Security News > 2021 > April > Apple, you've AirDrop'd the ball: Academics detail ways to leak contact info of nearby iThings for spear-phishing
A bug-hunting team at Technische Universität Darmstadt in Germany reverse engineered AirDrop - iOS and macOS's ad-hoc over-the-air file-sharing service - and found that senders and receivers may leak their contact details in the process.
Despite the team alerting Apple to the oversight in May 2019, and suggesting ways to address it last October, the iGiant hasn't issued a fix.
AirDrop sets up a TLS-encrypted direct peer-to-peer Wi-Fi connection between Apple gear for sharing files.
The Darmstadt team analyzed the proprietary Wi-Fi link-layer protocol, known as the Apple Wireless DirectLink, and the Bluetooth connections AirDrop uses, and found a way to potentially obtain victims' contact details - typically their phone number or email address.
The miscreant transmits AirDrop requests to receivers in the vicinity, and sends that common contact detail as a hash in the handshaking message.
The nearby receivers recognize the hashed contact detail and reply with a message containing their contact details as hashes.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/04/22/airdrop_contact_leaks/