Apple has for a long time offered AirDrop on its iOS and Mac devices to enable easy content sharing between two devices. Similarly, it allows iPhone and Mac users to share their Wi-Fi passwords with a single tap. While both features are designed to enhance the user experience, a new report claims that an attacker can use AirDrop and Wi-Fi password sharing broadcasts to obtain potentially sensitive data, including phone numbers. It is also said that once Bluetooth is turned on, Apple devices broadcast device details, such as phone status and Wi-Fi status.
The report published by cyber-security firm Hexway claims that simply turning on Bluetooth enables attackers to access information about the phone status, battery information, Wi-Fi status, buffer availability, and OS version among other information. The loophole is claimed not to exist only on iPhone units, but also on MacBook, Apple Watch, and AirPods units. All this data is allegedly sent in Bluetooth Low Energy packets.
Alongside the Bluetooth vulnerability, the report by Hexway says that when using AirDrop, Apple users broadcast a partial SHA256 hash of their phone number. An attacker can use the hash to recover the original phone number and even contact the user in iMessage or obtain the name of the user, the report claims, detailing the steps involved of recovering a phone number from a partial hash.
In case of using the Wi-Fi password sharing feature, the report claims Apple devices send partial SHA256 hashes of phone number, Apple ID, and email addresses associated with them. “Only the first 3 bytes of the hashes are sent, but that’s enough to identify your phone number (actually, the number is recovered from HLR requests that provide phone number status and region),” the researchers claimed in their report, adding the steps that can be taken to convert the no details about whether email addresses can be recovered are mentioned. Hexway researchers have also released a few videos on YouTube to detail the issues.
A proof-of-concept (PoC) has been included with Hexway’s report to demonstrate the information broadcast. Ars Technica’s Dan Goodin says the PoC, when used by Errata Security CEO Rob Graham, showed that within a minute or two, details of more than a dozen of nearby iPhone and Apple Watch models was captured on a system.
Apple has provided a Contacts Only option in AirDrop that limits its access. Similarly, it is advisable to disable Bluetooth if it’s not in use. This is certainly not possible if you own an Apple Watch or use AirPods regularly.