can access sensitive information about private users.
In 2019, researchers at the Technische Universität Darmstadt discovered the vulnerability with AirDrop and notified Apple about it, but they say the issue has still not been patched and leaves more than 1.5 billion Apple devices at risk. Even if users try to hide their identity from strangers, others can still access their name and email address with the right know-how. The feature's method of obscuring the user's information is apparently easy to reverse using relatively simple methods, including even just brute force hacking. The researchers have not shared how exactly to exploit the flaw to avoid making the threat worse, but they are planning to publish a more detailed paper about it in August.
Trying To Fix AirDrop's Flaw
Unfortunately, without an official patch from Apple for the flaw, users can't do much to fix it themselves. The research specifically tells users that the only way to prevent a leak is to turn off AirDrop discovery entirely and to not open any sharing menu on the device.
Apple's lack of a response is surprising. Last year, the company patched a vulnerability that was hacking the cameras of Apple's devices and it is usually on top of security issues, especially for those that affect consumers. However, having a one- to two-year (and ongoing) gap between discovering a vulnerability and a patch exposes a lot of users to a potential security risk without any fix for the problem.
If users really want to patch the vulnerability, the researchers have also developed a solution called PrivateDrop, which imitates AirDrop's system but fixes the vulnerability. Anyone who uses the solution will be able to enjoy sharing files without the risk of attracting anyone snooping in.
Source: Technische Universität Darmstadt