TECH

AirDrop vulnerability reveals phone number and passwords to third parties

A new security flaw has been discovered in Apple's AirDrop feature which can let anyone with the computer and right software access some critical information including phone numbers and Wi-Fi passwords.
A report from Hexway claims that users just need to have Bluetooth turned on the broadcast to fall prey to this vulnerability. It says that “simply having Bluetooth turned on broadcasts a host of device details, including its name, whether it's in use if Wi-Fi is turned on, the OS version it's running, and information about the battery.”
It also adds that using AirDrop or Wi-Fi password sharing broadcasts a partial cryptographic hash which can easily be converted into a phone number. In the case of a Mac, a static MAC address, which can be used as a unique identifier — is also sent in Bluetooth Low Energy packets.
Hexway has also shared a video demonstrating the vulnerability in action. It's a fairly simple process for malicious third parties. With a proof-of-concept trial, the report was able to gather dozens of iPhones and Apple Watches within range. All that was needed for this was a computer and sniffer dongle.
Hexway is calling this issue more of a “behavior” than a “vulnerability” as it is baked into iOS. Currently, the only security measure you can take against this flaw is turning off Bluetooth entirely, which may not be an appropriate solution for everyone.
While Apple may find more secure ways to protect data like phone numbers when it's over the air between devices, eliminating its use entirely could be quite a challenge since those details are needed for devices to identify themselves to each other when using AirDrop.

G. C.