While iMessage has been the focus of some pretty big security flaws in recent weeks, a newly discovered vulnerability could allow hackers to find out your phone number simply by being in close proximity to your iPhone, without you having any idea at all that you've been compromised.
As reported by ArsTechnica, a recently published report pokes holes in Apple's marketing stance that "What happens on your iPhone stays on your iPhone", revealing that many of the wireless sharing features built into iOS may leak more information than people realize. Useful features like AirDrop, Handoff, and Wi-Fi sharing broadcast enough information over Bluetooth that anybody nearby can get quite a bit of status information from your device, including its mobile phone number.
According to the report, simply having Bluetooth enabled on an iPhone (or iPad) broadcasts a number of details that you may not have thought of, all of which are arguably necessary to make features like AirDrop work. For example, with the right tools, a hacker could determine the name of your device, whether it's currently being used, what version of iOS it's running, whether Wi-Fi is enabled, and the remaining battery life (or whether it's charging).
While most of this information is relatively innocuous, the researchers discovered that when you actually use AirDrop or Wi-Fi Sharing, your device's phone number is also transmitted. While this is sent as a "partial cryptographic hash", it's not difficult for somebody who knows what they're doing to convert that back into a complete phone number. In the case of an iPad, iPod touch, or Mac, the packets instead use a static hardware address known as a MAC address (the term is short for "Media Access Control" and is not related to the Mac platform or operating system).
Both AirDrop and Wi-Fi Sharing may also, in some cases, broadcast a partial hash of the user's e-mail address and Apple ID. While only a partial hash is sent, Hexway, the security firm that discovered the original flaw, says that those few bytes are enough to allow it to reconstruct the full phone number. It didn't comment on the e-mail address or Apple ID, leaving us to assume that those couldn't be decoded.
Why is this happening?
In order for Apple to make AirDrop and Wi-Fi Sharing work in a secure, private, and authenticated way, it's necessary for devices to exchange data in some manner so that they can "handshake" with each other and identify who they're talking to. This is why AirDrop's "Contacts Only" feature works — when AirDrop is set to this mode, not only will your iPhone accept AirDrop requests only from people already listed in your contacts, but your iPhone is actually invisible to anybody who isn't in your contacts — you won't show up in their list of AirDrop destinations.
It's not difficult to see that this can only work if all of the nearby phones are broadcasting enough information for your iPhone to make that determination. In other words, your iPhone has to "see" all of the other iPhones that are trying to AirDrop to it, and then silently refuse to acknowledge the ones that aren't authorized by being in your contacts list.
Perhaps ironically, this is done in order to protect your privacy, working in the background to make your iPhone invisible before anybody can even try to AirDrop something to you.
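To make the contacts-only mechanism concrete, here is an added example (not code from Hexway, ArsTechnica or Apple) that models the receiver-side check: the address book is hashed once, and each incoming advertisement is matched against that table. The hash function (SHA-256), the three-byte truncation and the digits-only normalization are assumptions, since the page does not give AirDrop's actual encoding; the last two functions put numbers on why a partial hash of a phone number is weak protection, because the candidate space is only about 33 bits.

```python
import hashlib
import math

# Assumed stand-in for the "partial cryptographic hash" the article describes:
# SHA-256 of the digits-only number, truncated to a few bytes. The real
# AirDrop encoding and truncation length are not given on the page.
HASH_BYTES = 3


def normalize(phone: str) -> str:
    """Keep digits only, so formatting differences do not change the hash."""
    return "".join(ch for ch in phone if ch.isdigit())


def partial_hash(phone: str, nbytes: int = HASH_BYTES) -> bytes:
    """Truncated hash a device would broadcast instead of the clear number."""
    return hashlib.sha256(normalize(phone).encode()).digest()[:nbytes]


class ContactsOnlyFilter:
    """Receiver side of a contacts-only check: the address book is hashed
    once, then each incoming advertisement is matched against that table
    without the sender ever putting its number on the air in the clear."""

    def __init__(self, contacts: dict):
        self._by_hash: dict = {}
        for name, phone in contacts.items():
            self._by_hash.setdefault(partial_hash(phone), []).append(name)

    def match(self, advertised: bytes) -> list:
        """Names whose stored number hashes to the advertised bytes."""
        return self._by_hash.get(advertised, [])

    def is_authorized(self, advertised: bytes) -> bool:
        """True if the advertising device belongs to a known contact."""
        return bool(self.match(advertised))


def keyspace_bits(digits: int = 10) -> float:
    """Entropy of an unknown phone number of the given length: about 33 bits
    for 10 digits, which is why hashing alone adds little protection."""
    return digits * math.log2(10)


def expected_candidates(digits: int = 10, nbytes: int = HASH_BYTES) -> float:
    """Phone numbers of that length sharing one truncated hash value: a
    3-byte hash narrows 10 billion numbers to roughly 600 candidates."""
    return 10 ** digits / 2 ** (8 * nbytes)
```

The sample address book in the test is constructed; the numbers are not real.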
Should I be worried?
The exploit definitely works, but it's probably not something you need to be too concerned about, since it's not a "targeted" attack. In other words, while a hacker will be able to find a list of phone numbers being broadcast by nearby iPhones, they're very unlikely to be able to figure out which one is your number unless you're the only person within Bluetooth range — and, unlike the form of Bluetooth used for headphones, which is only good for around 30 feet, Bluetooth LE can work at much greater distances, so the list won't necessarily be confined only to people in the same room.
For example, the report notes that Errata Security CEO Rob Graham was able to install a proof-of-concept of the exploit on a laptop with a wireless packet sniffer, and was able to "capture details of more than a dozen iPhones and Apple Watches" that were within radio range of a bar he was sitting in. However, while he obviously recognized his own iPhone on the list of devices, he wasn't able to identify which devices the other numbers belonged to.
That said, a determined hacker who wanted to target you specifically might be able to use the other information that's available to pin down your iPhone more precisely. For example, battery and charging status could help identify you if you're the only one in the room with your iPhone plugged in, but that still wouldn't necessarily be conclusive. More likely, a stalker could follow you to multiple locations, narrowing the list down to your phone number simply by process of elimination.
Of course, it's also easy to see how this exploit could be used to collect all of the phone numbers in a bar, restaurant, or airport lounge for more general purposes, such as sending out text message spam. It's worth noting, however, that this still has to be a specific attack. Your phone number isn't just leaking out to anybody with a Wi-Fi sniffer nearby — they have to be running specific code to deconstruct the hashes back into phone numbers. In other words, they have to be trying to do this quite deliberately.
How do I protect myself?
Arguably, the only sensitive information that's leaking out here is your phone number, and if you're concerned about this, the most reliable solution is to turn Bluetooth off entirely when you're not using it. This of course can be a nuisance if you're an Apple Watch user, or regularly use AirPods or other wireless headphones, but it's the one way to guarantee that NO information leaks out.
It's also a good idea to choose a more obscure name for your device. If your iPhone is broadcasting "Bob Smith's iPhone", it's going to be a lot easier to match the phone number to your actual identity. However, you can easily set your iPhone's name to something that's not personally identifiable just by going into the Settings app, choosing General, then About, and tapping on the name at the top.
Since the phone number is only transmitted for AirDrop and Wi-Fi Sharing, it's also easy enough to disable or avoid using these features. AirDrop can simply be switched off unless you're specifically using it, while you can avoid leaking data via Wi-Fi Sharing by simply not attempting to join any new Wi-Fi networks — the feature only kicks in when you join a new network, in order to ask other nearby devices if they have a password they can share with you.
"This is the classic trade-off that companies like Apple try to make when balancing ease of use vs privacy/security. In general, automatic discovery protocols often require the exchange of personal information in order to make them work—and as such—can reveal things that could be considered sensitive. Most security and privacy minded folks I know disable automatic discovery protocols like AirDrop, etc. just out of principle."
Ashkan Soltani, independent privacy and security researcher, speaking to ArsTechnica
Unfortunately, while Apple may find more secure ways to protect data like phone numbers when it's travelling over the air between devices, eliminating its use entirely will be more of a challenge, since it's needed for devices to identify themselves to each other when using protocols like AirDrop. Further, the way that Apple has otherwise implemented privacy in AirDrop seems to us like a much better tradeoff — we'd rather have our iPhone remain invisible in the normal AirDrop screens that every iPhone user knows how to access than worry about our phone number being deliberately intercepted and decoded by hackers using specialized tools.