<“Security Researcher reads your text”>
I HAVE DISCOVERED A NEW UNPATCHED VULNERABILITY! If there are ANY bluetooth devices around you AT ALL, and you go through the steps to connect your phone to those devices, THEY WILL THEN, POTENTIALLY, HAVE ACCESS TO POTENTIALLY YOUR ENTIRE ADDRESS BOOK! I tried this in a new Kia K5, and the ENTIRE CONTENT OF MY CONTACTS ENDED UP ON THE CAR!

Shows how much Apple cares about security…

My car gives me the option to import contact or not, it’s a personal choice and you can assign a code to link it with your car, plus if you felt trigger happy you can delete that phone profile.
 
My car gives me the option to import contact or not, it’s a personal choice and you can assign a code to link it with your car, plus if you felt trigger happy you can delete that phone profile.
Consider how several of the recent macOS and iOS vulnerabilities have started with “Once you authenticate to the device…” To a security researcher looking for a headline, they could have “Vulnerability Affects all Devices with CarPlay: Once Authenticated, Personal Sensitive Data Can Be Shared.” (Personal and Sensitive in this case being Name and Telephone Numbers.) I actually think all security articles should start with a likelihood level, but then folks wouldn’t click on the clickbait :)
 
AirDrop or a similar technology should be implemented as a standard between all electronic devices. AirDrop is great tech but not appreciated enough.
Bluetooth has a standard way of transferring files but Apple refuses to implement it. They won't share AirDrop with anyone, either.
 
I’m sure now that they made this public, Apple will move with more urgency. Apple is usually better at fixing security flaws, I’m disappointed.
I'm disappointed that in 2021 Apple still has not implemented E2E encryption for Calendar, Contacts, Reminders and most of the rest of iCloud services. It's 2021 for crying out loud.
 
This vulnerability is not that serious in a couple of ways:

1. It only works locally - you have to be in the same room in order to do the attack. In addition, it seems a bit unclear but only the attacker needs to have the share sheet open right? I also believe the victim would have to have their phone unlocked.
2. It only reveals your phone number and email. It is hard to use these for anything if the victim has secured all their accounts with 2FA.
3. The information is still hashed and real professionals are the only ones that can do these sorts of sophisticated brute force attacks.

Despite the above caveats, Apple should take steps to render the brute force attacks on the hash impossible.
 
I’m not too concerned. I’m a software developer and there are hundreds of security issues like this in software, and if Apple has taken this long then it seems to me the fix is not that easy to do. Makes me wonder what condition the code is in for them to take so long, unlike Apple.
 
Why are so many downplaying this? Why give Apple a free pass if they’ve known for so long?

This is annoying and I’ll have to disable AirDrop until they’ve fixed this (at least when I’m out and about)
 
Why are so many downplaying this? Why give Apple a free pass if they’ve known for so long?

This is annoying and I’ll have to disable AirDrop until they’ve fixed this (at least when I’m out and about)
Because, it’s the appropriate response. The MOST they could obtain is your name and telephone and that can be obtained in FAR easier and FAR more reliable ways.

If this was an exploit that allowed full access to your phone? Drag ‘em through the mud. If this allowed access to your entire contacts list, drag ‘em through the mud. And that’s not just Apple, if ANY vendor has a vulnerability that has enough of a barrier to implementation such that 99.9999% of their customers don’t have to be worried about it, then they’d be better off working on resolving the types of vulnerabilities that actually put the majority of their users at risk. Development resources aren’t infinite.
 
Because, it’s the appropriate response. The MOST they could obtain is your name and telephone and that can be obtained in FAR easier and FAR more reliable ways.

If this was an exploit that allowed full access to your phone? Drag ‘em through the mud. If this allowed access to your entire contacts list, drag ‘em through the mud. And that’s not just Apple, if ANY vendor has a vulnerability that has enough of a barrier to implementation such that 99.9999% of their customers don’t have to be worried about it, then they’d be better off working on resolving the types of vulnerabilities that actually put the majority of their users at risk. Development resources aren’t infinite.

Exactly. This will probably trickle up in the media, many of which will use clickbait headlines and no context until it gets blown completely out of context.

Should it be fixed? Probably, but there’s not much here to actually be worried about.
 
From a story on Ars Technica that goes into some of the use cases….
“Say, you plant such a bug in a conference room or an event where politicians, celebrities, or other "VIPs" come together (e.g., Oscar Awards). As soon as one of them opens the sharing pane on an Apple device, you can get hold of at least their private mobile phone number.”
Given any room of VIPs, anyone here can get the mobile phone number of anyone there, primarily BECAUSE they’re VIPs. I mean, they can’t even enter the room anonymously, so I’VE GOT THEIR NAME JUST BY ENTERING THE ROOM! Now, if there was only a vast trove of prior exploits that may, potentially, have obtained the cellular numbers of VIPs…………………….

“Say you have been in email contact with a celebrity to cover a story. In case the celebrity has therefore stored your email address, you can easily get hold of their private mobile phone number when being in proximity (e.g., during an interview). In this case, the celebrity [does] not even have to open the sharing pane or otherwise touch their device!”
WOooh, now THIS is scary… A celebrity you’ve been in contact with that has shared with you their email address… YOU COULD GET THEIR PHONE NUMBER??? THAT’S SO WILD! Oh, you mean other than just asking them for it. Oh, ok, I guess that’s… but… kinda weird they’d trust you with their email address but not phone number??

When given an opportunity to come up with some reasonable use cases, THIS is what they come up with? Kinda sounds like security researchers are folks that don’t understand how folks that AREN’T security researchers communicate. :)
 
They should consider disabling AirDrop until they fix the security flaw, like they did with the Apple Watch walkie app.
 
My eyes glazed over when I got to the part describing brute forcing hashed info. As if anyone with a laptop nearby will have long enough to even begin cracking a hash.

I know, right? It feels like a few folks tried to propose an alternative solution to Apple, they got ignored, and then they convinced a reporter at Ars to print their spin 100% without even asking for a third opinion.
 
Because, it’s the appropriate response. The MOST they could obtain is your name and telephone and that can be obtained in FAR easier and FAR more reliable ways.
Like MAC addresses with Wi-Fi, it can be used to track the movements of a person. But unlike a MAC, you can more easily associate this with an actual person.
 
Like MAC addresses with Wi-Fi, it can be used to track the movements of a person. But unlike a MAC, you can more easily associate this with an actual person.
Yeah, you’d have to count on that person opening the share sheet EVERYWHERE they go. And, like, if you’ve got folks close enough to them to get the information and then wait to process ALLLL the hashes, why not just… give them a picture of the person?
 
Yeah, you’d have to count on that person opening the share sheet EVERYWHERE they go.
Or have AirDrop set to either "Everyone" or "Contacts only", the latter of which is the default setting - in which case the user doesn't need to open the share sheet.

If AirDrop receiving is set to off, then and only then does the user need to open the share sheet.
 
Or have AirDrop set to either "Everyone" or "Contacts only", the latter of which is the default setting - in which case the user doesn't need to open the share sheet.
Only if you already have their email address. So, you’ve got their email address and have folks stationed in strategic locations in order to track them… your best bet would REALLLY be just to have those folks kinda LOOK UP from their laptop and use their eyes to let you know they’ve seen them :)

Any actor wanting to effectively track someone would never use this method because there are so very many better ways to do the same. To security researchers, EVERYTHING is a vulnerability. In the real world, all exploits flow to the path of least resistance/easiest implementation. This vulnerability is an interesting academic edge case, that’s pretty much it.
 
Me neither but I wonder why, it's certainly possible to send data over Bluetooth.

I am only guessing that the internet is so fast now it's actually faster to send your contact an image over the internet than to set up a Bluetooth connection between the two of you. This doesn't work for your own devices like phone <-> computer, computer <-> PlayStation, which AirDrop does, at least on Apple devices.
 
This vulnerability is not that serious in a couple of ways:

1. It only works locally - you have to be in the same room in order to do the attack. In addition, it seems a bit unclear but only the attacker needs to have the share sheet open right? I also believe the victim would have to have their phone unlocked.
2. It only reveals your phone number and email. It is hard to use these for anything if the victim has secured all their accounts with 2FA.
3. The information is still hashed and real professionals are the only ones that can do these sorts of sophisticated brute force attacks.

Despite the above caveats, Apple should take steps to render the brute force attacks on the hash impossible.
Far from all accounts can be secured with 2FA. Also, most people consider their phone number and email address to be private, so this is a flawed argument. This could well be a GDPR violation.
 