The AirDrop feature on iPhones and MacBook computers has a vulnerability that could give scammers access to your email and phone number, a team of researchers says.
AirDrop lets you share photos, documents and other files with other Apple devices nearby. When users have Bluetooth and WiFi turned on, they can discover each other’s devices and connect and share.
But the discovery process can also leave your device open to potential data pirates, say computer science researchers at the Technical University of Darmstadt in Germany.
In a recently published alert, the researchers said strangers within range of your device can learn your email address and phone number when you open the sharing function. That’s because as part of the process to authenticate file sharing, AirDrop checks phone numbers and email addresses against the other user’s address book.
You don’t have to initiate a connection with the other device for it to potentially eavesdrop, and that represents “a severe privacy leak,” the researchers said. Several outlets including 9to5Mac.com have reported on the flaw.
Even though the data shared in AirDrop authentications has privacy protections—cryptography measures called hash functions—those “hash values can be quickly reversed using simple techniques such as brute-force attacks,” the researchers said. With your email address and phone number discovered, you could be more at risk for phishing attempts and other scams.
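Why a hash alone does not hide a phone number, shown as an added example that is not code from the researchers or Apple: it assumes SHA-256 over the plain number string (the article does not name the hash function) and uses a constructed number from the fictional 555-01xx range. The function names are hypothetical.

```python
import hashlib
import math


def digest(identifier: str) -> str:
    # Assumption: SHA-256 of the plain string; the article names no hash function.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def recover_number(target: str, prefix: str, suffix_digits: int):
    """Hash every number under `prefix` and compare against `target`.

    Returns (number, hashes_computed), or (None, hashes_computed) if absent.
    """
    total = 10 ** suffix_digits
    for n in range(total):
        candidate = f"{prefix}{n:0{suffix_digits}d}"
        if digest(candidate) == target:
            return candidate, n + 1
    return None, total


def keyspace_bits(digits: int) -> float:
    """Entropy, in bits, of a number with `digits` unknown decimal digits."""
    return digits * math.log2(10)


if __name__ == "__main__":
    # Constructed sample: a fictional number, hashed the way a device might
    # publish it. Only the last four digits are treated as unknown here.
    published = digest("+12025550143")
    number, tries = recover_number(published, "+1202555", 4)
    print(f"recovered {number} after {tries} hashes")

    # The hash output is 256 bits wide, but the input never had that much
    # uncertainty: a full 10-digit national number carries about 33 bits.
    print(f"10 unknown digits = {keyspace_bits(10):.1f} bits of entropy")
```

The protection a hash gives is bounded by how unpredictable its input is, which is why the researchers treat hashed contact identifiers as recoverable.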
The researchers say they notified Apple about the vulnerability nearly two years ago, but Apple “has neither acknowledged the problem nor indicated that they are working on a solution,” they said. “This means that the users of more than 1.5 billion Apple devices are still vulnerable to the outlined privacy attacks.”
They suggest users of Apple devices disable AirDrop—“Go to Settings>General>AirDrop>Receiving Off”—and not open the sharing menu. When you really need to share files, just turn the function back on and turn it off when you are finished.
Apple did not immediately respond to a request for comment on the alert. On its AirDrop instruction page, Apple suggests that users “make sure that the person you’re sending to is nearby and within Bluetooth and Wi-Fi range.”
The German researchers also said they designed a “PrivateDrop” feature to replace AirDrop, with improved privacy protections and “authentication delay well below one second.”