[HN Gopher] Apple AirDrop shares more than files
___________________________________________________________________
Apple AirDrop shares more than files
Author : bala529
Score : 233 points
Date : 2021-04-21 13:51 UTC (9 hours ago)
(HTM) web link (www.informatik.tu-darmstadt.de)
(TXT) w3m dump (www.informatik.tu-darmstadt.de)
| bionade24 wrote:
| Seems like Apple completely ignored that inside a country the
| first three digits are guessable and the hashed string has a
| defined length, which makes hash cracking a lot easier.
| [deleted]
| KingOfCoders wrote:
| Whenever Apple has a security problem, half of the comments on HN
| want to discuss it away - why on earth would you like to be less
| secure?
| crazygringo wrote:
| Not all vulnerabilities are equal, and engineering resources
| are finite.
|
| Isn't analyzing severity one of the most interesting, and
| critical, parts of discussing a potential vulnerability?
| random5634 wrote:
| This only is a risk when you open the share pane close to your
| attacker.
|
| Your email and phone number may be less secret than these folks
| claim.
|
| But aside from this overhype, interesting work.
| guipsp wrote:
| I, as a user, don't expect my phone number and email to be
| shared automatically when I open the share pane.
| random5634 wrote:
| Not that many users expect to sit next to an attacker running
| this system AND be sharing something.
|
| No question it should be fixed - but compared to the RCEs Apple
| has had (which do get fixed quickly) this is relatively lower
| risk.
| dylan604 wrote:
| Is that necessary though? There are plenty of stories of
| people setting their AirDrop policies to 'Everyone' instead
| of 'Contacts Only' or 'None' where people are receiving
| unsolicited files (usually NSFW images). From my memory,
| they did not need to have their sharing pane open for this
| to happen to them.
| kevincox wrote:
| Why not? I meet my friends for lunch and want to send them
| some photos while sitting in the restaurant?
|
| This seems like a very plausible scenario and most users
| would not expect and would not want everyone in the
| restaurant to be able to see their email and phone number.
| coder543 wrote:
| The implausible part is not having lunch with friends,
| although the pandemic has made that feel less plausible
| than it used to be... but rather, having an attacker
| actively running an attack within 10s of feet of your
| table at the restaurant. What is your threat model that
| makes this plausible?! You must be _super important_ to
| have attackers following you to lunch. Or maybe you like
| to eat at restaurants that do their best to harvest all
| visitor data, even going so far as to use cutting edge
| vulnerabilities?
|
| The person you replied to literally said this should be
| fixed. I agree with them that this is nowhere near as
| serious as issues Apple has had before, since the attack
| requires physical proximity _and_ the use of the share
| pane. Even then, it doesn't give the attacker RCE
| privileges or anything similarly world shaking.
|
| Should Apple fix it? Again, absolutely. No one has said
| otherwise.
|
| Nothing is 100% secure, so the relative risk posed by
| vulnerabilities can only really be assessed with a threat
| model. In most threat models, this is nowhere near as bad
| as their "GOTO Fail" bug or any number of others over the
| years.
|
| I think celebrities and VIPs are essentially the only
| ones whose threat models would actually be impacted by
| this vulnerability in a plausible way.
| acdha wrote:
| > You must be super important to have attackers following
| you to lunch. Or maybe you eat at restaurants that do
| their best to harvest all visitor data, even going so far
| as to use cutting edge vulnerabilities?
|
| ... and do not use all of the other options for getting
| data from people in close proximity such as cameras or
| microcell sites. If your threat model goes far enough
| that this matters you should be more worried about all of
| the other options. I would be more worried about a
| Bluetooth, WiFi, or cellular exploit given the history.
|
| (No, this is not saying that Apple shouldn't improve this
| - only that it doesn't seem like a huge change in the
| amount of risk you're exposed to)
| random5634 wrote:
| Or just grab the phone out of your hand - most people
| take their phones out of their pocket all the time even
| on the street. I used to ride a bus and they would grab
| phones and jump off just as the bus would leave a stop. You
| can actually often get a ton more data this way if you
| have physical custody of the device - no AirDrop
| impersonation needed.
| acdha wrote:
| I was trying to exclude obvious attacks, but you're
| certainly right for the average person. I'd worry more
| about, say, shoulder surfing a credit card or ID card
| more than this.
| clairity wrote:
| The threat model is that many someones knowingly or
| unknowingly have a stinger-like phone/device constantly
| collecting these hashes and cracking them. I know of at
| least one device in my building that was (likely
| unknowingly) attempting bluetooth-based hacking in a
| similar manner.
| random5634 wrote:
| Yeah - no question this should be fixed and it is a bit
| annoying that it hasn't been.
| random5634 wrote:
| The remote RCE issues Apple has had are critical
| vulnerabilities. Saudi Arabia doesn't like you, they
| exploit remotely (maybe not even knowing who you are at
| all yet) to get your data / your contact lists and social
| graph etc - and you could be impacted or others could be
| impacted as a result in a major way.
|
| This exploit requires that they already know who you are
| and where you live and where you go get coffee. They have
| to send a physical attacker to stalk your coffee shop.
| They have to have this equipment to run the impersonation
| exercise - and then wait until you are picking up coffee
| and airdropping something.
|
| And after all this they get your email and phone number?
| So they know all these details about you but can't be
| bothered to use true people search or ANY of the data
| brokers or any of the giant data leaks to look this up?
|
| Apple is selling a CONSUMER device. If your threat model
| is this elaborate, stick your phone in a faraday cage and
| leave it at home, someone could just grab it out of your
| hand at the coffee shop and be likely to get a lot more
| data.
|
| So yes, it's a risk - but on the scale of risks including
| just being straight mugged and your phone stolen, it
| seems somewhat lower?
| bluefirebrand wrote:
| What like in a coffee shop or some other public place? Wild.
| danaris wrote:
| TL;DR: If you're using an Apple device with AirDrop, and have the
| share sheet open for something that would be shareable with
| AirDrop, a malicious device within ~30ft of you could start
| attempting to brute-force the hashes of contacts your device
| exposes to determine whether the other device is a contact.
|
| (The contact exposure is in support of a setting for AirDrop to
| work with Everyone, Contacts Only, or No one.)
|
| While it's certainly a bit concerning, it's pretty unlikely to be
| a practical attack, particularly since all it does is get you the
| user's contact list. It doesn't sound like there's any way of
| using it to exfiltrate other information, and though the article
| doesn't touch on this (that I saw) I'd be surprised if the attack
| was fast enough to just gulp down all your contacts in the couple
| of seconds most people have their share sheets open.
| grupthink wrote:
| > I'd be surprised if the attack was fast enough to just gulp
| down all your contacts in the couple of seconds most people
| have their share sheets open.
|
| No, with the share sheet open, the attacker can simply record
| the hashes of phone numbers that are being broadcasted. And
| then crack the hashes off-line at any time, which is easy since
| there are at max 999-999-9999 hashes.
| zimpenfish wrote:
| > since there are at max 999-999-9999 hashes
|
| Assuming that's meant to represent 10 digits, it's not
| sufficient. My phone number is one longer than that (11
| digits). If you drop the 0 prefix and use +44 instead,
| that'll be 12 digits (or 13 if you include the + but you
| could specify that as always present.)
|
| (A minor nit since it only increases the search space 10x or
| 100x which probably doesn't make a huge impact?)
| grupthink wrote:
| Yes you're right. Thanks for the correction.
| djrogers wrote:
| > since all it does is get you the user's contact list.
|
| It's not even that - all it gets is the phone number associated
| with your personal contact card.
| kuu wrote:
| TL/DR: "As an attacker, it is possible to learn
| the phone numbers and email addresses of AirDrop users - even as
| a complete stranger. All they require is a Wi-Fi-capable device
| and physical proximity to a target that initiates the discovery
| process by opening the sharing pane on an iOS or macOS device."
| auslegung wrote:
| What do you think about editing the title to indicate AirDrop has
| security issues? When I clicked I thought it was going to be
| about what all I can share using airdrop lol
| throw14082020 wrote:
| I would prefer to just link to https://privatedrop.github.io/
|
| It lists 2 vulnerabilities: Sender Leakage and Receiver
| Leakage. The files are not at risk, it's your phone number and
| Apple ID.
|
| Or alternatively, maybe rename to: Apple AirDrop reveals mobile
| number and email
| kbenson wrote:
| Looking at the article I would say the actual title presented
| is "Apple AirDrop shares more than files: TU-Researchers
| discover significant privacy leak in Apple's file-sharing
| service", but that's a bit long for a HN title. I'm not sure
| what the policy is on using the subtitle (TU-Researchers
| discover significant privacy leak in Apple's file-sharing
| service) if it's more descriptive, but I think it would make
| sense in this case.
| iudqnolq wrote:
| The rule is to use some substring present on the page. So
| long as you don't make up something that editorializes
| picking a different title is encouraged.
| the_other wrote:
| I guessed it could go either way. I only clicked through to
| find out if it was less dry than a security issue!
| heavymark wrote:
| Interesting. I just read the title and assumed it was talking
| about security issues. Since we all know AirDrop can share
| files (what it was intended for), presumed this meant it's also
| sharing some data/privacy issues unbeknownst to us.
| Gaelan wrote:
| It can also share, at minimum, URLs.
| Koliakis wrote:
| I felt the title was too ambiguous. The only reason why I
| assumed it was about security is because I looked at the
| source URL.
| saurik wrote:
| I even work in the field of security most of the time, and
| while I suspected it _might_ have something to do with
| security, I assumed that even then it was going to be someone
| who simply was annoyed you could send an executable or a PDF
| with an exploit over AirDrop, as opposed to metadata ;P.
| xeromal wrote:
| I definitely thought the same thing! haha
| okdana wrote:
| AirDrop also shares your full name (seemingly the one associated
| with your Apple ID, _not_ what you have set for yourself in your
| contacts), both by displaying it in the sharing interface on the
| involved devices and by attaching it as an extended attribute to
| uploaded files.
|
| The latter is more serious imo, because those attributes live on
| your file system basically for ever, and they're preserved when
| transferring to another compatible file system or even when
| archived in a zip file. The meta-data can ride along with the
| files to completely unrelated systems even years after the fact.
| So if you AirDrop some files to your computer and then zip them
| up, anyone you send that zip to (a journalist, a public file-
| hosting site, w/e) will have your full legal name to go with
| them.
|
| Even sharing your name through the interface seems questionable
| -- the fact that you and another person have each other's phone
| numbers is not necessarily an indication that you want to share
| your real names with each other. (Though I guess someone could
| usually find it out anyway if they already had your phone
| number.)
|
| I reported this to Apple, but I don't think they care. Seems like
| it's by design.
| leifg wrote:
| Apple hasn't responded to responsible disclosure for 2 years?
| ProAm wrote:
| They do not earn 30% on security issues.
| jqpabc123 wrote:
| Exactly! And for the same reason, they don't spend much time
| scanning apps in their app store either.
|
| https://www.forbes.com/sites/kateoflahertyuk/2019/01/07/thes...
| zepto wrote:
| Do you think they think that bad publicity is good for
| their reputation?
| jqpabc123 wrote:
| Repeated incidents of malware don't seem to have hurt
| them much yet so until it does, don't expect them to look
| too closely at apps in their store.
|
| https://techcrunch.com/2020/08/31/apple-notarized-mac-malwar...
| zepto wrote:
| What makes you think it hasn't hurt them?
|
| Pretty much every post on HN is filled with comments like
| this. Clearly their reputation amongst developers has
| suffered.
| jqpabc123 wrote:
| It obviously hasn't hurt enough for them to do better at
| scanning.
| kristofferR wrote:
| It's not really responsible disclosure if the security flaw
| isn't made public within at maximum 90 days.
| ergl wrote:
| The issue with phone number hashes has been known for a while.
| See for example this post by Project Zero[0] where they leverage
| the issue (search for "Enabling AWDL") to remotely activate
| airdrop.
|
| [0]: https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-c...
| johnklos wrote:
| Details are nice. Sure, I'll take your statement that AirDrop
| hashes aren't as robust as they should be at face value, but I'm
| going to need you to provide more information. Of course, the
| PDFs have this, but the article would do well to better
| summarize.
|
| If a brute-force requires multiple 500 watt GPUs in order to
| brute force in real time, I'd like to know. This is vastly
| different than if it can be done on a laptop's GPU.
|
| If hashes can be cracked later offline with 100% certainty, I'd
| like to know, since a malicious device can just collect hashes
| simply by traveling around a city.
|
| But if the brute forced hashes need to be confirmed with the
| other AirDrop device in real time, else you don't know which of
| dozens, hundreds, or thousands of results you might get, then
| this is mostly a non-issue.
| mstute wrote:
| There is no need to brute force. We can build a rainbow table
| with valid phone numbers, which we can use to lookup a phone
| number hash in real time (about 50ms on a regular desktop
| machine). PoC available here: https://github.com/seemoo-lab/opendrop/blob/poc-phonenumber-...
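An added illustration of the point made in this comment and in zimpenfish's search-space nit above (my own example, not code from the thread or from the seemoo-lab PoC): a table over a constructed number space is built once and then reverses any hash in that space by lookup, and a 10-digit versus 12-digit space only changes the one-time cost by 100x. The plain-SHA-256-of-digits encoding is an assumed simplification, not the actual AirDrop format.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed example, not the thread's or the seemoo-lab PoC's code.
# Hypothetical simplification: the discovery message carries the plain
# SHA-256 of the phone number's digit string. The real AirDrop encoding
# is not modelled here; the point is the size of the input space.


def phone_hash(number: str) -> str:
    """SHA-256 hex digest of a canonical digit string (hypothetical model)."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def search_space(digits: int) -> int:
    """Number of candidate strings for a phone number of `digits` digits.

    This is the comparison made in the thread: a 10-digit US number gives
    10**10 candidates, a 12-digit +44 number only 100x more. Either way
    the work is a one-time precomputation; every later lookup is O(1).
    """
    return 10 ** digits


def build_lookup_table(prefix: str, suffix_digits: int) -> Dict[str, str]:
    """Precompute hash -> number for every number sharing a known prefix.

    A known country code and area code (the "guessable first digits"
    mentioned in the thread) shrink the space further. The table is built
    once and reused for every hash seen afterwards.
    """
    table: Dict[str, str] = {}
    for n in range(10 ** suffix_digits):
        number = f"{prefix}{n:0{suffix_digits}d}"
        table[phone_hash(number)] = number
    return table


def recover(table: Dict[str, str], observed: Iterable[str]) -> List[Optional[str]]:
    """Map each observed hash to a number, or None if it is not in the table."""
    return [table.get(h) for h in observed]


def keyed_hash(number: str, key: bytes) -> str:
    """HMAC-SHA256 of the number under a secret key.

    Shows what defeats a precomputed table: secret material the observer
    does not have. For contact discovery both parties must compute the
    same value, so a shared secret does not fit the use case; the protocol,
    not just the hash function, has to change.
    """
    return hmac.new(key, number.encode("ascii"), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Run the scenario on a constructed number space and return the results."""
    prefix, suffix_digits = "1555", 5  # constructed: CC 1 + fictitious area code
    table = build_lookup_table(prefix, suffix_digits)
    victim = "155501234"  # constructed number inside the table's range
    out_of_range = "44700000000"  # constructed number outside the range
    recovered = recover(table, [phone_hash(victim), phone_hash(out_of_range)])
    key = secrets.token_bytes(32)  # secret the observer does not hold
    keyed_recovered = recover(table, [keyed_hash(victim, key)])
    return {
        "table_size": len(table),
        "recovered": recovered,
        "keyed_recovered": keyed_recovered,
        "ratio_12_vs_10_digits": search_space(12) // search_space(10),
    }


if __name__ == "__main__":
    print(demo())
```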
| dannyw wrote:
| Can't believe Apple doesn't understand rainbow tables.
| eptcyka wrote:
| What's _multiple_? If it takes 20 high-end Teslas to crack this
| in real time, a desktop could feasibly brute force the hashes in
| hours, and a laptop could do so in a day. This is good enough
| for targeted attacks to be practical.
| kbenson wrote:
| > Sure, I'll take your statement that AirDrop hashes aren't as
| robust as they should be at face value, but I'm going to need
| you to provide more information. Of course, the PDFs have this,
| but the article would do well to better summarize.
|
| Does the article they published about that which they link to
| not provide enough details? In that news release they
| referenced, they say "However, the research team shows that
| with new and optimized attack strategies, the low entropy of
| phone numbers enables attackers to deduce corresponding phone
| numbers from cryptographic hashes within milliseconds."
|
| I'm not sure if I'm misunderstanding what you're asking, or if
| you just didn't notice that they provide the info you want
| fairly easily and succinctly already.
| crazygringo wrote:
| So this appears to require brute-forcing through every possible
| hash to see which ones match.
|
| How long would this take?
|
| I mean, is the person's iPhone going to respond to all 10 billion
| possible domestic US phone numbers in the, what, 3-10 seconds
| they have their share sheet open? Not to mention the far larger
| space of e-mail addresses, ultimately limited by whatever the
| hash length is?
|
| Unless the AirDrop protocol is permitting the validation of many
| millions of hashes per second (presumably requiring 100mbps+
| speed), this doesn't appear to be even remotely a viable attack
| method in practice, no?
| Someone wrote:
| I think the attack is:
|
| - mass record all these requests
|
| - offline, recover the phone numbers or email addresses
|
| = you know who was where, when.
| jmull wrote:
| That attack doesn't fit this vulnerability.
|
| The target has to open the sharing pane on their phone while
| the attacker is in proximity.
|
| That probably effectively stops "mass" attacks.
| Black101 wrote:
| Apple is less about privacy than they claim.
| anfilt wrote:
| 2019? WTF... Really. Well, hopefully this getting more public
| motivates some action.
| random5634 wrote:
| For most people this is not a big issue.
| Spivak wrote:
| Which is fair but someone motivated, say a vendor that sells
| those "track customers in your store with bluetooth/Wi-Fi"
| adds support for this. Sure it's relatively low signal but it
| also costs nothing.
| e2le wrote:
| Yep, it's been known about for a while.
|
| https://github.com/hexway/apple_bleee/tree/master/hash2phone
| bla3 wrote:
| > studies by TU researchers at the Department of Computer Science
| show that uninvited people can also tap into data.
|
| Cool. Security research is important.
|
| > The research team developed a solution that could replace the
| flawed AirDrop.
|
| Wait, what? Nobody will want to install some third-party tool
| over this.
| lathiat wrote:
| The way I read it their implementation was more of a proof of
| concept of a better privacy preserving system that works in the
| same way. Rather than a separate app.
| lorenzfx wrote:
| I would actually love a similar (open source) system, that is
| working cross-platform.
|
| EDIT: I just found snapdrop [1], but haven't given it a try
| yet.
|
| [1] https://github.com/RobinLinus/snapdrop
| [deleted]
| scotchmi_st wrote:
| One explanation is that Apple has sat on this for 2 years,
| knowing this is a serious security bug. Another explanation is
| that they just don't think it's that serious. The article states:
|
| > The discovered problems are rooted in Apple's use of hash
| functions for "obfuscating" the exchanged phone numbers and email
| addresses during the discovery process. However, researchers from
| TU Darmstadt already showed that hashing fails to provide
| privacy-preserving contact discovery as so-called hash values can
| be quickly reversed using simple techniques such as brute-force
| attacks.
|
| The post that they then linked to is about how, by hashing random
| phone numbers, you can effectively de-anonymise users of popular
| messaging apps.
|
| So you'd need to be in physical proximity to the person, and what
| you're getting is details like your phone number which aren't
| especially private anyway (they literally need to be given to
| people to be of any use). It's far from the dragnet-level issue
| facing Signal & Whatsapp and others.
|
| I don't know, but that doesn't seem like an especially serious
| issue to me. It seems just like a research group trying to make
| some hype for themselves.
| lxgr wrote:
| > So you'd need to be in physical proximity to the person, and
| what you're getting is details like your phone number which
| aren't especially private anyway
|
| Once you know the phone number, you would then be able to track
| an iOS device's location if it's in "contacts only"
| discoverability mode for AirDrop, right?
| willyt wrote:
| Depends how easy this is to do on the fly. Lots of people
| thinking about it like it's a spy thriller. But could a creep
| with a laptop use it to harvest phone numbers from random
| school girls that they like the look of in Starbucks? Not sure
| I would like my kids to experience this.
| dannyw wrote:
| Yes, I believe so.
| jdsully wrote:
| In the old days they used to print giant books of these "phone
| numbers" and drop them on your neighbours porches. Odd how
| things that were common are now security risks.
| macintux wrote:
| In the old days phone numbers were not used for
| authentication.
| prutschman wrote:
| And in the old days you could get your number unlisted if you
| didn't want it published.
| [deleted]
| ryanwhitney wrote:
| Not sure how much is required to brute force these, but AirDrop
| has been used in notably sensitive situations like the Hong
| Kong protests[1], where I'm sure anonymity was assumed.
|
| Proximity doesn't mean I would like to share my phone number.
| Seems like an unlikely attack day-to-day, but one with definite
| privacy and personal safety concerns.
|
| 1: https://qz.com/1660460/hong-kong-protesters-use-airdrop-to-b...
| [deleted]
| scotchmi_st wrote:
| If the state where you live wants to know if you've been at a
| protest, they have more efficient ways of figuring that out
| than sending someone out to walk around, trying to collect
| AirDrop IDs. That should be the least of your worries.
|
| I mean sure, I'm not saying there's _no_ issue here. But it
| certainly isn't 'huge' either.
| eptcyka wrote:
| If I turn off my phone's LTE radio, and wear face coverings,
| how exactly would a state track me? It's said that Apple
| tries to randomize MACs of all the radios as much as
| practically possible. What's the spin here?
| philsnow wrote:
| If I were seriously trying to avoid tracking, you can bet
| my phone would have its very own tin foil hat. I don't
| trust "airplane mode" to not still have some radio
| active, but I trust physics.
| ramphastidae wrote:
| Citation needed. The state is far less organized and
| competent than you think if the US is any indication.
| Planes were flown into skyscrapers and government
| facilities and we had zero defenses in place. A global
| pandemic occurred and we had no plan, PPE or ventilator
| supply and could not mobilize our infrastructure to
| respond. Thousands descended on the Capitol building and
| took selfies during a violent overthrow attempt and the FBI
| has no idea who the majority of them were, depending on
| internet tips to identify them.
| EricE wrote:
| > Planes were flown into skyscrapers and government
| facilities and we had zero defenses in place.
|
| The FBI had certain groups under watch but didn't act on
| it. For a variety of reasons. This continues today - the
| FedEx shooter was well known to law enforcement but
| wasn't acted on. Instead of talking about how we can
| solve that problem, the media and people probably like
| you screech about restricting rights of everyone else
| (gun control?) instead :p
|
| > A global pandemic occurred and we had no plan, PPE or
| ventilator supply and could not mobilize our
| infrastructure to respond.
|
| We built massive temporary hospitals in NYC, sent a
| floating hospital up to NYC and instead of using those
| for the elderly, the NY governor sent the infected
| elderly back to nursing homes where the most vulnerable
| are. They also sent non-elderly to nursing homes too.
| There at least was some reporting about a violent 30
| something homeless guy sent to a nursing home that
| assaulted elderly residents but it was pretty minimal and
| blew over quickly. There were mobilized responses - they
| were incompetent mobilizations. But why talk about that -
| maybe because most of disproportionate nursing home death
| rates happened predominantly in blue states? God forbid
| someone draw attention to that! Quick - more handwaving
| about "lack of mobilization" is needed!
|
| Ventilators - we produced thousands of emergency
| ventilators that sat in warehouses waiting for a crisis
| that never materialized. Then as we got more experience
| we learned ventilators actually make things worse and
| it's better to just change people's resting position.
| However those facts are not nearly as sexy or politically
| expedient as being able to blame the other side for
| lacking to produce something, so we still have people
| fixating on the non-existent ventilator crisis to again
| deflect from other incompetence and also justify further
| "fixes".
|
| > Thousands descended on the Capitol building and took
| selfies during a violent overthrow attempt and the FBI
| has no idea who the majority of them were, depending on
| internet tips to identify them.
|
| lol - and the most preposterous propaganda of the year
| award. Entire city blocks repeatedly burning down over
| the summer during "mostly peaceful protests" and one
| incident started WHILE TRUMP WAS STILL SPEAKING is the
| end of western democracy as we know it. Yup. Trump led.
| So violent that there were no fires. No statues toppled.
| No walls or paintings spray painted. All things that
| routinely happened in many American cities over and over
| for over a year but was hand waved off.
|
| Indeed, the vast majority of people "insurrecting" were
| walking between the velvet ropes taking pictures,
| smiling, chatting with the Capitol police. Several videos
| show the same Capitol police holding the doors open for
| them - but it was a violent insurrection.
|
| You see I watched most of it live from various streamers
| as it happened. I didn't just watch the carefully crafted
| media narrative. Yes there were some bad actors, but the
| cognitive dissonance and utterly disproportional response
| between what happened in those four hours vs. the entire
| year before is off the charts. If that was a violent
| insurrection and what happened over the summer were just
| mostly peaceful protests then we have gotten to levels of
| absurd gaslighting that even Orwell couldn't have
| imagined.
|
| >The state is far less organized and competent than you
| think if the US is any indication.
|
| Thank you for providing the biggest reason socialized
| medicine is an utterly ridiculous and downright scary
| proposition. Given your other positions this is a
| refreshingly frank take.
| dannyw wrote:
| I know HN isn't supposed to be about politics, but I want
| to thank you for presenting a well reasoned response.
| It's given me a lot to think about and realise how media
| is manipulated and biased.
| Apocryphon wrote:
| It sounds like a metadata situation where collecting
| AirDrop IDs is another piece of the puzzle that helps build
| a complete data profile of individuals. It may not be a
| huge issue, but it's certainly not a small one.
| captn3m0 wrote:
| I felt like I've read this vulnerability described before. Found
| this from 2 years ago: https://arstechnica.com/information-technology/2019/08/apple...
|
| Research links:
|
| https://hexway.io/research/apple-bleee/
|
| https://arxiv.org/pdf/1904.10600.pdf
|
| https://www.usenix.org/system/files/sec19fall_stute_prepub.p...
___________________________________________________________________
(page generated 2021-04-21 23:02 UTC)