idw – Informationsdienst Wissenschaft

Nachrichten, Termine, Experten

Grafik: idw-Logo
Grafik: idw-Logo

idw - Informationsdienst
Wissenschaft

Science Video Project
idw-Abo

idw-News App:

AppStore

Google Play Store



Instanz:
Teilen: 
22.04.2021 14:58

Apple AirDrop shares more than files: TU-Researchers discover significant privacy leak in Apple's file-sharing service

Bettina Bastian Stabsstelle Kommunikation und Medien
Technische Universität Darmstadt

    Apple users can share files with each other using AirDrop. But studies by TU researchers at the Department of Computer Science show that uninvited people can also tap into data. The research team developed a system that could replace the insecure AirDrop. Apple has not yet closed the discovered security gap – the users of more than 1.5 billion Apple devices are still vulnerable.

    Pictures, presentations, or videos – for users of iPhones and macBooks it is extremely comfortable to share files via AirDrop, a service that enables the direct transfer of data between Apple devices. As sensitive data is typically exclusively shared with people who users already know, AirDrop only shows receiver devices from address book contacts by default. To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user's phone number and email address with entries in the other user's address book.

    A team of researchers from the Secure Mobile Networking Lab (SEEMOO) and the Cryptography and Privacy Engineering Group (ENCRYPTO) at TU Darmstadt took a closer look at this mechanism and discovered a severe privacy leak.

    As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.

    The discovered problems are rooted in Apple's use of hash functions for "obfuscating" the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.

    New cryptographic protocol guarantees privacy

    The research team also developed a solution named “PrivateDrop” to replace the flawed original AirDrop design. PrivateDrop is based on optimized cryptographic private set intersection protocols that can securely perform the contact discovery process between two users without exchanging vulnerable hash values. The researchers' iOS/macOS implementation of PrivateDrop shows that it is efficient enough to preserve AirDrop's exemplary user experience with an authentication delay well below one second.

    The researchers informed Apple about the privacy vulnerability already in May 2019 via responsible disclosure. So far, Apple has neither acknowledged the problem nor indicated that they are working on a solution. This means that the users of more than 1.5 billion Apple devices are still vulnerable to the outlined privacy attacks. Users can only protect themselves by disabling AirDrop discovery in the system settings and by refraining from opening the sharing menu.

    The researchers described their results in a scientific paper that will be presented in August at the renowned USENIX Security Symposium.


    Wissenschaftliche Ansprechpartner:

    M.Sc. Christian Weinert
    Cryptography and Privacy Engineering Group (ENCRYPTO)
    Department of Computer Science
    weinert@encrypto.cs.tu-darmstadt.de

    Dr.-Ing. Milan Stute
    Secure Mobile Networking Lab (SEEMOO)
    Department of Computer Science
    mstute@seemoo.tu-darmstadt.de


    Originalpublikation:

    Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute, and Christian Weinert. PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop. 30th USENIX Security Symposium, 2021. https://www.usenix.org/conference/usenixsecurity21/presentation/heinrich


    Weitere Informationen:

    https://www.tu-darmstadt.de/universitaet/aktuelles_meldungen/einzelansicht_31116...


    Bilder

    Merkmale dieser Pressemitteilung:
    Journalisten, Wissenschaftler, jedermann
    Informationstechnik
    überregional
    Forschungsergebnisse
    Englisch


     

    Hilfe

    Die Suche / Erweiterte Suche im idw-Archiv
    Verknüpfungen

    Sie können Suchbegriffe mit und, oder und / oder nicht verknüpfen, z. B. Philo nicht logie.

    Klammern

    Verknüpfungen können Sie mit Klammern voneinander trennen, z. B. (Philo nicht logie) oder (Psycho und logie).

    Wortgruppen

    Zusammenhängende Worte werden als Wortgruppe gesucht, wenn Sie sie in Anführungsstriche setzen, z. B. „Bundesrepublik Deutschland“.

    Auswahlkriterien

    Die Erweiterte Suche können Sie auch nutzen, ohne Suchbegriffe einzugeben. Sie orientiert sich dann an den Kriterien, die Sie ausgewählt haben (z. B. nach dem Land oder dem Sachgebiet).

    Haben Sie in einer Kategorie kein Kriterium ausgewählt, wird die gesamte Kategorie durchsucht (z.B. alle Sachgebiete oder alle Länder).