The security vulnerability which seemingly led to an AirDrop crack by a Chinese state institute has been known to Apple since at least 2019, according to a new report.
Some new details are also emerging about how China is able to obtain the phone numbers and email addresses of people transferring files via AirDrop …
Why China wanted to crack AirDrop
AirDrop is only intended to share the name of your phone (which you can set to anything you like). Your Apple ID should not be disclosed, nor the contact information associated with it – namely, your phone number and email address.
This security has made it a safe way for anti-government activists to distribute information censored on the Internet. It was, for example, widely used in Hong Kong to pass on the dates, times, and locations of upcoming protests. Chinese authorities want to identify those who distribute anti-government materials.
The Chinese AirDrop crack
Bloomberg yesterday reported that a state-backed institute had cracked AirDrop encryption, revealing the identities of those sending files.
Macworld was able to replicate part of what it suspects was done.
We launched the console on our Mac and AirDropped a file to it from an iPhone, discovering from the console log data that the “sharingd” process is responsible for AirDrop. This contains a dedicated sub-process called “AirDrop,” but several other sub-processes were also active during the file transfer. We found the name of our iPhone in one of the sub-processes, along with the strength of the Bluetooth signal.
The “AirDrop” sub-process actually stores the hash values for the email and phone number belonging to the contacted iPhone (see screenshot), but we were unable to access the plain text.
While the site didn’t manage to crack the hashes, it doesn’t seem much of a stretch to believe that China was able to do so.
Although they are stored as hash values, they are fairly easy to decipher: the phone number consists only of digits and is easy to decode using a brute-force attack. For emails, attackers guess the usual alias structures, then search for possible matches in dictionaries and databases of leaked emails.
Apple has known about this vulnerability since 2019
The report says that security researchers have long warned Apple about the risks of encoding phone numbers and email addresses in this way, and sending them to the receiving device. These warnings date back to at least 2019.
One of them was Alexander Heinrich at TU Darmstadt, who back in 2021 told Apple:
We discovered two design flaws in the underlying protocol that allow attackers to learn the phone numbers and email addresses of both sender and receiver devices.
He says that Apple responded to him while developing iOS 16, but seemingly didn’t fix the issue.
One likely reason for this is that switching to a more secure version of the AirDrop protocol – such as the PrivateDrop one proposed by Heinrich and his team – would not be backward-compatible. This would mean AirDrop would no longer work when transferring to and from older devices unable to run the latest iOS versions.
9to5Mac’s Take
It’s somewhat understandable that Apple didn’t want to break AirDrop compatibility with older devices.
However, now that the vulnerability is being actively exploited, and considering the extremely high stakes here – China has an utterly appalling human rights record in respect of dissidents – it does seem like this is by far the lesser of two evils.
FTC: We use income earning auto affiliate links. More.
Comments