News
01/2024: Chinese Forensic Institute Exploits AirDrop Vulnerabilities to Identify Senders of “Inappropriate Information”
A forensic institute in Beijing and international media (e.g., Bloomberg, CNN, and Ars Technica) report that AirDrop vulnerabilities are actively exploited in China to identify senders of “inappropriate information”. Fundamentally, these attacks exploit Apple’s insecure use of hash functions for “obfuscating” contact identifiers in the AirDrop protocol execution, a major privacy risk that we already reported to Apple in 2019. In more detail, the Chinese forensic experts extract hash values of the senders’ contact identifiers that are retained in log files on the receiver devices. Then, they apply hash reversal attacks based on rainbow tables (as proposed in our proof of concept) to efficiently obtain the contact identifiers in the clear.
04/2021: AirDrop Vulnerabilities in the News
See https://owlink.org/press and https://encrypto.de/news/privatedrop for press reviews.
AirDrop Primer
Apple AirDrop is a file-sharing service that allows users to send photos and other media over a direct Wi-Fi connection from one Apple device to another. As people typically want to share sensitive data exclusively with people they know, AirDrop only shows receiver devices from address book contacts by default. To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user’s phone number and email address with entries in the other user’s address book.
The Problem: Phone Number and Email Address Leakage
We discovered two severe privacy leaks in this authentication mechanism. In particular, we showed that it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. An attacker just requires a Wi-Fi-capable device and physical proximity to a target.
The discovered problems are rooted in Apple’s use of hash functions for “obfuscating” the exchanged contact identifiers, i.e., phone numbers and email addresses, during the discovery process. It is well-known in industry and academia that hashing fails to provide privacy-preserving contact discovery since hash values of phone numbers can be quickly reversed using simple techniques such as brute-force attacks or database look-ups.
Vulnerability #1: Sender Leakage
During the AirDrop authentication handshake, the sender always discloses their own (hashed) contact identifiers as part of an initial discover message. A malicious receiver can therefore learn all (hashed) contact identifiers of the sender without requiring any prior knowledge of their target. To obtain these identifiers, an attacker simply needs to wait (e.g., at a public hot spot) until a target device scans for AirDrop receivers, i.e., the user opens the sharing pane.
After collecting the (hashed) contact identifiers, the attacker can recover phone numbers and email addresses offline. As shown in prior work, recovering phone numbers is possible in the order of milliseconds. Recovering email addresses is less trivial but possible via dictionary attacks that check common email formats such as first.lastname@{gmail.com,yahoo.com,…}. Alternatively, an attacker could utilize data breaches or use an online lookup service for hashed email addresses.
This attack was also independently discovered and published by the Apple Bleee project in July 2019, shortly after our initial responsible disclosure to Apple in May 2019.
Vulnerability #2: Receiver Leakage
AirDrop receivers present their (hashed) contact identifiers in response to the discover message if they know any of the sender’s contact identifiers (e.g., if the receiver has stored the sender’s email address). A malicious sender can thus learn all contact identifiers (including the receiver’s phone number) without requiring any prior knowledge of the receiver – if the receiver knows the sender.
Importantly, the malicious sender does not have to know the receiver: A popular person within a certain context (e.g., the manager of a company) can exploit this design flaw to learn all (private) contact identifiers of other people who have the popular person in their address book (e.g., employees of the company).
Vulnerability #3: Log File Leakage
In January 2024, a forensic institute in Beijing reported that log files on Apple devices retain information related to AirDrop interactions, including the hashed contact identifiers of users who transferred files to the inspected device. We verified that log files containing this information can be obtained using Apple’s Sysdiagnose feature. This only requires the device to be unlocked. Notably, the log files store partial instead of full hash values (40 bits per hash, to be precise). Applying hash reversal attacks on such partial hashes can result in finding a few collisions, i.e., multiple phone numbers or email addresses that produce the same partial hash value.
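The following added example (not part of the original page and not the authors' proof of concept) shows why hashing a small identifier domain gives no privacy and how much ambiguity a truncated hash adds. It assumes SHA-256 as the hash function and uses a constructed toy domain of 100,000 fictitious numbers; all function names and domain sizes are illustrative.

```python
import hashlib

# Constructed toy domain: 100,000 fictitious numbers ("+1555" plus 5 digits).
PREFIX = "+1555"
DOMAIN = [f"{PREFIX}{i:05d}" for i in range(100_000)]


def truncated_hash(identifier: str, bits: int) -> int:
    """Leading `bits` bits of SHA-256(identifier); SHA-256 is an assumption here."""
    digest = hashlib.sha256(identifier.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def candidates(target: int, bits: int) -> list[str]:
    """Every identifier in the domain whose truncated hash equals `target`."""
    return [n for n in DOMAIN if truncated_hash(n, bits) == target]


def expected_false_matches(domain_size: int, bits: int) -> float:
    """Expected number of other identifiers that share one truncated hash."""
    return (domain_size - 1) / 2 ** bits


def ambiguity(identifier: str, bits: int) -> tuple[int, float]:
    """(observed candidates, expected false matches) for one logged value."""
    found = candidates(truncated_hash(identifier, bits), bits)
    return len(found), expected_false_matches(len(DOMAIN), bits)


if __name__ == "__main__":
    logged = "+155501234"  # constructed identifier, not a real number
    for bits in (256, 40, 12):
        observed, expected = ambiguity(logged, bits)
        print(f"{bits:>3} bits: {observed} candidate(s), "
              f"{expected:.2e} expected false matches in the toy domain")
    # Larger, hypothetical domain sizes against the 40-bit truncation:
    for size in (10**8, 10**10, 10**12):
        print(f"domain {size:.0e}: {expected_false_matches(size, 40):.4f} "
              "expected false matches per 40-bit value")
```

Truncation only introduces meaningful ambiguity once the identifier domain approaches 2^40 values; for smaller domains a 40-bit value still identifies a single entry, which is why hashing or truncating alone is not a privacy mechanism.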
Proof-of-Concept Attacks
We demonstrate attacks exploiting the first two vulnerabilities with a proof-of-concept implementation that is publicly available on GitHub. It combines the efforts of OpenDrop, an open-source AirDrop implementation, with RainbowPhones, an open-source hash cracking utility that is optimized for non-uniform input domains such as mobile phone numbers.
Our Solution: PrivateDrop
We developed a solution named PrivateDrop to replace the flawed original AirDrop design. PrivateDrop is based on optimized cryptographic private set intersection protocols that can securely perform the contact discovery process between two users without exchanging vulnerable hash values. Our prototype implementation of PrivateDrop on iOS/macOS shows that our privacy-friendly mutual authentication approach is efficient enough to preserve AirDrop’s exemplary user experience with an authentication delay well below one second.
The implementation of PrivateDrop is publicly available on GitHub.
Responsible Disclosure
We informed Apple about the privacy issues in May 2019 via responsible disclosure and shared our PrivateDrop solution in October 2020. As of April 20, 2021, Apple has not indicated that they are working on a solution.
This means Apple users are still vulnerable to the outlined privacy attacks. They can only protect themselves by disabling AirDrop discovery in the system settings and by refraining from opening the sharing pane.
Publications
- [HHSSW21a] PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop by Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute, and Christian Weinert in 30th USENIX Security Symposium (USENIX Security’21). Paper available as pre-print. Implementation available on GitHub.
- [HHSSW21b] AirCollect: Efficiently Recovering Hashed Phone Numbers Leaked via Apple AirDrop by Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute, and Christian Weinert in 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec’21). Paper available as pre-print. Proof-of-concept attacks available on GitHub.