AirDrop has 'severe' privacy leak that exposes iPhone data — how to protect yourself

Apple loves to boast about its commitment to user privacy and security, but there's a pink elephant in the room: AirDrop. Researchers from Technische Universität Darmstadt discovered a vulnerability in the file-sharing feature that exposes your phone number and e-mail address to strangers.

Hackers only need two elements to tap into your personal data via AirDrop: Wi-Fi connectivity and proximity to your device.

How AirDrop exposes your personal data

Apple's AirDrop is a quick and convenient way to share files with other nearby Apple users. As long as you're on iOS, iPadOS or macOS, you can wirelessly send photos, videos, music, documents and more. According to TU Darmstadt investigators, by default, AirDrop only shows receiver devices from address book contacts by using a "mutual authentication mechanism" that cross-references users' phone number and email address entries.

Investigators, however, discovered a flaw in Apple's hash functions, which are supposed to conceal and obscure personal data exchanged during the AirDrop discovery process. "Hashing fails to provide privacy-preserving discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks," the TU Darmstadt report said.
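To see why hashing alone cannot hide a phone number, here is an added illustration (not code from the TU Darmstadt report or from Apple). It assumes an unsalted SHA-256 hash of the number and uses a constructed number from the fictional 555-01xx range; the function names are hypothetical.

```python
import hashlib
import math


def contact_hash(identifier: str) -> str:
    """Unsalted SHA-256 of a contact identifier (assumed construction)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def search_space_bits(free_digits: int) -> float:
    """Entropy, in bits, of a number with `free_digits` unknown decimal digits."""
    return free_digits * math.log2(10)


def recover_number(target_hash: str, prefix: str, free_digits: int):
    """Enumerate every number with the given prefix and compare hashes.

    Returns the matching number, or None if it is not in the enumerated range.
    """
    for n in range(10 ** free_digits):
        candidate = f"{prefix}{n:0{free_digits}d}"
        if contact_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a fictional US number (555-01xx is reserved for fiction).
    sample = "+12025550143"
    observed = contact_hash(sample)

    # The digest is 256 bits long, but the input it protects is tiny.
    print(f"digest: {observed[:16]}... (256-bit output)")
    print(f"10 unknown digits carry only {search_space_bits(10):.1f} bits")

    # Kept to 4 unknown digits (10,000 candidates) so the demo runs instantly.
    print("recovered:", recover_number(observed, "+1202555", 4))
```

The digest length is irrelevant here: the protection is bounded by the entropy of the input, and a phone number has very little.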

Researchers suggest alternative to AirDrop: PrivateDrop

TU Darmstadt researchers concluded that AirDrop has a "severe privacy leak," but this doesn't mean Apple should eradicate AirDrop completely. Instead, the investigators propose an alternative called "PrivateDrop," which runs on "optimized, cryptographic private set intersection protocols" that plug all the security vulnerabilities that currently plague AirDrop.

PrivateDrop ensures that personal data isn't exchanged with vulnerable hash values. There is a slight delay with PrivateDrop for authentication and tightened security, but the lag is less than a second.

TU Darmstadt researchers informed Apple about AirDrop's privacy vulnerability in May 2019, but they received radio silence from the Cupertino-based tech giant. "Apple has neither acknowledged the problem nor indicated that they are working on a solution," the report said.

How to turn off AirDrop discovery

The AirDrop privacy leak affects 1.5 billion Apple devices. For now, the best way to keep malicious actors at bay is to disable AirDrop discovery. Here's how to do it:

  1. Open the Control Center by swiping up.
  2. Long press the top-left group of icons.
  3. Tap on "AirDrop."
  4. Tap "Receiving Off."

This will ensure that your device is undiscoverable to hackers seeking to exploit AirDrop's vulnerabilities.

Kimberly Gedeon
