Are Passkeys the Future? Apple Seems to Think So...
It's no secret that passwords are a pain in the butt. They can be difficult to remember, they're a huge target for cybercriminals, etc.
Telephone
1 (877) 664-9379
Press "1" for Support
Press "2" for Sales
Press "3" for Finance
Headquarters
861 Lafayette Rd
Unit 4
Hampton, NH 03842
2 min read
Carl Keyser
:
Apr 29, 2021 10:10:25 AM
A new press release from the Technical University of Darmstadt in Germany is lifting the lid on some pretty significant security issues regarding Apple's cross-platform AirDrop software feature.
AirDrop, if you're not familiar (or a Mac user) is a super handy file sharing feature that's baked into macOS and iOS. It allows users to push files directly from device to device with the push of a (digital) button using a combination of BlueTooth and WiFi for some Cupertino-designed magic.
AirDrop has two modes that users can choose from. The first allows AirDrops from anybody with an iOS device and the second is a "Contacts Only" mode. The second mode is designed to only allow files from trusted sources or "Contacts" (duh).*
In theory, the "Contacts Only" mode would make AirDrop more secure, as you're not leaving yourself open to files from someone you might not know. Unfortunately, the researchers at the Technical University of Darmstadt have uncovered some potentially dangerous security issues.
AirDrop relies on something called contact identifiers to help establish whether or not two AirDrop enabled devices can communicate. Those are based on things like phone numbers and email addresses. These things are exchanged over something called SHA-256 Cryptographic Hashes.
Each device (Mac, iPhone or iPad) converts their own contact data into hashes and then compares them to the information received from the other device. The problem is...Apple's not salting the hashes.
Salt, or Salting, is a cryptographic technique that's used to safeguard passwords and sensitive information that might be contained in a hash. Salts defend against attacks that might use precomputed tables. A "salt" can make the size of the table needed for a successful attack ridiculously large and can really hamper any attempt to crack the password.
As a result of not salting their hashes, Apple has basically made it possible for attackers to break the cryptography by brute force. Now, Apple uses Transport Layer Security (TLS) for things like AirDrop and that means, theoretically, a hacker wouldn't be able to sniff out this information over the air. Unfortunately, Darmstadt proved in 2019 that Manipulator-in-the-Middle (MitM) attacks make that entirely possible.
A MitM attack is when Device 1 (X in this case) thinks they're talking to Device (2) (Y in this case) which we'll denote as "X<-->Y" but the traffic is really being proxied through someone in the middle (in this case M) for something that looks more like this "X<-->M<-->Y."
Darmstadt admits there are a few hoops people have to jump through before they can be the victim of a MitM attack in regards to AirDrop. It involves one party changing AirDrop back to "Everyone" mode (which isn't recommended anyway).
So what can you do to protect yourself? Follow these simple steps:
So far Apple hasn't commented on the issue but if they do we'll let you know. Until then, be careful when using AirDrop.
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.
Don't forget to follow us on LinkedIn and Twitter
Your blog post content here…
It's no secret that passwords are a pain in the butt. They can be difficult to remember, they're a huge target for cybercriminals, etc.
A newly discovered exploit is using a flaw in Microsoft's Support Diagnostic Tool (MSDT) to remotely take over end-points via compromised Word...
It used to take a good deal of coding knowledge to build a website or an application. That's not the case anymore. You can build a website in...