Facepalm: China isn't exactly a standard-bearer for human rights and individual privacy, so being able to grab AirDrop users' contact information is worrisome. Apple was warned its service was vulnerable years ago, but did nothing about it.
In 2019, researchers at Germany's Technical University of Darmstadt discovered that Apple's AirDrop wireless sharing function had vulnerabilities that allowed an attacker to hack the phone numbers and email addresses of the AirDrop users using a Wi-Fi-capable device and being in close proximity to a target. Then it becomes just a matter of opening the sharing pane on an iOS or macOS device and grabbing that information. The researchers warned Apple of the vulnerability back then, but the company did nothing. Two years later the same group proposed a fix for the problem, but again Apple made no moves to fix the flaw.
Now the consequences of Apple's inaction have become clear, or at least public for the first time: Beijing judicial authorities recently announced police were able to track down people who used the service to send "inappropriate information" to passersby in the Beijing subway with the help of the Chinese tech firm Wangshendongjian Technology.
Some background about the way AirDrop works is useful in understanding what happened next. AirDrop is a proprietary Apple protocol that lets you share files directly but wirelessly with other Apple users that are nearby. AirDrop works even when both users are offline, using a combination of Bluetooth and peer-to-peer Wi-Fi for fast, simple, local wireless sharing.
Users open themselves to the vulnerability through AirDrop's "Contacts only" mode, where you tell AirDrop to only accept a message from users already in your own contact list. The Darmstadt researchers found that the two ends of an AirDrop connection that determines whether these two people consider each other a contact uses network packets that don't properly protect the privacy of the contact data.
And indeed Wangshendongjian Technology was able to circumvent the hash values related to the sender's device name, email address and mobile phone number by creating a rainbow table of mobile phone numbers and email accounts, which converted the cipher text into original text and locked the sender's mobile phone number and email account.
Which is exactly what the researchers from TU Darmstadt warned would happen: namely, that AirDrop's hashing fails to provide privacy-preserving contact discovery as hash values can be quickly reversed using simple techniques such as brute-force attacks.
The news that China has figured out how to hack AirDrop has reverberated across Capitol Hill and among humanitarian rights activists. Florida Senator Marco Rubio, the leading Republican on the Senate Intelligence Committee, called on Apple to "be held accountable for failing to safeguard its users against such blatant security breaches. "This breach is just another way for Beijing to target any Apple user it perceives to be an opponent." Benjamin Ismail, campaign and advocacy director of Greatfire.org, which monitors internet censorship in China, said it is "imperative that Apple is transparent about their response to these developments."
Apple, meanwhile, has not answered multiple media inquiries about the matter.