The AirDrop feature on MacBook computers and iPhones has a vulnerability that could give scammers access to users’ email addresses and phone numbers, a team of researchers says. AirDrop allows users to share documents, photos, and other files with another Apple device nearby.
When users have WiFi and Bluetooth turned on, they can discover nearby devices, connect, and share. But the discovery process can also leave the user’s device open to potential data pirates, according to computer science researchers at the Technical University of Darmstadt in Germany.
In a recently published alert, the researchers said strangers within range of a user’s device can learn the user’s phone number and email address when the sharing function is opened. That’s because, as part of the process to authenticate file sharing, AirDrop checks email addresses and phone numbers against the other user’s address book.
The data shared in AirDrop authentication has privacy protections: cryptographic measures called hash functions. According to the researchers, these hash values can be quickly reversed using simple techniques such as brute-force attacks. With phone numbers and email addresses discovered, users can be more at risk of phishing attempts and other scams.
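Why a hash alone does not hide a phone number, shown as an added example that is not code from the researchers or from Apple: the number space is small enough to enumerate. SHA-256, the number format, and every function name are assumptions made for illustration; the sample number is constructed from the fictional 555-01xx range.

```python
import hashlib
import time

def contact_hash(identifier: str) -> str:
    """Unsalted hash of a contact identifier. SHA-256 is an assumption here."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def keyspace(free_digits: int) -> int:
    """How many phone numbers exist when `free_digits` digits are unknown."""
    return 10 ** free_digits

def recover(target: str, prefix: str, free_digits: int):
    """Hash every number under `prefix`; return the match, or None."""
    for n in range(keyspace(free_digits)):
        candidate = f"{prefix}{n:0{free_digits}d}"
        if contact_hash(candidate) == target:
            return candidate
    return None

def seconds_to_exhaust(free_digits: int, hashes_per_second: float) -> float:
    """Worst-case time to cover the whole number space at a given hash rate."""
    return keyspace(free_digits) / hashes_per_second

def measure_rate(samples: int = 20000) -> float:
    """Hashes per second this interpreter manages on one core."""
    start = time.perf_counter()
    for n in range(samples):
        contact_hash(f"+1202555{n:04d}")
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    # Constructed sample: a number in the fictional 555-01xx range.
    observed = contact_hash("+12025550142")
    print("recovered:", recover(observed, "+1202555", 4))
    rate = measure_rate()
    print(f"10 unknown digits at {rate:,.0f} hashes/s: "
          f"{seconds_to_exhaust(10, rate) / 3600:.1f} hours on one core")
```

The takeaway for anyone designing a contact-matching protocol is that hashing protects an identifier only when the input space is too large to enumerate, which phone numbers are not.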
The researchers said they had informed Apple about this problem two years ago, but Apple has not acknowledged the issue or indicated that it is working on it. This means the users of more than 1.5 billion Apple devices are still open to the outlined privacy attacks.
The researchers suggest that Apple users disable AirDrop. To disable it, go to Settings > General > AirDrop > Receiving Off, and do not open the sharing menu. When you want to share files, turn it on, and after finishing, turn it off again. On the AirDrop instruction page, Apple suggests that users make sure that the person they are sending to is nearby and within Bluetooth and WiFi range.
The German researchers have designed a PrivateDrop feature to replace AirDrop, with improved privacy protections and an authentication delay well below one second.