
Apple AirDrop has “significant privacy leak”, say German researchers
2021-04-23 18:59

The paper itself has a neutrally worded title that simply states the algorithm that it introduces, namely: PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop.

For those who don't have iPhones or Macs, AirDrop is a surprisingly handy but proprietary Apple protocol that lets you share files directly but wirelessly with other Apple users nearby.

The problem, according to the researchers, comes in the form of AirDrop's Contacts only mode, where you tell AirDrop not to accept connections from just anyone, but only from users already in your own contact list.

Simply put, the two ends of an AirDrop connection agree on whether they consider each other a contact by exchanging network packets that don't properly protect the privacy of the contact data.

In Contacts only mode, AirDrop apparently insists on each end coming up with a certificate that's ultimately signed by Apple itself.

According to the 2019 paper, if the recipient is using Everyone mode in AirDrop, then self-signed certificates are allowed, so even iPhones that have never called home to Apple to register for an Apple account can vouch for themselves and use AirDrop anyway.


News URL

https://nakedsecurity.sophos.com/2021/04/23/apple-airdrop-has-significant-privacy-leak-say-german-researchers/
