An interesting discovery made by security researchers at the Technical University of Darmstadt, Germany, suggests that there is a security flaw in Apple’s AirDrop service.
Apple AirDrop is one of the services that serves as a place to share data such as photos, videos, locations, sites, and even other personal data wirelessly around users of Apple devices (iOS or MacOS). The app requires users to activate Wifi and Bluetooth at the same time before making a data transfer.
In addition, the most important thing in using this app is that the user must sign in using an ID to be able to take advantage of the service. The reciprocal authentication process embedded by Apple utilizes the data contained in the contact address in the form of an email address as well as a phone number, so that the data transfer service seems safe from any form of hacking.
However, security researchers found weaknesses behind the service. The data transfer process could have been hacked by someone who is even fully a stranger. They explained that it only takes a Wifi device and the distance between Apple device users as long as the AirDrop transfer portal is opened.
Reported from TU Darmstadt’s official website, the main problem that causes this security loophole is Apple’s use of hash functions for contact address information on both the sender and recipient sides. Hackers can change hash values and brute-force attacks, then obscure the information so that they get data transfer during the exchange process. The hacking mechanism in this case has also been established in a discussion forum on one of the platforms, GifHub.
The research team has also developed a solution to the problem in October 2020. They developed a service called PrivateDrop to replace the troubled AirDrop service. This service optimizes hash values so that contact meetings in the data transfer portal can be conducted securely. This service can also provide time efficiency to the authentication process in under 1 second.
So far Apple has not made any updates and has not acknowledged any vulnerability gaps in the service. This means that hacking on AirDrop is still vulnerable and can be experienced by Apple’s 1.5 billion device users. However, this can certainly be solved simply by disabling it until the information or security updates are done by Apple.
“This means Apple users are still vulnerable to the privacy attacks outlined. They can only protect themselves by disabling AirDrop discovery in system settings and by refraining from opening the sharing panel,” according to the PrivateDrop development team.