There have been quiet concerns about the security of Apple’s AirDrop sharing feature for several years now. Those concerns are now at the forefront of discussion as the Justice Bureau of Beijing has claimed it has the capacity to unmask the email addresses and phone numbers of senders.
Officials in the city claimed to have identified several senders of “inappropriate information” that used the “Everyone” feature to share with all nearby device users on the Beijing subway system. The agency did not specify exactly what the nature of this information was, but AirDrop sharing has been in the crosshairs of the Chinese government for some years now after its use in the Hong Kong protests and more recent protests against President Xi.
AirDrop sharing secured by shaky encryption?
There have been rumblings about AirDrop sharing being relatively easy to attack since at least 2019, when Apple apparently received (and disregarded) an internal warning about the issue. The fears were confirmed in 2021 when German researchers published a theoretical attack that allows for brute force cracking of the hashes that protect user anonymity when sharing. When a recipient agrees to download a shared file, they receive the sender’s phone number and email address in encrypted form and these hashes remain on the device.
This means that AirDrop sharing does not have to be cracked in real time, though the development of “rainbow tables” that potentially simplify the process down to milliseconds does make that possible. But the police could also seize a phone, or capture the transaction in progress, and have time to crack the hashes at their leisure. So could anyone else, for that matter.
Chinese government has repeatedly targeted AirDrop sharing
AirDrop sharing has been misused around the globe in a variety of ways: as a means of distributing malware, to pass unwanted sexual images in public places, or to spam advertising. All of these things are possible because the feature does not have any sort of file scanning for security purposes.
It also does not require an internet connection to function, sending files directly between devices via Bluetooth. That has made it attractive to dissidents in the country looking to communicate securely during protests, and has consequently drawn the attention of the government. In late 2022, after the government applied some public pressure, Apple announced that the AirDrop sharing feature that allows for communicating with everyone in the device vicinity would only function for 10 minutes before having to be manually reset by the user. Apple rolled that change out globally with the later iOS 16.2 update.
But at this point, all of the talk about AirDrop sharing being compromised is still theoretical. The government’s claims are believable based on existing research from independent security professionals in other countries, but Beijing authorities have yet to actually make arrests on the basis of this captured information.
Apple has no comment on the issue thus far.