Researchers Discover AirDrop Security Flaw That Could Expose Personal Data to Strangers

by

AirDrop is a feature that allows Apple devices to securely and conveniently transfer files, photos, and more between each other wirelessly. Users can share items with their own devices, friends, family, or even strangers. The convenience and ease of use, however, may be undermined by a newly discovered security flaw.

airdrop logo
Researchers at TU Darmstadt have discovered that the process which AirDrop uses to find and verify someone is a contact on a receiver's phone can expose private information. AirDrop includes three modes; Receiving Off, Contacts Only, Everyone. The default setting is Contacts Only, which means only people within your address book can AirDrop photos, files, and more to your device.

The researchers discovered that the mutual authentication mechanism that confirms both the receiver and sender are on each other's address book could be used to expose private information. The researchers claim that a stranger can use the mechanism and its process within the range of an iOS or macOS device with the share panel open to obtain private information. As the researchers explain:

As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.

The discovered problems are rooted in Apple's use of hash functions for "obfuscating" the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.

To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user's phone number and email address with entries in the other user's address book.

According to the researchers, Apple was informed of the flaw in May of 2019, and despite several software updates since then, the flaw remains.

Tag: AirDrop

Popular Stories

iOS 26

6 New Things Your iPhone Can Do in iOS 26.1

Wednesday October 29, 2025 4:22 am PDT by
Apple is about to drop iOS 26.1, the first major point release since iOS 26 was rolled out in September, and there are at least six notable changes and improvements to look forward to. We've rounded them up below. Apple has already provided developers and public beta testers with the release candidate version of iOS 26.1, which means Apple will likely roll out the update to all compatible...
Read Full Article59 comments
ios 26 1 slide to stop

iOS 26.1 Brings Back 2007 Feature in New Way

Friday October 31, 2025 1:40 pm PDT by
The upcoming iOS 26.1 update includes a small but helpful change for iPhones, and it could prevent you from running late to something important. Specifically, when an alarm goes off in the Clock app, there is a new "slide to stop" control on the screen for turning off the alarm. On previous iOS 26 versions, there is simply a large "stop" button, which could be accidentally tapped. The new ...
Read Full Article43 comments
iOS 26

iOS 26.1 Coming Soon: New Features for Your iPhone and Release Date

Monday October 27, 2025 7:55 am PDT by
The upcoming iOS 26.1 update includes a handful of new features and changes for iPhones, including a toggle for changing the appearance of the Liquid Glass design, "slide to stop" for alarms in the Clock app, and more. Below, we outline key details about iOS 26.1. Release Date Given that Apple has yet to seed an iOS 26.1 Release Candidate, which is typically the final beta version, the...
Read Full Article
M5 MacBook Pro

Waiting for New Macs? Apple Just Shared Bad News

Friday October 31, 2025 7:32 am PDT by
Apple has just given a strong indication that it will not be releasing any additional new Macs for the remainder of the year. Apple's CFO Kevan Parekh dropped the hint during the company's earnings call on Thursday:On Mac, keep in mind, we expect to face a very difficult compare against the M4 MacBook Pro, Mac mini, and iMac launches in the year-ago quarter.Parekh essentially gave a heads up ...
Read Full Article82 comments
iPhone 17 Pro Cosmic Orange

8 Reasons to Wait for Next Year's iPhone 18 Pro

Thursday October 30, 2025 4:42 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max. One thing worth...
Read Full Article118 comments
maxresdefault

Apple TV 4K Could Still Launch Before 2025 Ends: All the Rumored Features

Monday October 27, 2025 4:51 pm PDT by
Apple is designing an updated version of the Apple TV 4K, and rumors suggest that it could come out sometime in the next couple of months. We're not expecting a major overhaul with design changes, but even a simple chip upgrade will bring major improvements to Apple's set-top box. Subscribe to the MacRumors YouTube channel for more videos. We've rounded up all the latest Apple TV rumors. ...
Read Full Article160 comments
ipad mini 7 feature blue

OLED iPad Mini: Release Date, Pricing, and What to Expect

Wednesday October 29, 2025 7:13 am PDT by
Rumors are stoking excitement for the next-generation iPad mini that Apple is reportedly close to launching. So what should we expect from the successor to the iPad mini 7 that Apple released over a year ago? Read on to find out. Processor and Performance Apple is working on a next-generation version of the iPad mini (codename J510/J511) that features the A19 Pro chip, according to...
Read Full Article66 comments
iOS 26

Apple Seeds iOS 26.1, iPadOS 26.1, and macOS Tahoe 26.1 Release Candidates

Tuesday October 28, 2025 1:07 pm PDT by
Apple today provided developers and public beta testers with the release candidate versions of upcoming iOS 26.1, iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, watchOS 26.1, and visionOS 26.1 updates for testing purposes. The RCs betas come a week after Apple released the fourth betas. The new betas can be downloaded from the Settings app on a compatible device by going to General > Software...
Read Full Article64 comments
Coffee Burgundy and Purple iPhone 18 Pro Mock 1

Leaker Outlines Potential New Colors for iPhone 18 Pro

Friday October 31, 2025 8:28 am PDT by
Apple's iPhone 18 Pro models could be available in new rich and warm color option, according to a known leaker. The Weibo user known as "Instant Digital" today suggested that next-year's iPhone 18 Pro models will be available in at least one of the following color options: Coffee, purple, and burgundy. The iPhone XR, iPhone 11, iPhone 12, iPhone 14, and iPhone 14 Pro were all available in ...
Read Full Article109 comments

Top Rated Comments

Apple_Robert Avatar
Apple_Robert
59 months ago
This is not good. If Apple was in fact informed specifically about this vulnerability in 2019, I take umbrage with Apple not having taken the proper steps to secure AirDrop.
Score: 12 Votes (Like | Disagree)
dannyyankou Avatar
dannyyankou
59 months ago

According to the researchers, Apple was informed of the flaw in May of 2019, and despite several software updates since then, the flaw remains. We've reached out to Apple for comment and will update this article if we hear back.
I’m sure now that they made this public, Apple will move with more urgency. Apple is usually better fixing security flaws, I’m disappointed.
Score: 9 Votes (Like | Disagree)
Unregistered 4U Avatar
Unregistered 4U
59 months ago

And that is the SIMPLE process. Why is this even news?
Because there’s really very little “security” news that’s even worth reporting, but the researchers still need attention and validation. But, their reports are of the sort that remind me my home has a security hole in that my chimney provides access to my house once you tear down the external facing wall. However, very few people are concerned by or will do anything about this vulnerability. My garage door? COMPLETELY vulnerable to a brute force attack by a tank. Why won’t garage door manufacturers DO anything about this?
Score: 8 Votes (Like | Disagree)
Unregistered 4U Avatar
Unregistered 4U
59 months ago

Yeah that doesn’t sound great. I wonder how many bad actors there actually are out there taking advantage of this loophole though?

Even though this obviously needs to be patched, does anyone seriously believe that any "bad actor" is going to go through this much work so he can sit in a Starbucks and steal someone's phone number? :)
No :) Folks need to remember that their life REALLY isn’t actually all that interesting, anyone interested IN their information is not going to waste time on an AirDrop brute force hack. If they are THAT close and REAAAAAALLLLY want your information, they can readily get access to it using one of the devices below.


Attachment Image
Score: 8 Votes (Like | Disagree)
13astion Avatar
13astion
59 months ago

This is not good. If Apple was in fact informed specifically about this vulnerability in 2019, I take umbrage with Apple not having taken the proper steps to secure Handoff.
It’s AirDrop, not Handoff. The latter is used by ONE user to transfer control or data between multiple devices that are already in their control (and logged into).

AirDrop allows TWO different users logged into TWO devices under their own control to share data. Hence the need for authentication.

And the attack vector is super specific... a black hat *physically nearby* has to try to grab your data while you initiate the AirDrops (and I would guess most AirDrops are small things: a contact card, a photo, a doc... all which take seconds to transfer), and THEN brute force the hashes... for what? A bit of stolen PII?

Yes, it’s *possible* for someone to do this... but *probable*? Naahh. Which is why Apple hasn’t prioritized it. In risk management you have to prioritize the risks by probability and impact... this one is pretty low on both counts.
Score: 7 Votes (Like | Disagree)
ikramerica Avatar
ikramerica
59 months ago

Namely, their email address and telephone number. Not their bank account data, not their social security number. Notice how they obfuscate “PRIVATE DATA OOOH SCARY” from what’s actually shared.

There is a VERY VERY good chance that your “private data” in this case is already on a list some ne’er do well purchased last month… and they didn’t even have to be within AirDrop range to get it! Next they’ll be reporting that
“Folks can gain access to your email address by ASKING you for it. If you fall for the exploit and provide them with your email address THEY WILL HAVE IT!! We reached out to Apple asking if they plan to stop providing email addresses so that people aren’t able to leak them and they looked at us funny and shooed us away.”
I am pretty sure you can get all that juicy data by putting a name in a google search. Plus home address, previous addresses, criminal record, etc.

I do think the odds of someone brute forcing an airdrop in close
proximity to you in order to discover your phone number and email is pretty remote. One assumes that if they are going to all that effort to target you, they already know your name.

One question for the researchers: does this mean turning on “everyone” is more secure as no matching is attempted?
Score: 7 Votes (Like | Disagree)
Read All Comments