A recent report discloses security problems with Apple’s AirDrop and password sharing technologies. Both networking features can leak phone numbers or other sensitive data to digital eavesdroppers.
Apple devices offer excellent security; however, no system is perfect. Once again, Apple devices suffer from a minor and difficult-to-exploit security vulnerability.
The latest security flaw centers around the AirDrop and password sharing features. As these networking features transmit data over Bluetooth, malicious users within range can access and decode this data. The data are not transmitted in clear text, but are hashed using SHA256, which is typically considered a reliable and secure hash.
It appears that it’s the way Apple uses SHA256 that compromises security. In some situations, Apple devices send partial hashes of an email address, Apple ID and phone number. Security firm Hexway was able to retrieve and decode this data well enough to reconstruct a phone number.
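Why a partial hash of a phone number hides so little, shown as an added example that is not taken from the Hexway report or from Apple's code: a phone number comes from a small, structured set, so every candidate in a block can be hashed and compared. The 3-byte prefix length, the function names and the fictional 555 sample number are assumptions made for the illustration.

```python
import hashlib
import math

# Assumption: only the first PREFIX_BYTES of the digest are sent.
# The article says "partial hashes" without giving a length.
PREFIX_BYTES = 3

# Constructed sample data: a fictional 555-01xx number and its block.
SAMPLE_BLOCK = "+1202555"
SAMPLE_NUMBER = "+12025550143"


def partial_hash(identifier: str, nbytes: int = PREFIX_BYTES) -> bytes:
    """Truncated SHA-256 of an identifier, with no salt and no key."""
    return hashlib.sha256(identifier.encode("utf-8")).digest()[:nbytes]


def input_space_bits(digits: int) -> float:
    """Entropy, in bits, of a number made of `digits` unknown decimal digits."""
    return digits * math.log2(10)


def matching_numbers(observed: bytes, block: str, digits: int) -> list:
    """Hash every number in one block and keep those matching the observed prefix."""
    matches = []
    for n in range(10 ** digits):
        candidate = f"{block}{n:0{digits}d}"
        if partial_hash(candidate, len(observed)) == observed:
            matches.append(candidate)
    return matches


if __name__ == "__main__":
    observed = partial_hash(SAMPLE_NUMBER)
    found = matching_numbers(observed, SAMPLE_BLOCK, 4)
    print(f"prefix sent: {observed.hex()} ({PREFIX_BYTES * 8} bits)")
    print(f"unknown digits carry only {input_space_bits(4):.1f} bits")
    print(f"numbers in the block that match: {found}")
```

The strength of SHA256 does not help here: the digest is deterministic and unkeyed, so the protection is bounded by how many inputs are possible, not by the hash function.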
Before you turn off Bluetooth for good, keep in mind that this security flaw is difficult to exploit. It would require a user to be in a public place with a malicious user who has the right equipment and know-how. At best, they can steal a telephone number or email address. If they get your Apple ID, they still don’t have your password. An Apple ID is just an email address.
Users would have to initiate AirDrop or password sharing in a public place with a properly equipped malicious user waiting to steal the data. The data are of little use. It’s highly unlikely that any black hat actor would take advantage of this flaw.
There’s no information as to when Apple will patch this security flaw. One can assume it will be fixed with upcoming iOS, macOS and even possibly tvOS updates. The important thing to remember is that this security flaw is not severe. It’s difficult to exploit and there’s not much of a payoff for hackers.