AirDrop on iOS 14 (Source: Luke Filipowicz / iMore)

What you need to know

  • German researchers say they've found a significant flaw in Apple's AirDrop security.
  • They say a vulnerability could reveal user phone numbers and email addresses.
  • The group also says it told Apple about the issue two years ago.

A group of researchers from the Technical University of Darmstadt say they've found a massive flaw in Apple's AirDrop technology that could expose users' email addresses and phone numbers when using devices like the iPhone 12.

In a press release this week the group stated:

Apple users can share files with each other using AirDrop. But studies by TU researchers at the Department of Computer Science show that uninvited people can also tap into data. The research team developed a solution that could replace the flawed AirDrop. Apple has not yet closed the discovered privacy gap – the users of more than 1.5 billion Apple devices are still vulnerable.

The group says that investigations into Apple's mutual authentication mechanism, which AirDrop uses to determine whether another nearby iPhone is one of your contacts, unearthed a "severe privacy leak":

As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.

The group says it has already cooked up a more secure alternative, and that it told Apple about the problem in May 2019 to no avail, with Apple neither acknowledging the problem nor stating it was working on a fix. The group plans to present its findings in August at the USENIX Security Symposium.