Apple makes it easy for people to find lost iPhones, share Wi-Fi passwords and use AirDrop to send files to other devices nearby. A recently published report demonstrates how snoops can leverage these features to collect a wealth of potentially sensitive data that in some cases includes phone numbers.
Just having Bluetooth turned on broadcasts a variety of device details, including the device's name, whether it is in use, whether Wi-Fi is turned on, the OS version it is running, and battery information. Using AirDrop or Wi-Fi password sharing broadcasts a partial cryptographic hash that can be easily converted to an iPhone's complete phone number.
The information disclosed may not be a big issue in many settings, such as workplaces where everyone knows everyone anyway. The exposure can be scary in public places, such as a subway, a bar or a department store, where anyone with a bit of affordable hardware and some knowledge can gather the details of all Apple devices that have been turned on. The data can also be a boon to companies tracking customers as they move through retail outlets.
As mentioned above, when someone uses AirDrop to share a file or image, their device sends a partial SHA256 hash of their phone number. When Wi-Fi password sharing is in use, the device sends partial SHA256 hashes of the phone number, the user's email address and the user's Apple ID. While only the first three bytes of each hash are sent, researchers with security firm Hexway (who published the research) say that these bytes provide enough information to recover the full phone number.
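As an added illustration (not code from the article or from Hexway's report), the sketch below measures how many candidates share a truncated SHA-256 prefix across a constructed number range, which shows why a three-byte prefix hides so little when the underlying identifier has low entropy. The `+1555…` numbers and the string encoding fed to the hash are assumptions made for the example.

```python
import hashlib
from collections import Counter


def prefix(identifier: str, nbytes: int) -> bytes:
    """First nbytes of SHA-256 over the identifier.

    The UTF-8 string encoding is an assumption; the article does not
    say how the number is serialised before hashing.
    """
    return hashlib.sha256(identifier.encode("utf-8")).digest()[:nbytes]


def anonymity_report(identifiers, nbytes):
    """Bucket identifiers by truncated hash and summarise how well they hide."""
    buckets = Counter(prefix(i, nbytes) for i in identifiers)
    total = sum(buckets.values())
    # Identifiers that are alone in their bucket are fully exposed by the prefix.
    unique = sum(1 for count in buckets.values() if count == 1)
    return {
        "prefix_bytes": nbytes,
        "identifiers": total,
        "fraction_unique": unique / total,
        "smallest_set": min(buckets.values()),
        "mean_set": total / len(buckets),
    }


def constructed_numbers(count=100_000):
    """Constructed sample space for the example, not real subscriber numbers."""
    return [f"+1555{n:07d}" for n in range(count)]


if __name__ == "__main__":
    numbers = constructed_numbers()
    for nbytes in (1, 2, 3):
        print(anonymity_report(numbers, nbytes))
```

With three bytes there are about 16.7 million possible prefixes, so in a 100,000-number space almost every number sits alone in its bucket; a one-byte prefix would leave each number hidden among several hundred others.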
Below is a video of an attack:
Hexway's report includes proof-of-concept software that demonstrates the information being broadcast. Errata Security CEO Rob Graham installed the proof-of-concept on a laptop equipped with a wireless packet sniffer dongle, and within a minute or two he captured details from more than a dozen iPhones and Apple Watches that were within radio range of the bar where he was working. The highlighted device in the middle of the picture below is his iPhone.
"It's not too bad, but it's still a bit scary that people can get status information and it's bad to get the phone number," he said. It is unlikely, he added, that Apple can prevent phone numbers and other information from leaking, since they are required, in some form anyway, for devices to connect seamlessly with other devices that a user relies on.
The MAC addresses shown in the image above are not the devices' actual addresses, but rather temporary MAC addresses that rotate regularly. However, unlike iPhone and Apple Watch addresses, Graham said, MAC addresses for Macs are not obscured in this way. By broadcasting only partial hashes of phone numbers, email addresses and Apple IDs, Apple is clearly making an effort to make data collection difficult. But the reality of rainbow tables, automated word or number lists and lightning-fast hardware means it's often trivial to crack these hashes.
"This is the classic trade-off that companies like Apple are trying to make when balancing usability vs. privacy/security," independent privacy and security researcher Ashkan Soltani told Ars. "In general, automated discovery protocols often require the exchange of personal information to make them work and, as such, reveal things that can be considered sensitive. Most security and privacy people that I know disable auto-discovery protocols like AirDrop, etc. just out of principle."