iPhone’s AirDrop Security Vulnerability Can Leak Your Phone Number

By Rajesh Pandey

Published 1 Aug 2019


A security flaw has been discovered in AirDrop that allows a person with a laptop and scanning software to get your phone number. A report published earlier this week by Hexway claims that it is possible to extract an iPhone’s battery status, Wi-Fi status, device name, OS version, and even the phone number if Bluetooth is enabled on it.

If Bluetooth is turned on, your iPhone is broadcasting a host of details about itself. Things become worse when you use AirDrop to share files with another user or share a Wi-Fi password from your iPhone. In such a scenario, with the right set of tools and know-how, a hacker can retrieve your phone number.

When someone uses AirDrop to share a file or image, their device broadcasts a partial SHA-256 hash of its phone number. When Wi-Fi password sharing is in use, the device sends partial SHA-256 hashes of its phone number, the user’s email address, and the user’s Apple ID. Although only the first three bytes of each hash are broadcast, researchers with security firm Hexway (which published the research) say those bytes provide enough information to recover the full phone number.
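Why a three-byte hash prefix does not hide a phone number, as an added example that is not part of the original article or Hexway's research: it measures how many numbers in a keyspace share one truncated SHA-256 prefix. The input encoding (a `+` followed by digits) is an assumption, since the article does not state what Apple hashes, and all numbers are constructed.

```python
import hashlib

PREFIX_BYTES = 3  # per the article: only the first three bytes are broadcast


def broadcast_prefix(identifier: str, n: int = PREFIX_BYTES) -> bytes:
    """Truncated SHA-256 of an identifier (input encoding is an assumption)."""
    return hashlib.sha256(identifier.encode("utf-8")).digest()[:n]


def expected_candidates(keyspace: int, n: int = PREFIX_BYTES) -> float:
    """Average number of identifiers in `keyspace` that share any one n-byte prefix."""
    return keyspace / 2 ** (8 * n)


def anonymity_set(prefix: bytes, candidates) -> list:
    """All candidates whose truncated hash equals the observed prefix."""
    return [c for c in candidates if broadcast_prefix(c, len(prefix)) == prefix]


def constructed_range() -> list:
    """Constructed sample keyspace: 10,000 made-up numbers in a single block."""
    return [f"+1202555{i:04d}" for i in range(10_000)]


if __name__ == "__main__":
    device_number = "+12025550142"  # constructed, fictional
    observed = broadcast_prefix(device_number)
    matches = anonymity_set(observed, constructed_range())
    # A hash only hides its input if the input space is much larger than
    # the output space; phone numbers are a small, enumerable space.
    print("prefix:", observed.hex(), "candidates in block:", len(matches))
    for size in (10**4, 10**7, 10**10):
        print(f"keyspace {size:>14,}: ~{expected_candidates(size):.4f} numbers per prefix")
```

A 24-bit prefix has about 16.7 million possible values, so any numbering range smaller than that leaves, on average, less than one candidate per observed prefix; salting or truncating further does not help when the input space itself is this small.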


As Hexway’s security researchers note, this is more of an issue with Apple’s ecosystem than with iOS itself. The issue is present on all iOS versions starting from iOS 10.3.1. Right now, the only workaround for this vulnerability is to turn off Bluetooth on your iPhone.

Our Take

I won’t really consider this vulnerability serious since it requires a certain set of scenarios and know-how to be exploited. Nonetheless, many iPhone owners who value their privacy might feel uncomfortable about it. In such a case, you can turn off the Bluetooth on your iPhone until Apple gets around to rolling out an update to fix the issue.

[Via Hexway, Ars Technica]