Apple's AirDrop is ?? ??? ??undeniably convenient for sending photos, videos, links, and more between iPhones, iPads, and Macs. But there's one thing you probably didn't know AirDrop's sharing: part of your phone number, which in the wrong hands, could be used to recover your full digits.
Security researchers at Hexway (via Ars Technica) have discovered a "flaw" in AirDrop that can used to obtain unsuspecting iPhone users' phone numbers using software installed on a laptop and a Bluetooth and WiFi adapter to sniff them out.
Because of the way AirDrop works — it uses Bluetooth LE (Low Energy) to create a peer-to-peer WiFi network between devices for sharing — it broadcasts partial hashesof an iPhone user's phone number in order establish the device as a sending/receiving contact when sending a file.
SEE ALSO: 9 hidden iOS 13 features you need to know aboutMore serious is if you use Apple's WiFi password sharing feature, you're exposing hashed parts of your phone number, but also your Apple ID and email address.
Now, although AirDrop's only beaming partial hashes – a.k.a. some numbers and letters that have been scrambled (Hexway says only the "first 3 bytes of the hashes" are broadcast) — the researchers concluded that there's "enough to identify your phone number" if somebody really wanted to do it.
The researchers shared one scenario in which a hacker could secretly sniff out iPhone users' phone numbers:
- Create a database of SHA256(phone_number):phone_number for their region; e.g., for Los Angeles it’s: (+1-213-xxx-xxxx, +1-310-xxx-xxxx, +1-323-xxx-xxxx, +1-424-xxx-xxxx, +1-562-xxx-xxxx, +1-626-xxx-xxxx, +1-747-xxx-xxxx, +1-818-xxx-xxxx, +1-818-xxx-xxxx)
- Run a special script on the laptop and take a subway train
- When somebody attempts to use AirDrop, get the sender’s phone number hash
- Recover the phone number from the hash
- Contact the user in iMessage; the name can be obtained using TrueCaller or from the device name, as it often contains a name, e.g., John’s iPhone).
Errata Security CEO Rob Graham confirmed to Ars Technica Hexway's software, shared to GitHub, does indeed work. "It’s not too bad, but it’s still kind of creepy that people can get the status information, and getting the phone number is bad."
Scary as this "flaw" appears, it's very unlikely anyone will go through these lengths to recover your phone number. Hexway's researchers even admit that the partially-shared — and we can't stress this enough — information is a necessity to how AirDrop works.
"This behavior is more a feature of the work of the ecosystem than vulnerability," reports Hexway. The researchers further explained that they've "detected this behavior in the iOS versions starting from 10.3.1 (including iOS 13 beta)."
Scary as this "flaw" appears, it's very unlikely anyone will go through these lengths to recover your phone number.
Older iPhones, pre-iPhone 6S, however, appear to be safe based on their findings.
"Old devices (like all before iPhone 6s) are not sending Bluetooth LE messages continuously even if they have updated OS version," reports Hexway. "They send only limited number of messages (for example when you navigate to the Wi-Fi settings menu) probably Apple does that to save battery power on an old devices."
So, how can you stop potential snoopers from sniffing your Bluetooth information out? Turn off Bluetooth. Yes, that means you won't be able to connect AirPods or an Apple Watch to your iPhone, but if that's what will help you sleep at night, then it's the only option.
We've reached out to Apple for comment on Hexway's security findings and will update this story if we receive a response.
Topics Apple Cybersecurity iPhone Privacy
Into the Meat Grinder
NYT's The Mini crossword answers for December 22
Best Apple Watch Series 9 deal: Slash $100 off on the Best Buy app only
Best Apple Watch Series 9 deal: Slash $100 off on the Best Buy app only
Japanese Artist to Commemorate ‘Comfort Women’
How to watch Cal vs. Texas Tech football livestreams: kickoff time, streaming deals, and more
Coastal Carolina vs. San Jose State football livestreams: Kickoff time, streaming deals, and more
Wordle today: The answer and hints for December 18
Local Temples to Commemorate Buddha’s Birth
How to watch Fresno State vs. NMSU football livestreams: kickoff time, streaming deals, and more
Yuasa’s ‘Mind Game’ at Nuart
Wordle today: The answer and hints for December 22
Best earbud deal: Get the limited edition holiday
'Wonka' soars to the top of the box office with $14.4 million opening day
Reaching Out, Reuniting
Wordle today: The answer and hints for December 20
Apple is finally selling standalone USB
Best Buy 3
NEA Big Read to Focus on ‘When the Emperor Was Divine’
Wordle today: The answer and hints for December 23
JFLA Presents Music MondaysCartoonist Willie Ito to Receive Animation’s ‘Oscar’Japan PM Dissolves Lower House for Oct. 31 National ElectionCartoonist Willie Ito to Receive Animation’s ‘Oscar’‘We Hereby Refuse: JA Resistance to Wartime Incarceration’ to Hit Bookstores May 18NHK World's 'Dining with the Chef' Earns Taste Awards HonorJABA Mourns Passing of Judge FujisakiJapanese Restaurant Association Festival Set for Nov. 14 at JACCCArt Professor Gets Up to 12 Years for Attack on ColleagueCAPAC Chair Congratulates Fukushima, Chaudhary Remembering 'Uncle Hershey' Rep. Murphy Reflects on Time in Congress, Thanks Constituents 76 JA, Asian American Organizations Call for Presidential Commission on Black Reparations Craft Artist Publishes Japanese Handicraft Torrance Cherry Blossom Festival Returns This Weekend CAPAC Chair Cites Anti Terasaki Budokan to Showcase Programs on Jan. 14 New Year’s Eve/New Year’s Day Events at Gardena Buddhist Church Muratsuchi Named Chair of Assembly Education Committee Funds Being Raised for Family of Slain Security Guard
0.1894s , 9760.8828125 kb
Copyright © 2025 Powered by 【?? ??? ??】Researchers discover AirDrop is leaking part of your phone number,Global Hot Topic Analysis
