Hacker News new | past | comments | ask | show | jobs | submit login
Apple knew AirDrop users could be identified and tracked as early as 2019 (cnn.com)
146 points by giuliomagnifico 3 months ago | hide | past | favorite | 17 comments

Matthew Green just wrote up the details of the attack:


Thanks! That looks more informative so I've re-upped https://news.ycombinator.com/item?id=38955018 (via the second-chance pool mechanism) and will move the relevant comments thither.

> “This breach is just another way for Beijing to target any Apple user it perceives to be an opponent. The time to act is now, and Apple must be held accountable for failing to safeguard its users against such blatant security breaches.” (Marco Rubio, Florida Senator)

Holy shit the amount of hyperbole is staggering. "Any Apple user", so Beijing can just "target" Joe Nobody in Bumfuck, Idaho's iPhone if they perceive him to be an opponent? But the guy making the accusation is from Florida, so...

>Chinese authorities claim they exploited the vulnerabilities by collecting some of the basic identifying information that must be transferred between two Apple devices when they use AirDrop — data including device names, email addresses and phone numbers.

Yep, this is bad, but not really a zero day vulnerability. It lets someone who is in range when you're airdropping stuff in public to see your basic info.

Not really a worrying case in normal use, but Chinese dissidents have a very specific use-case for transferring stuff P2P without going through the government monitored network.

Why are we blaiming Apple that an easy file transfer service that most users use casually to transfer files doesn’t meet the needs of anonymity for dissidents when being tracked by a major world superpower government.

It’s not sure why we’re treating this like it’s the Tor browser. It’s a way to quickly share the photos you’ve taken among friends.

It’s not some conspiracy. Apple just didn’t design the product for what they’re using it for.

When you are a large entity, you have a lot of responsibilities to ensure that your users are safe even when they don’t use a service in its intended fashion.

This is fundamental to secure design and it’s also why it’s important for teams to have a both diverse skill set and diverse background to really think out how these features may be used.

How can a beacon service that can detect whether other iPhones in your general area are in your contacts be totally private secure and totally anonymous and to anyone let alone the local government's intelligence service?

Have you ever used airdrop? I don't understand why anyone would expect a high degree of privacy from this application.

I think it demonstrates how when you are a large enough entity you get totally blamed for everything no matter what. Make it totally anonymous to send to everyone and you get blamed for creepers sending anonymous dick pics. Don't make it anonymous and you get blamed for the government spying on users en masse because they can track you within bluetooth radius.

> A group of Germany-based researchers at the Technical University of Darmstadt, who first discovered the flaws in 2019, told CNN Thursday they had confirmation Apple received their original report at the time but that the company appears not to have acted on the findings. The same group published a proposed fix for the issue in 2021, but Apple appears not to have implemented it, the researchers said.

>One of the researchers, Milan Stute, shared an email with CNN showing a representative of Apple’s product security team acknowledging the researchers’ report in 2019


It would be legit but unfortunately I think it's very difficult to prove (to a court) that Apple knew and intentionally did nothing.

Most of us ship suboptimal code and intend to improve it later, knowing that later often turns into never.


Not that I'm either, but I think I'd rather be a consequentialist than a nihilist.

Big on privacy though.

Big on privacy if you listen to what Apple says and ignore the news.

I mean wasn’t this obvious when Tile’s came out ? Honestly at this point Tile’s are more secure because less people use it.

This is about AirDrop, not Air Tags.

I guarantee that the engineer who built airdrop knew that as soon as he committed his code.

Likely, given that Apple's public documentation of the exact behavior probably didn't write itself: https://support.apple.com/guide/security/airdrop-security-se...

Likely before that

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact