While iMessage has been the focus of some pretty big security flaws in recent weeks, there’s a new vulnerability that’s been discovered that could allow hackers to find out your phone number simply by being in close proximity to your iPhone, without you having any idea at all that you’ve been compromised.
A recently published report, brought to wider attention by ArsTechnica, pokes holes in Apple’s marketing stance that “What happens on your iPhone stays on your iPhone,” revealing that many of the wireless sharing features built into iOS may leak more information than people realize. Useful features like AirDrop, Handoff, and Wi-Fi sharing broadcast enough information over Bluetooth that anybody nearby can get quite a bit of status information from your device, including its mobile phone number.
According to the report, simply having Bluetooth enabled on an iPhone (or iPad) broadcasts a number of details that you may not have thought of, all of which are arguably necessary to make features like AirDrop work. For example, with the right tools, a hacker could determine the name of your device, whether it’s currently being used, what version of iOS it’s running, whether Wi-Fi is enabled, and the remaining battery life (or whether it’s charging).
While most of this information is relatively innocuous, the researchers discovered that when actually using AirDrop or Wi-Fi Sharing, your device’s phone number is also transmitted. While this is sent as a “partial cryptographic hash,” it’s not difficult for somebody who knows what they’re doing to convert that into a complete phone number, since there are only so many possible phone numbers to compare it against. In the case of an iPad, iPod touch, or Mac, the packets instead use a static hardware address known as a MAC address (the term is short for “Media Access Control” and is not related to the Mac platform or operating system).
Both AirDrop and Wi-Fi Sharing may also in some cases broadcast a partial hash of the user’s e-mail address and their Apple ID. While only a partial hash is sent, Hexway, the security firm that discovered the original flaw, says that those few bytes are enough to allow them to reconstruct the full phone number, although it didn’t comment on the e-mail address or Apple ID, leaving us to assume that those couldn’t be decoded.
Why is this happening?
In order for Apple to make AirDrop and Wi-Fi Sharing work in a secure, private, and authenticated way, it’s necessary for devices to exchange data in some manner so that they can “handshake” with each other and identify who they’re talking to. This is why AirDrop’s “Contacts Only” feature works — when AirDrop is set to this mode, not only will your iPhone only accept AirDrop requests from people already listed in your contacts, but your iPhone is actually invisible to anybody who isn’t in your contacts — you won’t show up in their list of AirDrop destinations.
It’s not difficult to see that this can only work if all of the nearby phones are broadcasting enough information for your iPhone to make that determination. In other words, your iPhone has to “see” all of the other iPhones that are trying to AirDrop to it, and then silently refuse to acknowledge the ones that aren’t authorized by being in your contacts list.
Perhaps ironically, this is done in order to protect your privacy, working in the background to make your iPhone invisible before anybody can even try to AirDrop something to you.
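To make the “Contacts Only” mechanism described above concrete, here is an added illustrative model. It is not Apple’s actual protocol and not code from the Hexway report: a receiver indexes its own contacts by a short hash prefix, a sender advertises the prefix of its own number, and only receivers that hold a matching contact answer, so the receiver stays invisible to everyone else. The prefix length (3 bytes), the use of SHA-256, and all phone numbers are constructed for the example.

```python
import hashlib

# Constructed parameter for this model: how many bytes of the hash are broadcast.
# The article only says a "partial cryptographic hash" is sent; 3 bytes is an assumption.
PREFIX_BYTES = 3


def normalize_phone(phone: str) -> str:
    """Keep digits only so formatting differences do not change the hash."""
    return "".join(ch for ch in phone if ch.isdigit())


def phone_hash_prefix(phone: str) -> bytes:
    """Truncated SHA-256 of a normalized phone number (the model's 'partial hash')."""
    return hashlib.sha256(normalize_phone(phone).encode()).digest()[:PREFIX_BYTES]


class Receiver:
    """A device in 'Contacts Only' mode: it indexes its own contacts by hash prefix."""

    def __init__(self, name: str, contacts: dict[str, str]):
        self.name = name
        self.index: dict[bytes, list[str]] = {}
        for contact_name, phone in contacts.items():
            # A list, because two contacts could share a short prefix.
            self.index.setdefault(phone_hash_prefix(phone), []).append(contact_name)

    def match(self, advertised_prefix: bytes) -> list[str]:
        """Contacts whose hash prefix equals the one a nearby sender is advertising."""
        return self.index.get(advertised_prefix, [])

    def is_visible_to(self, sender_phone: str) -> bool:
        """The receiver answers only senders matching one of its contacts; everyone
        else gets silence, so the receiver never appears in their AirDrop sheet."""
        return bool(self.match(phone_hash_prefix(sender_phone)))


def discover(sender_phone: str, nearby: list[Receiver]) -> list[str]:
    """Names of the nearby receivers that would appear as destinations for this sender."""
    return [r.name for r in nearby if r.is_visible_to(sender_phone)]


def expected_false_matches(num_contacts: int, prefix_bytes: int = PREFIX_BYTES) -> float:
    """Expected number of a receiver's contacts that collide with a random stranger's
    prefix: shows why a few bytes are enough for the receiver's filtering job."""
    return num_contacts / 2 ** (8 * prefix_bytes)


if __name__ == "__main__":
    # Constructed sample data: no real phone numbers.
    alice = Receiver("Alice's iPhone", {"Bob": "+1 555 010 0101", "Carol": "+1 555 010 0102"})
    dave = Receiver("Dave's iPad", {"Erin": "+1 555 010 0103"})
    print(discover("15550100101", [alice, dave]))      # Bob is in Alice's contacts only
    print(discover("+1 555 010 0199", [alice, dave]))  # a stranger sees nobody
    print(expected_false_matches(500))                 # tiny: the prefix rarely misfires
```

The model makes the trade-off in the surrounding text visible: the receiver needs nothing more than a few hash bytes to decide whom to answer, and the same few bytes are what every other listener in range receives.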
Should I be worried?
The exploit definitely works, but it’s probably not something you need to be too concerned about, since it’s not a “targeted” attack. In other words, while a hacker will be able to find a list of phone numbers being broadcast by nearby iPhones, they’re very unlikely to be able to figure out which one is your number unless you’re the only person within Bluetooth range — and, unlike the form of Bluetooth used for headphones, which is only good for around 30 feet, Bluetooth LE can work at much greater distances, so the list won’t necessarily be confined only to people in the same room.
For example, the report notes that Errata Security CEO Rob Graham was able to install a proof-of-concept of the exploit on a laptop with a wireless packet sniffer, and was able to “capture details of more than a dozen iPhones and Apple Watches” that were within radio range of a bar he was sitting in. However, while he obviously recognized his own iPhone on the list of devices, he wasn’t able to identify which devices the other numbers belonged to.
That said, a determined hacker who wanted to target you specifically might be able to use the other information that’s available to pin down your iPhone more specifically. For example, battery and charging status could help identify you if you’re the only one in the room with your iPhone plugged in, but that still wouldn’t necessarily be conclusive. More likely, a stalker could follow you to multiple locations, narrowing the list down to your phone number simply by process of elimination.
Of course, it’s also easy to see how this exploit could be used to collect all of the phone numbers in a bar, restaurant, or airport lounge for more general purposes, such as sending out text message spam. It’s worth noting, however, that this still has to be a specific attack. Your phone numbers aren’t just leaking out to anybody with a Wi-Fi sniffer nearby — they have to be running specific code to deconstruct the hashes back into phone numbers. In other words, they have to be trying to do this quite deliberately.
How do I protect myself?
Arguably, the only sensitive information that’s leaking out from here is your phone number, and if you’re concerned about this, the most reliable solution is to turn Bluetooth off entirely when you’re not using it. This of course can be a nuisance if you’re an Apple Watch user, or regularly use AirPods or other wireless headphones, but it’s the one way to guarantee that NO information leaks out.
It’s also a good idea to choose a more obscure name for your actual device. If your iPhone is broadcasting “Bob Smith’s iPhone” it’s going to be a lot easier to match the phone number to your actual identity. However, you can easily set your iPhone’s name to something that’s not personally identifiable just by going into the Settings app, choosing General, About, and tapping on the name at the top.
However, since the phone number is only transmitted for AirDrop and Wi-Fi Sharing, it’s also easy enough to disable or avoid using these features. AirDrop can simply be switched off unless you’re specifically using it, while you can avoid leaking data via Wi-Fi Sharing by simply not attempting to join any new Wi-Fi networks — the feature only kicks in when you join a new network in order to ask other nearby devices if they have a password they can share with you.
“This is the classic trade-off that companies like Apple try to make when balancing ease of use vs privacy/security. In general, automatic discovery protocols often require the exchange of personal information in order to make them work—and as such—can reveal things that could be considered sensitive. Most security and privacy minded folks I know disable automatic discovery protocols like AirDrop, etc just out of principle.”

Ashkan Soltani, independent privacy and security researcher, speaking to ArsTechnica
Unfortunately, while Apple may find more secure ways to protect data like phone numbers when it’s travelling over the air between devices, eliminating its use entirely will be more of a challenge, since it’s needed for devices to identify themselves to each other when using protocols like AirDrop. Further, the way that Apple has otherwise implemented privacy in AirDrop seems to us like a much better tradeoff — we’d rather have our iPhone remain invisible in the normal AirDrop screens that every iPhone user knows how to access than worry about our phone number being deliberately intercepted and decrypted by hackers using specialized tools.