A new press release from the Technical University of Darmstadt in Germany is lifting the lid on some pretty significant security issues regarding Apple's cross-platform AirDrop software feature.
AirDrop, if you're not familiar (or not a Mac user), is a super handy file sharing feature that's baked into macOS and iOS. It lets users push files directly from device to device with the push of a (digital) button, using a combination of Bluetooth and Wi-Fi for some Cupertino-designed magic.
AirDrop has two modes that users can choose from. The first allows AirDrops from anybody with an iOS device, and the second is a "Contacts Only" mode. The second mode is designed to only allow files from trusted sources, or "Contacts" (duh).
In theory, the "Contacts Only" mode would make AirDrop more secure, as you're not leaving yourself open to files from someone you might not know. Unfortunately, the researchers at the Technical University of Darmstadt have uncovered some potentially dangerous security issues.
AirDrop relies on something called contact identifiers to help establish whether or not two AirDrop-enabled devices can communicate. Those are based on things like phone numbers and email addresses, and they are exchanged as SHA-256 cryptographic hashes.
Each device (Mac, iPhone or iPad) converts its own contact data into hashes and then compares them to the hashes received from the other device. The problem is that Apple isn't salting the hashes.
Salt, or salting, is a cryptographic technique used to safeguard passwords and other sensitive information that might be contained in a hash: a random value is mixed into the input before it's hashed. Salts defend against attacks that use precomputed tables. A salt can make the size of the table needed for a successful attack ridiculously large and can really hamper any attempt to crack the password.
As a result of not salting its hashes, Apple has basically made it possible for attackers to break the cryptography by brute force. Now, Apple uses Transport Layer Security (TLS) for things like AirDrop, which in theory means a hacker wouldn't be able to sniff this information over the air. Unfortunately, Darmstadt showed in 2019 that Manipulator-in-the-Middle (MitM) attacks make that entirely possible.
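To make the salting point above concrete, here's an added example (not code from the Darmstadt researchers or from Apple) that models the hashing step. It hashes a phone number with SHA-256 exactly as described, builds a precomputed lookup table over a constructed, deliberately tiny identifier space (a "+1555" prefix plus four digits, which is an assumption for illustration), and shows that an unsalted digest is reversed by a single table lookup while a digest salted with a random 16-byte value is not covered by that table at all. The `demo` function and the candidate range are hypothetical and exist only to run the comparison.

```python
import hashlib
import secrets

# Constructed example space: a fixed prefix plus four digits, 10,000 numbers.
# Real identifier spaces are larger but still small enough to enumerate,
# which is the whole reason an unsalted hash of them leaks the identifier.
CONSTRUCTED_PREFIX = "+1555"        # assumed prefix, not from the article
CANDIDATE_RANGE = range(0, 10_000)  # constructed candidate set


def candidate_numbers():
    """Enumerate every identifier in the constructed space."""
    return (f"{CONSTRUCTED_PREFIX}{n:04d}" for n in CANDIDATE_RANGE)


def hash_identifier(identifier: str, salt: bytes = b"") -> str:
    """SHA-256 of a contact identifier. An empty salt models the unsalted case."""
    return hashlib.sha256(salt + identifier.encode("utf-8")).hexdigest()


def build_lookup_table(salt: bytes = b"") -> dict:
    """Precompute digest -> identifier for the whole space under one salt.

    For the unsalted case this table is built once and reused against every
    digest ever observed. With a random per-exchange salt, an attacker would
    need a separate table per possible salt value, which is what makes the
    precomputation infeasible.
    """
    return {hash_identifier(num, salt): num for num in candidate_numbers()}


def recover_identifier(digest: str, table: dict):
    """Reverse a digest by lookup; None means the table does not cover it."""
    return table.get(digest)


def demo():
    """Compare unsalted and salted handling of one constructed identifier."""
    target = "+15551234"  # constructed victim identifier

    # Unsalted: the one precomputed table reverses the observed digest directly.
    unsalted_table = build_lookup_table()
    observed = hash_identifier(target)
    recovered_unsalted = recover_identifier(observed, unsalted_table)

    # Salted with a fresh random value: the same table no longer matches, and
    # rebuilding it for every one of the 2**128 possible salts is hopeless.
    salt = secrets.token_bytes(16)
    observed_salted = hash_identifier(target, salt)
    recovered_salted = recover_identifier(observed_salted, unsalted_table)

    return recovered_unsalted, recovered_salted, len(unsalted_table)


if __name__ == "__main__":
    plain, salted, size = demo()
    print(f"table size: {size}")
    print(f"unsalted digest recovered: {plain}")
    print(f"salted digest recovered:   {salted}")
```

The table here is trivial to build because the constructed space is tiny, but the same loop scales linearly with the identifier space, which is the practical reason low-entropy identifiers should never be exchanged as bare hashes.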
A MitM attack is when Device 1 (X in this case) thinks it's talking to Device 2 (Y in this case), which we'll denote as "X<-->Y", but the traffic is really being proxied through someone in the middle (in this case M), for something that looks more like "X<-->M<-->Y".
Darmstadt admits there are a few hoops people have to jump through before they can be the victim of a MitM attack in regards to AirDrop. It involves one party changing AirDrop back to "Everyone" mode (which isn't recommended anyway).
So what can you do to protect yourself? Follow these simple steps:
- Turn off AirDrop when you aren't using it - Pretty simple to understand. Close the door when you're not using it. You don't want people trying to send you things you don't want to see.
- Don't switch back to "Everyone" mode when "Contacts Only" doesn't work - It's easy to do but try and resist. This is a key step in a successful MitM attack. Think twice about where you are and what you're doing when you're trying to connect via AirDrop.
- Be careful who you connect to - With so many iOS and macOS devices in the wild, it'd be awfully easy to connect to the wrong person. Think twice before you connect.
So far Apple hasn't commented on the issue but if they do we'll let you know. Until then, be careful when using AirDrop.