Apple, you've AirDrop'd the ball: Academics detail ways to leak contact info of nearby iThings for spear-phishing

2021-04-22 08:16

A bug-hunting team at Technische Universität Darmstadt in Germany reverse engineered AirDrop - iOS and macOS's ad-hoc over-the-air file-sharing service - and found that senders and receivers may leak their contact details in the process.

Despite the team alerting Apple to the oversight in May 2019, and suggesting ways to address it last October, the iGiant hasn't issued a fix.

AirDrop sets up a TLS-encrypted direct peer-to-peer Wi-Fi connection between Apple gear for sharing files.

The Darmstadt team analyzed the proprietary Wi-Fi link-layer protocol, known as the Apple Wireless DirectLink, and the Bluetooth connections AirDrop uses, and found a way to potentially obtain victims' contact details - typically their phone number or email address.

The miscreant transmits AirDrop requests to receivers in the vicinity, and sends that common contact detail as a hash in the handshaking message.

The nearby receivers recognize the hashed contact detail and reply with a message containing their contact details as hashes.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/04/22/airdrop_contact_leaks/

#apple #leak #phishing #spearphishing

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Apple		135	582	4214	1623	2414	8833

News URL

Related news

Related vendor