Researchers find flaw that leaks email addresses from Apple’s AirDrop

The tech we take for granted in our phones deserves closer examination.

AirDrop, the feature built into an estimated 1.5 billion Apple devices, allows Mac and iPhone users to seamlessly share files without the nuisance of USB sticks or finding another network connection.

But security researchers this week poked a big hole in that peace of mind by revealing two flaws in AirDrop’s protocol that could allow an attacker to obtain email addresses and phone numbers of nearby devices that are using AirDrop.

The concern is the snooping could enable other malicious activity, such as spearphishing of individual Apple users or the sale of bulk personal data to fraudsters.

At issue are the “hash values” that Apple uses to hide the contact details of AirDrop users from a third party. Researchers from Germany’s Technical University (TU) of Darmstadt who made the discovery said those values can be easily exposed using brute-force or other attacks. A hacker would need to be in close proximity to targets to successfully exploit the flaws.


The researchers said they first told Apple about one of the security issues nearly a year ago, but Apple still hasn’t indicated whether it plans to fix the bugs. An Apple spokesperson did not immediately respond to CyberScoop’s request for comment on Friday morning.

It’s only the latest demonstration of how technology built into mobile devices can be subverted for malicious purposes if closely examined.

AirDrop uses Bluetooth, the popular wireless technology that pairs headphone to mobile devices. Bluetooth has been the focus of some of the more revealing security research during the pandemic, as tech companies and health authorities have looked to use the technology to trace the coronavirus. A year ago, another TU Darmstadt researcher showed how a hacker could execute malicious code on a device running Bluetooth without forcing the user to click on anything.

While Apple may not have fixed the AirDrop issue, the TU Darmstadt researchers think they have. They’ve developed a feature called PrivateDrop that is built on cryptographic protocols they say don’t leave the contact details of users vulnerable to snooping.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts