Security News > 2021 > April > Apple AirDrop has “significant privacy leak”, say German researchers
The paper itself has a neutrally worded title that simply states the algorithm that it introduces, namely: PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop.
For those who don't have iPhones or Macs, AirDrop is a surprisingly handy but proprietary Apple protocol that lets you share files directly but wirelessly with other Apple users nearby.
The problem, according to the researchers, comes in the form of AirDrop's Contacts only mode, where you tell AirDrop not to accept connections from just anyone, but only from users already in your own contact list.
Simply put, the two ends of an AirDrop connection agree on the whether they consider each other a contact by exchanging network packets that don't properly protect the privacy of the contact data.
In Contacts only mode, AirDrop apparently insists on each end coming up with a certificate that's ultimately signed by Apple itself.
According to the 2019 paper if the recipient is using Everyone mode in AirDrop, then self-signed certificates are allowed, so even iPhones that have never called home to Apple to register for an Apple account can vouch for themselves and use AirDrop anyway.
News URL
Related news
- Researchers Detail Apple's Recent Zero-Click Shortcuts Vulnerability (source)
- Hardware-level Apple Silicon vulnerability can leak cryptographic keys (source)
- New "GoFetch" Vulnerability in Apple M-Series Chips Leaks Secret Encryption Keys (source)
- New GoFetch Vulnerability in Apple’s M Chips Allows Secret Keys Leak on Compromised Computers (source)
- Academics probe Apple's privacy settings and get lost and confused (source)