Critical vulnerabilities in AirDrop put sensitive information of Apple users at risk

German researchers claim to have discovered two security flaws that would allow Apple smartphones to be attacked through the AirDrop file transfer feature. Both flaws reside in the authentication step at the start of an AirDrop connection, in which two devices discover each other and then verify that their owners have approved the connection.

During this process, the devices exchange Apple Wireless Direct Link (AWDL) packets that contain information about the device and its owner, including device specifications, Apple ID, email address, phone number and more. Apple protects the information exchanged in this step with the SHA256 hash function.

According to the researchers, once AirDrop is enabled on an Apple device, it broadcasts these packets constantly and in all directions. A threat actor near the device could use a WiFi card to intercept the AWDL packets and recover the hashed content, extracting sensitive user information.
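The weakness the article describes follows from the fact that a plain SHA256 digest of a low-entropy identifier such as a phone number can be matched against a list of candidate values by anyone who captured it. The following is an added illustration, not code from the researchers or from Apple, and it models only the abstraction (hash of an identifier), not the AWDL packet format; the contact list and key are constructed sample values.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed sample contact list; these are placeholder numbers, not real contacts.
SAMPLE_CONTACTS: List[str] = ["+1-555-0100", "+1-555-0101", "+1-555-0102"]


def sha256_identifier(identifier: str) -> str:
    """Unkeyed SHA256 of an identifier, the form of protection the article describes."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def hmac_identifier(identifier: str, key: bytes) -> str:
    """Keyed digest: without the key, an observer cannot compute digests of guesses."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def match_against_contacts(observed_digest: str, contacts: List[str],
                           key: Optional[bytes] = None) -> Optional[str]:
    """Return the contact whose digest equals the observed one, or None.

    This is the legitimate check a receiver performs to decide whether a sender
    is a known contact. With an unkeyed hash the very same check can be run by
    any third party that captured the digest and holds a list of candidate
    identifiers; with a keyed digest only a holder of the key can run it.
    """
    for candidate in contacts:
        digest = (hmac_identifier(candidate, key) if key is not None
                  else sha256_identifier(candidate))
        if hmac.compare_digest(digest, observed_digest):
            return candidate
    return None


if __name__ == "__main__":
    observed = sha256_identifier("+1-555-0101")
    print("unkeyed, matched by anyone:", match_against_contacts(observed, SAMPLE_CONTACTS))
    key = b"constructed-demo-key"
    keyed = hmac_identifier("+1-555-0101", key)
    print("keyed, no key:", match_against_contacts(keyed, SAMPLE_CONTACTS))
    print("keyed, with key:", match_against_contacts(keyed, SAMPLE_CONTACTS, key))
```

A keyed digest is not a drop-in fix for AirDrop, since two devices that have never met share no key; that gap is why the researchers argue for a dedicated privacy-preserving discovery protocol rather than a change of hash function.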

This group of researchers first notified Apple about the issue in 2019, in a report that also covered other attack variants targeting AirDrop. The researchers have now published a second report that builds on their earlier work to show that this attack variant can also evolve, which would put millions of users at risk worldwide. It should be noted that more than 500 million Apple devices currently support AirDrop connections. It is very likely that this kind of vulnerability also applies to AirPlay connections, since they are likewise based on sending AWDL packets.

The researchers conclude by noting that they have even proposed to Apple the adoption of a new private, personalized communication protocol to mitigate this risk, although so far they have not received a specific response from the company. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to visit the International Institute of Cyber Security (IICS) websites.