Failing to act: Apple's AirDrop leaves activists vulnerable

In 2019, researchers at TU Darmstadt discovered a security vulnerability in Apple's offline file sharing system AirDrop. In 2021, the teams of computer science professors Matthias Hollick and Thomas Schneider jointly published a privacy-friendly protocol (“PrivateDrop”) to fix the problem, but Apple failed to act. Now, a Chinese judicial authority has declared that it has spied on AirDrop users.

AirDrop is a proprietary feature of Apple devices that allows users to share files wirelessly and offline with nearby iPhones, iPads or MacBooks. Once the data transfer is complete, there should be no way to determine where the data came from. The function therefore became attractive for political activists in China to share content critical of the government. However, this is risky due to critical privacy vulnerabilities in AirDrop.

With AirDrop, Apple stores so-called hashes in the system of the devices used to recognise whether the person with whom data should be exchanged is a known contact. However, security experts are well aware that cryptographic hash functions are not sufficient to protect personal data such as phone numbers or e-mail addresses, because today's computing power allows many possible solutions to be tried out quickly.

According to recent news reports, Chinese authorities are said to have identified the telephone numbers and email addresses of individuals who sent information critical of the government which was distributed via AirDrop. Protocols on the recipients' devices were analysed and techniques were used to decrypt cryptographic procedures that are supposed to protect the senders' contact details.

Disclosed but never closed

For the research teams of Prof. Matthias Hollick and CROSSING-PI Prof. Thomas Schneider from the Department of Computer Science at TU Darmstadt, the exploitation of the vulnerability comes as no surprise: the Secure Mobile Networking Lab (SEEMOO) had already found serious security vulnerabilities in the AirDrop protocol in 2019 and reported them to Apple before publication at USENIX Security 2019 so that the company could have taken countermeasures (“Responsible Disclosure”). Together with researchers from the Cryptography and Privacy Engineering Group (ENCRYPTO), they presented a demonstrator at WiSec 2021 how to practically exploit the vulnerability. Both teams published at USENIX Security 2021 a privacy-preserving solution called PrivateDrop.

PrivateDrop uses an alternative, provably secure cryptographic protocol to determine whether two users know each other. In this way, log messages, even if they are intercepted or stored in a device log, become unusable for forensics. The new procedure allows contact data to be exchanged via AirDrop without the user having to reveal anything about themselves or their contact details. The researchers demonstrated that their method can be implemented without any noticeable delay in performance.

In an exchange with Apple, it was announced to the researchers that the vulnerability would be closed with the introduction of their mobile operating system iOS 16 in 2022. A plan that has not yet been realised. The researchers now hope that Apple will take the reports as an opportunity to address the problem.