For a long time, our easiest option for sharing images and files was to attach them to emails. Advancements were made in texting, and it joined email as a popular sharing mode. Apple then introduced its AirDrop feature, which made it easy to share with people nearby. However, researchers have connected AirDrop to privacy leaks.
AirDrop Privacy Leaks
I’ll admit – I even AirDrop files to myself. If I’m working on a product review and take some photos with my iPhone, they don’t always populate to iCloud quickly enough for me to immediately use them on my iPad Pro. So I just AirDrop them from my iPhone to my iPad. It never even occurred to me that there could be privacy issues when I’m dropping from one of my devices to another.
Researchers at Germany’s Technische Universität Darmstadt called Apple out for the AirDrop privacy leaks they have found. It turns out you’re not just opening your device to the other AirDrop recipient – you’re opening it to anyone nearby.
AirDrop allows the direct transfer of images, videos, and files between iPhones, iPads, and Macs. By default, the sharing option lists devices near you that are being used by your contacts.
A TU blog post explains, “AirDrop uses a mutual authentication mechanism that compares a user’s phone number and email address with entries in the other user’s address book” to determine which available devices belong to your contacts.
But anyone with a Wi-Fi-capable device can still launch an attack on your device – even a complete stranger. If you launch the sharing option on your device, you become discoverable to an attacker in your vicinity.
Apple uses hash functions to obfuscate the phone numbers and email addresses in the discovery. The researchers learned the hashing process doesn’t provide privacy while it’s discovering nearby devices. The hash values are open to being reversed with brute force and other attacks.
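The weakness described above comes from how few possible phone numbers exist, not from the hash function itself. The following Python sketch is an added example, not code from the researchers or Apple; it assumes an unsalted SHA-256 hash and uses a constructed, fictional phone number, and the function names and hashing rate are hypothetical.

```python
import hashlib

def contact_hash(identifier: str) -> str:
    """Unsalted SHA-256 of a contact identifier (hash choice is an assumption)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def candidates(prefix: str, digits: int):
    """Yield every number made of `prefix` followed by `digits` digits."""
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"

def recover(target_hash: str, prefix: str, digits: int):
    """Return the identifier whose hash matches, or None if it is not in the space."""
    for number in candidates(prefix, digits):
        if contact_hash(number) == target_hash:
            return number
    return None

def seconds_to_enumerate(digits: int, hashes_per_second: int) -> float:
    """Worst-case time to hash every number with `digits` unknown digits."""
    return (10 ** digits) / hashes_per_second

# Constructed sample: a fictional number (the 555-01xx range is reserved for fiction).
SAMPLE_NUMBER = "12025550143"
SAMPLE_HASH = contact_hash(SAMPLE_NUMBER)

if __name__ == "__main__":
    # With the country and area prefix known, only 10,000 candidates remain.
    print("recovered:", recover(SAMPLE_HASH, prefix="1202555", digits=4))
    # Even all 10 digits unknown is a small space; the rate below is an assumed figure.
    print("10 digits at 1e8 hashes/s:", seconds_to_enumerate(10, 100_000_000), "seconds")
```

Because every valid input can be tried, the hash acts as a lookup key rather than as protection, which is why PrivateDrop avoids exchanging hash values at all.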
The researchers developed their own solution to the AirDrop privacy leaks. They created “PrivateDrop” to replace AirDrop. The blog post explains it’s “based on optimized cryptographic private set intersection protocols that can securely perform the contact discovery process between two users without exchanging vulnerable hash values.
“The researchers’ iOS/macOS implementation of PrivateDrop shows that it is efficient enough to preserve AirDrop’s exemplary user experience with an authentication delay well below one second.”
Despite the researchers calling the AirDrop privacy leaks to Apple’s attention two years ago, the company has not responded. The researchers believe it puts all Apple device users at risk.
One thing you can do to protect your device is turn the feature off. Go to Settings → General → AirDrop. Make sure “Receiving Off” is selected.
The blog post also suggests not using the sharing menu. But that’s near impossible – at least for my usage. Not through AirDrop – but other apps. I use it constantly throughout my work. However, I work from home 99 percent of the time, so I just need to try to avoid using it on the occasions I’m working in a doctor’s office waiting room or similar, and I’ll be safe.