Why AirDrop May Not Be AirTight

Your personal information could be available to strangers

Key Takeaways

  • AirDrop is great for sending photos to your friends, but a recently discovered flaw means strangers could also get your contact information.
  • Strangers could see your phone number and email address just by opening an iOS or macOS sharing pane within the Wi-Fi range of other people.
  • It’s been shown that anonymous users can push photos or files to target devices using AirDrop.

Apple’s AirDrop feature is a handy way to share things, but it also can be a privacy risk. 

A recently discovered AirDrop flaw lets strangers see your phone number and email address just by opening an iOS or macOS sharing pane within the Wi-Fi range of other people. It’s one of a range of privacy vulnerabilities Mac and iOS users should know about. 

"Our iOS devices are connected to countless social media apps, third-party messaging platforms, and networking sites that allow people to share all sorts of content with each other," Hank Schless, a security expert at cybersecurity firm Lookout, said in an email interview. "If you receive any sort of file from an unknown contact, you should always treat it as potentially dangerous until proven otherwise."

Apple Stays Silent on a Fix

The flaws in the security protocols for AirDrop reportedly were uncovered in 2019 by researchers, who let Apple know about the problem. However, the company has yet to provide a solution. A recent paper found the issue is more extensive than previously known.

"As sensitive data is typically exclusively shared with people who users already know, AirDrop only shows receiver devices from address book contacts by default," the report stated. "To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user’s phone number and email address with entries in the other user’s address book."

The problem with using AirDrop for data theft appears to be limited to phone numbers and email addresses, which could be used in future targeted phishing attacks, cybersecurity expert Patrick Kelley said in an email interview. 

Jacob Ansari, a security expert at Schellman & Company, a global independent security and privacy compliance assessor, agreed that phishing could be the goal of any potential hackers.

"An attacker with proximity to a target device can obtain a username (probably email address) and phone number very easily," he said in an email interview. "It is perhaps most useful in obtaining the phone number of a particular victim, such as a celebrity or particular target (e.g., a company CEO), but is also useful in then mounting a more direct phishing or similar attack against less famous people."

It’s not just the recently discovered flaw that’s a problem with AirDrop. Over the years, it’s been shown that anonymous users can push photos or files to target devices using AirDrop.

"This has been used to disrupt public multimedia events by AirDropping [adult] images," Kelley said. "That being said, there was a 'positivity campaign' where anonymous users were AirDropping motivational images to target devices."

Don’t Panic, Experts Say

But don’t worry too much about the AirDrop flaw, Oliver Tavakoli, the chief technology officer at cybersecurity firm Vectra, said in an email interview. The attacker has to be in relatively close physical proximity to you, and there is some work required to crack your email address and phone number. Of course, Apple can and should fix this flaw. 

"However, let’s keep this in perspective," added Tavakoli, "if the described hack succeeds, an attacker will have the email address and phone number of a nearby stranger. Not exactly the end of the world."

While Apple hasn’t yet fixed the AirDrop problem, there are things you can do to help mitigate it. Users should disable AirDrop if it’s not being used, Kelley said. You also could consider using an open-source project named PrivateDrop, which claims to have resolved the problem in the contact list verification process. The solution is free to use as an AirDrop replacement.

But the best thing users can do is be wary of who is trying to send them files, Schless said. 

"Getting an AirDrop notification from an unknown individual is a massive red flag," he added. "Run your mobile devices on a policy of least necessary access and privilege. Actively try to reduce the number of data and device access permissions you allow your apps to have in order to minimize potential exposure to cyber threats."
