AirDrop, the functionality this allows Mac and iPhone users transfer files wirelessly between devices, users’ emails and phone numbers are leaking, and little can be done to stop it except turn it off, researchers say .
AirDrop uses Wi-Fi and Bluetooth Low Energy to make direct connections with nearby devices so they can transmit pictures, documents and other things from one ios or macOS device to another. One mode only allows contacts to connect, a second allows anyone to connect, and the last allows no connection.
To determine if a potential sender’s device should connect to other nearby devices, AirDrop broadcasts Bluetooth Ads containing a partial cryptographic hash of the sender’s phone number and email address. If any of the truncated hashes matches a phone number or email address in the receiving device’s address book, or if the device is configured to receive from everyone, both devices will engage. in a mutual authentication handshake over Wi-Fi. During the handshake, devices exchange complete SHA-256 hashes of owners’ phone numbers and email addresses.
Hashes, of course, cannot be converted back into the clear text that generated them, but depending on the amount of entropy or randomness of the clear text, it is often possible to understand them. Hackers do this by performing a “brute force attack”, which throws a large number of guesses and waits for the one that generates the sought hash. The less entropy in the clear text, the easier it is to guess or crack, as there are fewer possible candidates for an attacker to try.
The amount of entropy in a phone number is so minimal that this cracking process is trivial as it takes milliseconds to search for a hash in a precomputed database containing the results of all possible phone numbers in the world. While many email addresses have more entropy, they can also be hacked using the billions of email addresses that have appeared in database breaches over the past 20 years.
“This is an important discovery because it allows attackers to gain some rather personal information from Apple users which, in turn, can be misused for spear phishing attacks, scams, etc. or simply be sold, ”said Christian Weinert, one of the researchers. at the German Technical University in Darmstadt which found the vulnerabilities. “Who doesn’t want to send a message directly, say to Donald Trump on WhatsApp? All attackers need is a Wi-Fi enabled device near their victim.”
In one paper presented in August at the USENIX Security Symposium, Weinert and researchers from the SEEMOO lab at TU Darmstadt devised two ways to exploit vulnerabilities.
The simplest and most powerful method is for an attacker to simply watch for discovery requests sent by other nearby devices. Since the sender’s device always discloses its own hashed phone number and email address whenever it scans for available AirDrop receivers, the attacker only has to wait for nearby Macs to open. the share menu or nearby iOS devices to open the share sheet. The attacker does not need to have the target’s phone number, email address, or other prior knowledge.
A second method works largely in reverse. An attacker can open a share menu or share sheet and see if nearby devices respond with their own hashed details. This technique is not as powerful as the first one because it only works if the attacker’s phone number or email address is already in the recipient’s address book.
Still, the attack can be useful when the attacker is someone whose phone number or email address is well known to many people. A manager, for example, could use it to get the phone number or email address of any employee whose manager contact information is stored in their address books.
In an email, Weinert wrote:
What we call “sender leak” (that is, someone who intends to share a file loses their hashed contact credentials) could be exploited by planting “bugs” (small Wi-Fi enabled devices) in public hot spots or other places of interest.