Apple AirDrop flaw exposes 1.5 billion devices — what to do

AirDrop settings on an iPhone with a MacBook in the background.
(Image credit: Aleksey Khilko/Shutterstock)

Apple's AirDrop protocol can accidentally leak your email address and phone number to any Apple device nearby, five German researchers have discovered. They say Apple has known of this problem — which makes 1.5 billion devices vulnerable — for nearly two years, but add that they've got a possible solution.

"It is possible to learn the phone numbers and email addresses of AirDrop users -- even as a complete stranger," states a website put up by the researchers. "An attacker just requires a Wi-Fi-capable device and physical proximity to a target."

"Apple users are still vulnerable," the site adds. "They can only protect themselves by disabling AirDrop discovery in the system settings and by refraining from opening the sharing pane."

How to protect yourself

To make sure you're not vulnerable to these attacks, you'll want to set your AirDrop to "Receiving Off" on an iPhone or iPad, and to "Allow me to be discovered by No One" on a Mac. 

You might also want to turn off Wi-Fi and Bluetooth when you're not using them. AirDrop uses Bluetooth to find nearby devices and Wi-Fi to move the files, so switching both radios off in the Settings app does stop it. Be aware that the Wi-Fi and Bluetooth buttons in the iOS Control Center only disconnect you from networks and accessories while leaving the radios on, so they are not enough on their own.

Setting AirDrop to "Everyone" is not a fix, despite what you might expect. It only changes what your device does when someone else tries to share with you: your own device still broadcasts the hashes of your phone number and email address whenever you open the sharing pane, and an "Everyone" receiver still gets other people's hashes. The researchers' own advice, quoted above, is to disable discovery entirely and to avoid opening the sharing pane. "Everyone" also exposes you to a lot of disturbing images sent by other iPhone users.

How AirDrop initiates connections

When your AirDrop-enabled device is ready to share a file, it broadcasts hashed forms of your phone number and email address (the ones tied to your Apple ID) to anything within Wi-Fi or Bluetooth range. The hashing is described below; it is not encryption, and that distinction is the whole problem.

It does this so that other Apple devices with AirDrop set to the "Contacts Only" default can check to see whether you're in their users' contact lists in case you want to connect. (Devices with AirDrop set to "Everyone" don't perform this check, but they still receive the hashed phone numbers and email addresses.)

The Apple devices don't broadcast actual phone numbers or email addresses. Rather, they send out "hashes" of those values: fixed-length strings of hexadecimal characters produced by running the text through a one-way mathematical function.

For example, the phone number 1 (212) 555-1212, with spaces and parentheses removed, would come out of the SHA-256 hashing algorithm that AirDrop uses as the 64-character string "26321368f6c23510f79a21085024dd5a4f958e6c22dc057a358d1b5a1fc5c932."

Other Apple devices check those hashes against the hashes of email addresses and phone numbers they have in their own contact lists. If a match is made, then those devices reply to yours with their own email and phone-number hashes. 

If both devices have each other's contact information in their Contacts list, then an AirDrop connection is made and files can be shared. (Again, the "Everyone" setting skips this check and just shares files with anyone.)

Sounds good, but there's a problem

The problem is that while hashes are supposed to be irreversible — you shouldn't be able to dial back a hash to get the original phone number or email address — that's not exactly how it works in real life.

"Cryptographic hash functions cannot hide their inputs (called preimages) when the input space is small or predictable, such as for phone numbers or email addresses," states an academic paper authored by researchers Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute and Christian Weinert. 

Heinrich, Hollick and Stute previously worked on ways to attack AirDrop's technical underpinnings.

In other words, because phone numbers follow predictable formats, it wouldn't take long for even a midrange computer to precompute the hashes of all the possible phone numbers in a specific area code (on the order of 10 million) or of all 10 billion or so possible 10-digit numbers in North America. SHA-256 is designed to be fast, which makes this kind of dictionary attack cheap.

A hacker could put a precomputed list of telephone-number hashes on a laptop, then sit in a public place — such as outside the entrance to a big corporation's headquarters at lunchtime — and passively collect the numbers of nearby iPhones as they try to set up AirDrop shares.

The hacker could also actively force other devices to give up their phone numbers. The attacker could initiate AirDrop shares by sending out the hash of a phone number that many people were likely to have in their contact lists — say, a company's main switchboard number, or the number of its human-resources department. 

Any passing iPhone with that number in its Contacts list would send back the hash of its own phone number.
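The following is an added example written for this article, not code from Apple or from the researchers. It models the "Contacts Only" exchange described above (sender broadcasts a SHA-256 hash of its number, receiver replies with its own hash only on a contact match, and both sides must know each other before a share is offered) and then runs both attacks against that model: the passive lookup of a sniffed hash in a precomputed area-code table, and the active probe that sends the hash of a widely stored number such as a company switchboard. The phone-number normalization (digits only, country code kept), the `Device` class and all numbers are assumptions and constructed sample data; the real AirDrop wire format is more involved than this.

```python
import hashlib
import re

# --- Model of the hashed-identifier exchange the article describes ---

def normalize_phone(number: str) -> str:
    # Assumption: digits only, country code kept ("+1 (212) 555-1212" -> "12125551212").
    return re.sub(r"\D", "", number)

def identifier_hash(identifier: str) -> str:
    # SHA-256 hex digest, the function the article names.
    return hashlib.sha256(identifier.encode()).hexdigest()

class Device:
    """A device in 'Contacts Only' mode (the default); 'Everyone' mode is not modeled."""

    def __init__(self, own_number: str, contacts):
        self.own_hash = identifier_hash(normalize_phone(own_number))
        self.contact_hashes = {identifier_hash(normalize_phone(c)) for c in contacts}

    def broadcast(self) -> str:
        # What leaks passively: the sender's own hash, emitted when the sharing pane opens.
        return self.own_hash

    def respond(self, sender_hash: str):
        # Receiver replies with its own hash only if the sender's hash matches a contact.
        return self.own_hash if sender_hash in self.contact_hashes else None

def contacts_only_handshake(sender: Device, receiver: Device) -> bool:
    """Both sides must hold each other's number before a share is offered."""
    reply = receiver.respond(sender.broadcast())
    return reply is not None and reply in sender.contact_hashes

# --- Attacker side ---

def build_lookup(area_code: str, exchanges) -> dict:
    """Precompute hash -> number for every line in the given exchanges of one area code.
    A whole North American area code is range(200, 1000) exchanges, about 8 million hashes."""
    table = {}
    for exch in exchanges:
        for line in range(10_000):
            number = f"1{area_code}{exch}{line:04d}"
            table[identifier_hash(number)] = number
    return table

def recover(observed_hash: str, table: dict):
    # Passive attack: look up a sniffed hash in the precomputed table.
    return table.get(observed_hash)

def active_probe(bait_number: str, victim: Device, table: dict):
    """Active attack: pretend to share from a number many people store (e.g. a switchboard)
    and see whether the victim replies with its own hash, then invert that hash."""
    reply = victim.respond(identifier_hash(normalize_phone(bait_number)))
    return recover(reply, table) if reply else None

def demo():
    # Constructed sample data; these are not real numbers.
    switchboard = "+1 (212) 555-0100"
    victim = Device("+1 (212) 555-1212", contacts=[switchboard, "+1 (212) 555-0123"])
    bystander = Device("+1 (415) 555-0199", contacts=[])
    table = build_lookup("212", exchanges=["555"])  # one exchange only: 10,000 hashes
    return {
        "passive": recover(victim.broadcast(), table),
        "active": active_probe(switchboard, victim, table),
        "bystander_active": active_probe(switchboard, bystander, table),
        "bystander_passive": recover(bystander.broadcast(), table),
        "mutual_handshake": contacts_only_handshake(
            Device(switchboard, contacts=["+1 (212) 555-1212"]), victim),
        "one_sided_handshake": contacts_only_handshake(
            Device(switchboard, contacts=[]), victim),
    }

if __name__ == "__main__":
    print(demo())
```

The bystander's number sits outside the precomputed area code, so neither attack recovers it, and it does not answer the switchboard probe at all because that number is not in its contacts. That is the whole defense the hash provides: it only holds up while the attacker's table does not cover the victim's number, which for a known area code it trivially does.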

OK, so what if a stranger knows my mobile number?

Because mobile phone numbers are (mistakenly) used as identity verification for password challenges, bank-account logins and two-factor authentication, you could cause a lot of damage if you got the phone numbers of high-profile individuals or anyone who owns a lot of Bitcoin.

Email addresses are a bit harder to precompute hashes for, as they don't conform to any set length and can contain letters as well as numbers. But a hacker could limit the precomputed hashes to addresses ending in "@gmail.com" or "@yahoo.com," or to addresses following a company's specific addressing format.

"Alternatively, an attacker could generate an email lookup table from data breaches or use an online lookup service for hashed email addresses," the paper states.

The hacker could then harvest email addresses in the same manner as the phone numbers. Those email addresses, the research paper notes, could be used "for fraudulent activities such as (spear) phishing attacks or making a profit by selling personal data."
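As an added illustration of the two email strategies the paper mentions (not the researchers' code), the example below builds one hash lookup table from a constructed breach dump and from guesses at a company's addressing formats, then tries to invert a few observed hashes. The dump lines, the names, the `corp.example` domain and the assumption that addresses are lowercased before hashing are all constructed for the example; only addresses that a source happened to produce can be recovered, which is why a random handle at a large provider comes back empty.

```python
import hashlib

def email_hash(address: str) -> str:
    # Assumption: the address is trimmed and lowercased before hashing.
    return hashlib.sha256(address.strip().lower().encode()).hexdigest()

def candidates_from_breach(dump_lines):
    """Pull addresses out of a constructed 'email:password' style dump; skip junk lines."""
    for line in dump_lines:
        addr = line.split(":", 1)[0].strip()
        if "@" in addr:
            yield addr

def candidates_from_directory(names, domain):
    """Guess a company's addressing formats from (first, last) name pairs."""
    for first, last in names:
        first, last = first.lower(), last.lower()
        yield f"{first}.{last}@{domain}"     # jane.doe@
        yield f"{first[0]}{last}@{domain}"   # jdoe@
        yield f"{first}{last[0]}@{domain}"   # janed@

def build_email_lookup(*sources) -> dict:
    """hash -> address for every candidate from every source."""
    table = {}
    for source in sources:
        for addr in source:
            table[email_hash(addr)] = addr.strip().lower()
    return table

def recover_emails(observed_hashes, table) -> dict:
    # None marks a hash that no candidate source covered.
    return {h: table.get(h) for h in observed_hashes}

def demo():
    # Constructed data, not taken from any real breach or directory.
    dump = [
        "mallory.example@yahoo.com:hunter2",
        "bob99@gmail.com:password1",
        "not an address",
    ]
    directory = [("Jane", "Doe"), ("Raj", "Patel")]
    table = build_email_lookup(
        candidates_from_breach(dump),
        candidates_from_directory(directory, "corp.example"),
    )
    observed = [
        email_hash("Jane.Doe@corp.example"),  # hit via the company-format guess
        email_hash("bob99@gmail.com"),        # hit via the breach dump
        email_hash("x7q2p@gmail.com"),        # random handle: no source covers it
    ]
    return recover_emails(observed, table), len(table)

if __name__ == "__main__":
    results, size = demo()
    print(size, "candidates;", results)
```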

A solution presents itself

The researchers, from TU Darmstadt in Germany, said they privately told Apple about the passive-attack scenario in May 2019, and the active-attack one in October 2020. In July 2019, a second group independently found the passive-attack issue and went public with it.

"Apple has not yet commented if they plan to address these AirDrop issues," the research paper says. (Tom's Guide has reached out to Apple for comment, and we will update this story when we receive a reply.)

The researchers have created an open-source project called "PrivateDrop" that "integrates seamlessly into the current AirDrop protocol stack." 

They say PrivateDrop, which they told Apple about in October, fixes the leak by replacing the exchange of hashed phone numbers and email addresses with a private set intersection (PSI) protocol: each device learns only whether the other party is in its contacts, and learns nothing about identifiers that don't match.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
