Is that necessary though. There are plenty of stories of people setting their AirDrop policies to 'Everyone' instead of 'Contacts Only' or 'None' where people are receiving unsolicited files (usually NSFW images). From my memory, they did not need to have their sharing pane open for this to happen to them.
airdrop is actually like a security hole when Apple set "open to everyone" by default.
There are already quite some cases using it to send * photos as sex harassment.
Apple should set default to "only contacts".
I've had friends AirDrop me stuff. I was pretty sure it was contacts only by default. Had to search in settings to find it though, sure enough, contacts only.
Turn off airdrop for non contacts? Turn off airdrop? Pretty misleading of them saying every time you click share instead of share with airdrop everyone can see some info.
I believe that this information leak occurs BECAUSE AirDrop is only enabled for Contacts by default - you disclose your own hashed phone number when you open the Share dialog in order to allow nearby phones to decide whether you're on their Contacts list.
Interesting. I just read the title and assumed it was talking about security issues. Since we all know AirDrop can share files (what it was intended for), presumed this meant it's also sharing some data/privacy issues unbeknownst to us.
9/10 times they haven't set the permissions to receive files through airdrop. It used to be open, but that was a huge security vuln. People could just airdrop whatever picture they wanted to all the iPhones on an airplane for example
> The second step, is Airdrop requesting a device to accept a connection.
> At that point, you see who is sending you the send request, and you can accept/deny.
Revealing the identity hash must happen earlier than that, since the entire point of the "only contacts" feature is that you can't even see non-contacts on your AirDrop share sheet.
And since Apple (correctly, in my view) didn't want receiving devices to publicly broadcast their identities (or even worse the set of acceptable senders), it's on the sender to initially broadcast their identity to all devices within range.
The candidate devices (i.e. those that have the sender in their contacts) then respond and get populated in the share sheet target list.
What's potentially surprising is that this must happen even before selecting AirDrop as a share target, since (at least on my device) I can already see nearby AirDrop contacts in the "frequently contacted" part of the general share sheet...
I use AirDrop mostly to share with my own devices quickly, and I've been baffled that I have to set sharing to everyone to see my own devices. Setting it to contacts hasn't worked, and that's a big oversight by Apple.
There simply isnt a need to "Set the feature" for any kind of event. It's not like you can turn this on, put your phone in your pocket and then have people send unsolicited files to your phone all day long. Airdrop only works when your phone is unlocked and in use. You already have to interact with it to receive something, and you can put a shortcut button in control center for it. Making the privacy-preserving setting the default is the right call. Whether or not China had anything to do with it is honestly irrelevant.
TL;DR: If you're using an Apple device with AirDrop, and have the share sheet open for something that would be shareable with AirDrop, a malicious device within ~30ft of you could start attempting to brute-force the hashes of contacts your device exposes to determine whether the other device is a contact.
(The contact exposure is in support of a setting for AirDrop to work with Everyone, Contacts Only, or No one.)
While it's certainly a bit concerning, it's pretty unlikely to be a practical attack, particularly since all it does is get you the user's contact list. It doesn't sound like there's any way of using it to exfiltrate other information, and though the article doesn't touch on this (that I saw) I'd be surprised if the attack was fast enough to just gulp down all your contacts in the couple of seconds most people have their share sheets open.
> While AirDrop’s device-to-device communications channel is typically protected from third-party snooping by its own layer of security, that wouldn’t shield someone who may have been tricked into connecting with a stranger, perhaps by tapping on a deceptively named device in a list of contacts or by thoughtlessly accepting an unsolicited connection request. This step is required for the sender to be identified, according to security experts.
Apple already acted on this, didn’t they? AirDrop now defaults to off and you can only switch it on for ten minutes at a time – you can’t forget to switch it off again. When Apple implemented this change, I remember that they were criticised because people said they were doing what China wanted by cracking down on P2P communication. Now it’s the opposite situation but the same criticism.
That's what I thought too since the AirDrop protocol, as mentioned in the article, doesn't even share any of that hashed info unless a user opens the share sheet to initiate an AirDrop transfer.
To me, that means that if I was going to attack someone using this exploit, I would need to sit there all day until someone used AirDrop to send something and then I'd need to make sure to have my attack planned out in advance so that I could then use that information to do something useful.
The chances of that actually happening to some detriment are so small, in my eyes.
I got AirDrop spammed at the airport just recently, after accidentally leaving it enabled for Everyone. I can only imagine what the video contained if I'd clicked on it...
reply