AirDrop also shares your full name (seemingly the one associated with your Apple ID, not what you have set for yourself in your contacts), both by displaying it in the sharing interface on the involved devices and by attaching it as an extended attribute to uploaded files.
The latter is more serious imo, because those attributes live on your file system basically forever, and they're preserved when transferring to another compatible file system or even when archived in a zip file. The metadata can ride along with the files to completely unrelated systems even years after the fact. So if you AirDrop some files to your computer and then zip them up, anyone you send that zip to (a journalist, a public file-hosting site, w/e) will have your full legal name to go with them.
Even sharing your name through the interface seems questionable -- the fact that you and another person have each other's phone numbers is not necessarily an indication that you want to share your real names with each other. (Though I guess someone could usually find it out anyway if they already had your phone number.)
I reported this to Apple, but I don't think they care. Seems like it's by design.
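The check a practitioner would want after the comment above is a way to see which extended attributes a file still carries before it is zipped or uploaded, and to strip them. The following is an added example, not code from the thread or from Apple: it uses CPython's `os.listxattr`/`os.removexattr`/`os.setxattr`, which are Linux-only (on macOS the equivalent is the `xattr` command-line tool), and the attribute name `user.demo.sender_name` and the value "Example Person" are constructed stand-ins, since the thread does not name the actual attribute AirDrop writes.

```python
import os
import tempfile

# Constructed attribute name for the demo: the thread does not give the real
# attribute key AirDrop writes, so this is a stand-in, not Apple's key.
DEMO_ATTR = "user.demo.sender_name"


def list_xattrs(path: str) -> list:
    """Return the extended attribute names on path, or [] where unsupported."""
    try:
        return sorted(os.listxattr(path))
    except (OSError, AttributeError):
        # OSError: missing file or a filesystem without xattr support;
        # AttributeError: a CPython build without os.listxattr (it is Linux-only).
        return []


def audit_xattrs(paths) -> dict:
    """Map each path that still carries extended attributes to their names.

    Run this over the files you are about to archive or upload: anything
    listed here will travel with the files on metadata-preserving tools.
    """
    report = {}
    for p in paths:
        names = list_xattrs(p)
        if names:
            report[p] = names
    return report


def strip_xattrs(path: str) -> list:
    """Remove every extended attribute on path and return the names removed."""
    removed = []
    for name in list_xattrs(path):
        try:
            os.removexattr(path, name)
            removed.append(name)
        except OSError:
            pass  # e.g. a system.* attribute the caller is not allowed to drop
    return removed


def demo():
    """Create a temp file, tag it with the constructed attribute, audit, strip.

    Returns (before, removed, after) as lists of attribute names, or None when
    the platform or filesystem does not support user extended attributes.
    """
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"photo bytes")  # constructed file content
        path = f.name
    try:
        try:
            os.setxattr(path, DEMO_ATTR, b"Example Person")  # constructed value
        except (OSError, AttributeError):
            return None
        before = list_xattrs(path)
        removed = strip_xattrs(path)
        after = list_xattrs(path)
        return before, removed, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

`audit_xattrs` is the read-only step to put in front of any "zip and send" workflow; `strip_xattrs` is the remediation. Note that stripping the attributes on disk is the only reliable fix: whether an archiver copies them depends on the tool, so an audit after extraction on the receiving side is worth doing too.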
Isn't that name editable on your Apple ID page? That name is also not part of your financial data on the iPhone (which usually involves your real name).
What do you think about editing the title to indicate AirDrop has security issues? When I clicked I thought it was going to be about what all I can share using airdrop lol
Interesting. I just read the title and assumed it was talking about security issues. Since we all know AirDrop can share files (what it was intended for), presumed this meant it's also sharing some data/privacy issues unbeknownst to us.
I even work in the field of security most of the time, and while I suspected it might have something to do with security, I assumed that even then it was going to be someone who simply was annoyed you could send an executable or a PDF with an exploit over AirDrop, as opposed to metadata ;P.
Looking at the article I would say the actual title presented is "Apple AirDrop shares more than files:
TU-Researchers discover significant privacy leak in Apple's file-sharing service", but that's a bit long for a HN title. I'm not sure what the policy is on using the subtitle (TU-Researchers discover significant privacy leak in Apple's file-sharing service) if it's more descriptive, but I think it would make sense in this case.
The rule is to use some substring present on the page. So long as you don't make up something that editorializes, picking a different title is encouraged.
One explanation is that Apple has sat on this for 2 years, knowing this is a serious security bug. Another explanation is that they just don't think it's that serious. The article states:
> The discovered problems are rooted in Apple's use of hash functions for “obfuscating” the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.
The post that they then linked to is about how, by hashing random phone numbers, you can effectively de-anonymise users of popular messaging apps.
So you'd need to be in physical proximity to the person, and what you're getting is details like your phone number which aren't especially private anyway (they literally need to be given to people to be of any use). It's far from the dragnet-level issue facing Signal & Whatsapp and others.
I don't know, but that doesn't seem like an especially serious issue to me. It seems just like a research group trying to make some hype for themselves.
Not sure how much is required to brute force these, but AirDrop has been used in notably sensitive situations like the Hong Kong protests[1], where I’m sure anonymity was assumed.
Proximity doesn’t mean I would like to share my phone number. Seems like an unlikely attack day-to-day, but one with definite privacy and personal safety concerns.
If the state where you live wants to know if you've been at a protest, they have more efficient ways of figuring that out than sending someone out to walk around, trying to collect AirDrop IDs. That should be the least of your worries.
I mean sure, I'm not saying there's no issue here. But it certainly isn't 'huge' either.
It sounds like a metadata situation where collecting AirDrop IDs is another piece of the puzzle that helps build a complete data profile of individuals. It may not be a huge issue, but it’s certainly not a small one.
If I turn off my phone's LTE radio, and wear face coverings, how exactly would a state track me? It's said that Apple tries to randomize MACs of all the radios as much as practically possible. What's the spin here?
If I were seriously trying to avoid tracking, you can bet my phone would have its very own tin foil hat. I don't trust "airplane mode" to not still have some radio active, but I trust physics.
Citation needed. The state is far less organized and competent than you think if the US is any indication. Planes were flown into skyscrapers and government facilities and we had zero defenses in place. A global pandemic occurred and we had no plan, PPE or ventilator supply and could not mobilize our infrastructure to respond. Thousands descended on the Capitol building and took selfies during a violent overthrow attempt and the FBI has no idea who the majority of them were, depending on internet tips to identify them.
> Planes were flown into skyscrapers and government facilities and we had zero defenses in place.
The FBI had certain groups under watch but didn't act on it. For a variety of reasons. This continues today - the FedEx shooter was well known to law enforcement but wasn't acted on. Instead of talking about how we can solve that problem, the media and people probably like you screech about restricting rights of everyone else (gun control?) instead :p
> A global pandemic occurred and we had no plan, PPE or ventilator supply and could not mobilize our infrastructure to respond.
We built massive temporary hospitals in NYC, sent a floating hospital up to NYC and instead of using those for the elderly, the NY governor sent the infected elderly back to nursing homes where the most vulnerable are. They also sent non-elderly to nursing homes too. There at least was some reporting about a violent 30 something homeless guy sent to a nursing home that assaulted elderly residents but it was pretty minimal and blew over quickly. There were mobilized responses - they were incompetent mobilizations. But why talk about that - maybe because most of the disproportionate nursing home death rates happened predominantly in blue states? God forbid someone draw attention to that! Quick - more handwaving about "lack of mobilization" is needed!
Ventilators - we produced thousands of emergency ventilators that sat in warehouses waiting for a crisis that never materialized. Then as we got more experience we learned ventilators actually make things worse and it's better to just change people's resting position. However those facts are not nearly as sexy or politically expedient as being able to blame the other side for lacking to produce something, so we still have people fixating on the non-existent ventilator crisis to again deflect from other incompetence and also justify further "fixes".
> Thousands descended on the Capitol building and took selfies during a violent overthrow attempt and the FBI has no idea who the majority of them were, depending on internet tips to identify them.
lol - and the most preposterous propaganda of the year award. Entire city blocks repeatedly burning down over the summer during "mostly peaceful protests" and one incident started WHILE TRUMP WAS STILL SPEAKING is the end of western democracy as we know it. Yup. Trump led. So violent that there were no fires. No statues toppled. No walls or paintings spray painted. All things that routinely happened in many American cities over and over for over a year but was hand waved off.
Indeed, the vast majority of people "insurrecting" were walking between the velvet ropes taking pictures, smiling, chatting with the Capitol police. Several videos show the same Capitol police holding the doors open for them - but it was a violent insurrection.
You see I watched most of it live from various streamers as it happened. I didn't just watch the carefully crafted media narrative. Yes there were some bad actors, but the cognitive dissonance and utterly disproportional response between what happened in those four hours vs. the entire year before is off the charts. If that was a violent insurrection and what happened over the summer were just mostly peaceful protests then we have gotten to levels of absurd gaslighting that even Orwell couldn't have imagined.
> The state is far less organized and competent than you think if the US is any indication.
Thank you for providing the biggest reason socialized medicine is an utterly ridiculous and downright scary proposition. Given your other positions this is a refreshingly frank take.
I know HN isn't supposed to be about politics, but I want to thank you for presenting a well reasoned response. It's given me a lot to think about and realise how media is manipulated and biased.
In the old days they used to print giant books of these "phone numbers" and drop them on your neighbours porches. Odd how things that were common are now security risks.
In Australia you have to pay extra for this feature, like $3/month, and extra for caller ID blocking, but cell numbers get unlisted status for free. I haven't had a landline for a decade. Is this still the case in the US?(https://www.motherjones.com/kevin-drum/2010/08/unlisted-phon...)
Makes me wonder how sparse phone numbers would have to be to make spam impractical. Would people use long virtual numbers? Imagine if your friends had your 64 digit phone number, and you would know it was a non spam inbound caller.
Or even better, TOFU, like a Signal call. Or just a Signal data channel over LTE.
Depends how easy this is to do on the fly. Lots of people thinking about it like it's a spy thriller. But could a creep with a laptop use it to harvest phone numbers from random school girls that they like the look of in starbucks? Not sure I would like my kids to experience this.
That's what I thought too since the AirDrop protocol, as mentioned in the article, doesn't even share any of that hashed info unless a user opens the share sheet to initiate an AirDrop transfer.
To me, that means that if I was going to attack someone using this exploit, I would need to sit there all day until someone used AirDrop to send something and then I'd need to make sure to have my attack planned out in advance so that I could then use that information to do something useful.
The chances of that actually happening to some detriment are so small, in my eyes.
> So you'd need to be in physical proximity to the person, and what you're getting is details like your phone number which aren't especially private anyway
Once you know the phone number, you would then be able to track an iOS device's location if it's in "contacts only" discoverability mode for AirDrop, right?
Details are nice. Sure, I'll take your statement that AirDrop hashes aren't as robust as they should be at face value, but I'm going to need you to provide more information. Of course, the PDFs have this, but the article would do well to better summarize.
If a brute-force requires multiple 500 watt GPUs in order to brute force in real time, I'd like to know. This is vastly different than if it can be done on a laptop's GPU.
If hashes can be cracked later offline with 100% certainty, I'd like to know, since a malicious device can just collect hashes simply by traveling around a city.
But if the brute forced hashes need to be confirmed with the other AirDrop device in real time, else you don't know which of dozens, hundreds, or thousands of results you might get, then this is mostly a non-issue.
There is no need to brute force. We can build a rainbow table with valid phone numbers, which we can use to lookup a phone number hash in real time (about 50ms on a regular desktop machine). PoC available here: https://github.com/seemoo-lab/opendrop/blob/poc-phonenumber-...
It's not a problem of the existence of a rainbow table or of not being salted; the problem is that a hash is not very meaningful for a secret drawn from a small space, like a phone number (something like 10^13, even larger?).
> Sure, I'll take your statement that AirDrop hashes aren't as robust as they should be at face value, but I'm going to need you to provide more information. Of course, the PDFs have this, but the article would do well to better summarize.
Does the article they published about that which they link to not provide enough details? In that news release they referenced, they say "However, the research team shows that with new and optimized attack strategies, the low entropy of phone numbers enables attackers to deduce corresponding phone numbers from cryptographic hashes within milliseconds."
I'm not sure if I'm misunderstanding what you're asking, or if you just didn't notice that they provide the info you want fairly easily and succinctly already.
What's _multiple_? If it takes 20 high-end Teslas to crack this in real time, a desktop could feasibly brute force the hashes in hours, and a laptop could do so in a day. This is good enough for targeted attacks to be practical.
The issue with phone number hashes has been known for a while. See for example this post by Project Zero[0] where they leverage the issue (search for "Enabling AWDL") to remotely activate airdrop.
The way I read it their implementation was more of a proof of concept of a better privacy preserving system that works in the same way. Rather than a separate app.
Why not? I meet my friends for lunch and want to send them some photos while sitting in the restaurant?
This seems like a very plausible scenario and most users would not expect and would not want everyone in the restaurant to be able to see their email and phone number.
The implausible part is not having lunch with friends, although the pandemic has made that feel less plausible than it used to be... but rather, having an attacker actively running an attack within 10s of feet of your table at the restaurant. What is your threat model that makes this plausible?! You must be super important to have attackers following you to lunch. Or maybe you like to eat at restaurants that do their best to harvest all visitor data, even going so far as to use cutting edge vulnerabilities?
The person you replied to literally said this should be fixed. I agree with them that this is nowhere near as serious as issues Apple has had before, since the attack requires physical proximity and the use of the share pane. Even then, it doesn’t give the attacker RCE privileges or anything similarly world shaking.
Should Apple fix it? Again, absolutely. No one has said otherwise.
Nothing is 100% secure, so the relative risk posed by vulnerabilities can only really be assessed with a threat model. In most threat models, this is nowhere near as bad as their “GOTO Fail” bug or any number of others over the years.
I think celebrities and VIPs are essentially the only ones whose threat models would actually be impacted by this vulnerability in a plausible way.
> You must be super important to have attackers following you to lunch. Or maybe you eat at restaurants that do their best to harvest all visitor data, even going so far as to use cutting edge vulnerabilities?
… and do not use all of the other options for getting data from people in close proximity such as cameras or microcell sites. If your threat model goes far enough that this matters you should be more worried about all of the other options. I would be more worried about a Bluetooth, WiFi, or cellular exploit given the history.
(No, this is not saying that Apple shouldn’t improve this - only that it doesn’t seem like a huge change in the amount of risk you’re exposed to)
Or just grab the phone out of your hand - most people take their phones out of their pocket all the time even on the street. I used to ride a bus and they would grab phones and jump off just as bus would leave a stop. You can actually often get a ton more data this way if you have physical custody of device - no airdrop impersonation needed.
I was trying to exclude obvious attacks, but you’re certainly right for the average person. I’d worry more about, say, shoulder surfing a credit card or ID card more than this.
The threat model is that many someones knowingly or unknowingly have a stinger-like phone/device constantly collecting these hashes and cracking them. I know of at least one device in my building that was (likely unknowingly) attempting bluetooth-based hacking in a similar manner.
The remote RCE issues Apple has had are critical vulnerabilities. Saudi Arabia doesn't like you, they exploit remotely (maybe not even knowing who you are at all yet) to get your data / your contact lists and social graph etc - and you could be impacted or others could be impacted as a result in a major way.
This exploit requires that they already know who you are and where you live and where you go get coffee. They have to send a physical attacker to stalk your coffee shop. They have to have this equipment to run the impersonation exercise - and then wait until you are picking up coffee and airdropping something.
And after all this they get your email and phone number? So they know all these details about you but can't be bothered to use true people search or ANY of the data brokers or any of the giant data leaks to look this up?
Apple is selling a CONSUMER device. If your threat model is this elaborate, stick your phone in a faraday cage and leave it at home, someone could just grab it out of your hand at the coffee shop and be likely to get a lot more data.
So yes, it's a risk - but on the scale of risks including just being straight mugged and your phone stolen, it seems somewhat lower?
Is that necessary though? There are plenty of stories of people setting their AirDrop policies to 'Everyone' instead of 'Contacts Only' or 'None' where people are receiving unsolicited files (usually NSFW images). From my memory, they did not need to have their sharing pane open for this to happen to them.
Seems like Apple completely ignored that inside a country the first three digits are guessable and the hashed string has a defined length, which makes hash cracking a lot easier.
So this appears to require brute-forcing through every possible hash to see which ones match.
How long would this take?
I mean, is the person's iPhone going to respond to all 10 billion possible domestic US phone numbers in the, what, 3-10 seconds they have their share sheet open? Not to mention the far larger space of e-mail addresses, ultimately limited by whatever the hash length is?
Unless the AirDrop protocol is permitting the validation of many millions of hashes per second (presumably requiring 100mbps+ speed), this doesn't appear to be even remotely a viable attack method in practice, no?
TL;DR: If you're using an Apple device with AirDrop, and have the share sheet open for something that would be shareable with AirDrop, a malicious device within ~30ft of you could start attempting to brute-force the hashes of contacts your device exposes to determine whether the other device is a contact.
(The contact exposure is in support of a setting for AirDrop to work with Everyone, Contacts Only, or No one.)
While it's certainly a bit concerning, it's pretty unlikely to be a practical attack, particularly since all it does is get you the user's contact list. It doesn't sound like there's any way of using it to exfiltrate other information, and though the article doesn't touch on this (that I saw) I'd be surprised if the attack was fast enough to just gulp down all your contacts in the couple of seconds most people have their share sheets open.
> I'd be surprised if the attack was fast enough to just gulp down all your contacts in the couple of seconds most people have their share sheets open.
No, with the share sheet open, the attacker can simply record the hashes of phone numbers that are being broadcasted. And then crack the hashes off-line at any time, which is easy since there are at max 999-999-9999 hashes.
Assuming that's meant to represent 10 digits, it's not sufficient. My phone number is one longer than that (11 digits). If you drop the 0 prefix and use +44 instead, that'll be 12 digits (or 13 if you include the + but you could specify that as always present.)
(A minor nit since it only increases the search space 10x or 100x which probably doesn't make a huge impact?)
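The two points made in this thread, that a hash of a low-entropy value is not a secret no matter how it is computed (the rainbow-table and "small space" comments) and that the numbering plan's digit count only moves the search space by a factor of 10 or 100 (the 10- vs 11- vs 12-digit comment), can be put in numbers. The following is an added educational example, not code from the thread or from the researchers' PoC: it uses unsalted SHA-256 as a stand-in for whatever hash the protocol uses, the `+1555123xxx` block and the number `+1555123042` are constructed, and the 10^9 hashes/second rate is an assumed figure for the time estimate.

```python
import hashlib
import math


def phone_hash(number: str) -> str:
    """Unsalted SHA-256 of the digit string. A stand-in for the protocol's
    hash: the exact function does not matter here, only the input space."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def search_space(total_digits: int, known_prefix_digits: int = 0) -> int:
    """Candidate inputs once the first known_prefix_digits are fixed
    (country code, area code or carrier block)."""
    return 10 ** (total_digits - known_prefix_digits)


def entropy_bits(candidates: int) -> float:
    """Effective key length of a value chosen uniformly from `candidates`."""
    return math.log2(candidates)


def seconds_to_enumerate(candidates: int, hashes_per_second: float) -> float:
    """Wall-clock time to hash every candidate once at the given rate."""
    return candidates / hashes_per_second


def enumerate_numbers(prefix: str, free_digits: int):
    """Every number sharing `prefix` followed by `free_digits` digits."""
    for i in range(10 ** free_digits):
        yield prefix + str(i).zfill(free_digits)


def build_lookup_table(prefix: str, free_digits: int) -> dict:
    """Precomputed hash -> number map for one numbering block. Built once,
    reused for every hash observed afterwards."""
    return {phone_hash(n): n for n in enumerate_numbers(prefix, free_digits)}


def recover_number(table: dict, observed_hash: str):
    """Inversion is a dictionary lookup; no work happens at query time."""
    return table.get(observed_hash)


if __name__ == "__main__":
    # Numbering-plan comparison from the thread: 10-digit US vs 11/12-digit UK.
    for digits in (10, 11, 12):
        n = search_space(digits)
        print(f"{digits} digits: {n:.0e} candidates, {entropy_bits(n):.1f} bits, "
              f"{seconds_to_enumerate(n, 1e9):.0f} s at an assumed 1e9 hashes/s")
    # Knowing the country and area code fixes the leading digits.
    print("10 digits with 3 known prefix digits:", search_space(10, 3))
    # Constructed toy block (+1 555 123 xxx) keeps the demo instant.
    table = build_lookup_table("+1555123", 3)
    observed = phone_hash("+1555123042")  # the value a listener would record
    print("recovered:", recover_number(table, observed))
```

The entropy figure is the whole story: a 10-digit number is about 33 bits, and adding a country code or two digits raises that to 36 or 40, which is still far below anything a hash function can protect. Salting or keying the hash does not change the calculation against a peer that must compute the same value to run contact discovery, which is why the fix discussed in the thread is a protocol that never exposes a per-contact hash at all rather than a stronger hash.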
"As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device."
Which is fair but someone motivated, say a vendor that sells those "track customers in your store with bluetooth/Wi-Fi" adds support for this. Sure it's relatively low signal but it also costs nothing.