Apple’s AirDrop and Wi-Fi password sharing are easily two of the most convenient and user-friendly features that Apple offers to people in its ecosystem, and Apple fans swear by them. But a new report suggests that using either of them puts users in danger of sharing sensitive data. The report claims that the vulnerability is found in iPhones, MacBooks, Apple Watches, and AirPods.
According to researchers at Hexway, Apple devices constantly send out large data packets via Bluetooth Low Energy (LE). Every time Apple users share a file using AirDrop, “your phone sends out SHA256 (phone number) hash to all the devices around,” the report said. An attacker can then use this to learn details including the sender’s phone number, contact them through iMessage, or even find out the user’s name.
The same applies to Wi-Fi password sharing. Every time a user enables this feature, “Broadband BLE requests contain your data, namely, SHA256 hashes of your phone number, AppleID, and email,” claims the Hexway report. It also says that even though only the first 3 bytes of the hashes are sent, that is enough for an attacker to identify your phone number.
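How much a 3-byte prefix narrows things down depends on how large the set of plausible numbers is. The following is an added example, not code from the Hexway report: it measures prefix uniqueness over a constructed block of fictional numbers, and the string encoding fed to SHA-256 is an assumption.

```python
import hashlib
from collections import Counter

PREFIX_BYTES = 3  # the report says only the first 3 bytes of each hash are sent


def truncated_id(number: str) -> bytes:
    """First 3 bytes of SHA-256 over the number (string encoding is assumed)."""
    return hashlib.sha256(number.encode("ascii")).digest()[:PREFIX_BYTES]


def expected_unique_fraction(space_size: int) -> float:
    """Chance that no other number in the space shares a given 24-bit prefix."""
    return (1 - 2.0 ** (-8 * PREFIX_BYTES)) ** (space_size - 1)


def expected_lookalikes(space_size: int) -> float:
    """Average count of other numbers sharing a given number's prefix."""
    return (space_size - 1) / 2 ** (8 * PREFIX_BYTES)


def measured_unique_fraction(numbers) -> float:
    """Hash every number and return the share whose prefix nobody else has."""
    counts = Counter(truncated_id(n) for n in numbers)
    unique = sum(1 for c in counts.values() if c == 1)
    return unique / sum(counts.values())


def constructed_block(size: int):
    """Constructed sample space of fictional numbers, not real subscribers."""
    return [f"+1555{n:07d}" for n in range(size)]


if __name__ == "__main__":
    block = constructed_block(200_000)
    print(f"measured unique share : {measured_unique_fraction(block):.4f}")
    print(f"predicted unique share: {expected_unique_fraction(len(block)):.4f}")
    # Larger candidate spaces leave more ambiguity per broadcast prefix.
    for size in (10**6, 10**7, 10**10):
        print(f"space {size:>14,}: {expected_lookalikes(size):8.2f} lookalikes, "
              f"{expected_unique_fraction(size):.3f} unique")
```

Truncation only hides a number among the others that share its prefix, so the exposure grows as the candidate space shrinks, for example when the region or carrier range is already known.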
The report also includes proof-of-concept videos to show the information that is broadcast and suggests that the vulnerability is found in all iOS devices from iOS 10.3.1 onwards. According to a report by Ars Technica, Errata Security CEO Rob Graham “installed the proof-of-concept on a laptop that was equipped with a wireless packet sniffer dongle, and within a minute or two he captured details of more than a dozen iPhones and Apple Watches that were within radio range of the bar where he was working.”
In the end, the report comments that “this behaviour is more a feature of the work of the ecosystem than vulnerability” and the only way to be completely safe is to turn off Bluetooth on your device.