An AirDrop security flaw can allow anyone with a laptop and scanning software to see your phone number. The same is true when you share a Wi-Fi password from your iPhone.
Doing the same from a Mac reveals its permanent MAC address instead…
Hexway’s report includes proof-of-concept software that demonstrates the information broadcast. Errata Security CEO Rob Graham installed the proof-of-concept on a laptop that was equipped with a wireless packet sniffer dongle, and within a minute or two he captured details of more than a dozen iPhones and Apple Watches that were within radio range of the bar where he was working.
“This is the classic trade-off that companies like Apple try to make when balancing ease of use vs privacy/security,” independent privacy and security researcher Ashkan Soltani told Ars. “In general, automatic discovery protocols often require the exchange of personal information in order to make them work—and as such—can reveal things that could be considered sensitive. Most security and privacy minded folks I know disable automatic discovery protocols like AirDrop, etc just out of principle.”
Although Apple takes steps to guard against this, security researchers have found it’s trivial to crack the system used.
In the event someone is using AirDrop to share a file or image, they’re broadcasting a partial SHA256 hash of their phone number. In the event Wi-Fi password sharing is in use, the device is sending partial SHA256 hashes of its phone number, the user’s email address, and the user’s Apple ID. While only the first three bytes of the hash are broadcast, researchers with security firm Hexway (which published the research) say those bytes provide enough information to recover the full phone number.
The full phone number can be recovered because an attacker can create a database with the hash values for every phone number in their region. The blog post doesn’t explain how the phone number is matched from only the first three bytes of the hash, but the scripts can be found on GitHub.
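Why three bytes are enough comes down to how few phone numbers exist compared with the 16.7 million possible three-byte prefixes. The Python below is an added example, not code from Hexway's scripts or from the article; it measures how many identifiers in a population share each prefix, keeping counts only. The identifier strings are constructed and fictional, and the string format and UTF-8 encoding fed to SHA256 are assumptions, since the page does not say how Apple formats the number before hashing.

```python
import hashlib
import math
from collections import Counter

PREFIX_BYTES = 3                    # per the page: only the first three bytes are broadcast
PREFIX_SPACE = 256 ** PREFIX_BYTES  # 16,777,216 possible prefixes


def truncated_hash(identifier: str) -> bytes:
    """First three bytes of SHA256 over the identifier (UTF-8 encoding is an assumption)."""
    return hashlib.sha256(identifier.encode("utf-8")).digest()[:PREFIX_BYTES]


def constructed_numbers(count: int):
    """Constructed sample identifiers: fictional 12-digit strings, not subscriber numbers."""
    for i in range(count):
        yield f"000000{i:06d}"


def anonymity_profile(identifiers) -> dict:
    """Count identifiers per prefix; only counts are stored, never the identifiers."""
    per_prefix = Counter(truncated_hash(x) for x in identifiers)
    total = sum(per_prefix.values())
    unique = sum(1 for c in per_prefix.values() if c == 1)
    return {
        "identifiers": total,
        "distinct_prefixes": len(per_prefix),
        "fraction_unique": unique / total,  # share whose prefix nobody else has
        "largest_bucket": max(per_prefix.values()),
    }


def expected_fraction_unique(population: int) -> float:
    """Chance that no other identifier shares a given prefix (Poisson approximation)."""
    return math.exp(-(population - 1) / PREFIX_SPACE)


def expected_candidates(population: int) -> float:
    """Average candidate-set size for a prefix that one member of the population sent."""
    return 1 + (population - 1) / PREFIX_SPACE


if __name__ == "__main__":
    print(anonymity_profile(constructed_numbers(200_000)))
    print(expected_candidates(10_000_000))  # constructed population size
```

A truncated hash only hides an identifier when many plausible identifiers share each prefix; with phone-number-sized populations the candidate set stays at a handful at most, so the broadcast value behaves close to a stable identifier.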
It’s the same if you share Wi-Fi passwords from your iPhone, explains cybersecurity company Hexway.
You just have to choose a network from the list, and your device will start sending Bluetooth LE requests to other devices asking them for the password. How does your friend know that the person requesting a password is you? Broadband BLE requests contain your data, namely, SHA256 hashes of your phone number, AppleID, and email. Only the first 3 bytes of the hashes are sent, but that’s enough to identify your phone number (actually, the number is recovered from HLR requests that provide phone number status and region).
Hexway published video demos of both the AirDrop security flaw and the password-sharing one. The software sends a text message to the number to prove that it was discovered.
It follows an earlier report of a Bluetooth flaw that would allow geographical tracking of iPhones, iPads, Macs, Apple Watches, Fitbit devices, and laptops/tablets running Windows 10.