via Apple
During the pro-democracy protests in Hong Kong, one tool emerged as a safe way to avoid censorship and tracking: AirDrop. Apple’s device-to-device AirDrop protocol made it easy to share protest information and pro-democracy leaflets digitally, without risking personal safety. AirDrop doesn’t reveal the real name of the sender, just their device name, which can be anything. Democracy advocates could set their devices to allow AirDrops from anyone, allowing regional device-to-device drops of information. It was a safe way to avoid the watchful eye of the Chinese government, cracking down on protestors with horific violence.
Apple caved to the government, creating an update to AiDrop that only allowed the devices to accept drops from anyone for 10 minutes at a time. It made communication more difficult, and virtually ended the ability to quickly send out messages to many people. However, it wasn’t far enough. China wanted Apple to reveal the names and information of everyone using AirDrop. Apple refused.
After all, they were already doing that.
A Chinese group, backed by the government, has announced they cracked AirDrop. They can see the senders, and even the receivers, of every AirDrop sent. The hack was easy, others had done the legwork for them years prior, all they needed was Apple not closing an easy-to-fix security hole for nearly 5 years.
Apple never fixed the issue. Now, many pro-democracy advocates are at risk.
Cracked AirDrop
Cracking AirDrop is surprisingly easy. When someone receives an AirDrop, they receive a hashed string containing the email address and phone number of the sender. Think of this as a jumbled mess. The algorithm that generates it never needs to turn it back into text, it just has to make sure that the jumbled text matches the expected hash. Hashing is a common tool in security. However, it’s usually implemented better than Apple has.
Apple’s hashing is not appropriately salted. This is the act of adding additional data to information during the hashing process. This protects against someone being able to crack hashed values for all devices, storing values in what’s called “Rainbow table.” A rainbow table attack creates a long list of known hashed values, to break any security the hashing process can provide. Basically, they know what combinations of characters create particular hashes, so they can quickly reverse-engineer a hashed value, producing a real name or phone number for a person.
A Known and Easily Fixed Issue
Credit: Voice of America Cantonese Service photographer Iris Tong, 2020, via Wikimedia Commons
Apple knew this was a security vulnerability back in 2019. In 2021, researchers not only demonstrated the flaws in AirDrop, they also showed how standard cryptography practices could make AirDrop secure and private. They showed how necessary this is by demonstrating that the sender of something could also get the information on the receiver. A person could just collect phone numbers and email addresses through AirDrop.
Apple knew of this issue in 2019, was reminded of the severity of the problem in 2021, and has done nothing. Now, in 2024, China can use it to arrest pro-freedom protesters.
The problem could be solved with simple salting. Randomized data added to the hash would be perfect for AirDrop, as it’s not a service that requires the storage of hashed values for later comparison. It only needs them in the moment. On top of that, researchers showed off their own PrivateDrop, which introduced further security to Apple’s platform. Despite having the solutions in hand, Apple did nothing.
Either tech debt is such a problem at Apple that they can’t fix small issues, or their priorities are not in their customer’s favor at this time.
Apple reportedly pointed to backwards compatibility as the reason for not fixing this security flaw earlier. However, Apple could simply require an update for AirDrop to only work between devices running a newer version of the OS if one is updated. It doesn’t even have to come with a complete OS update, it could come as an OTA update for all supported versions of iOS. Most iOS users update to the latest full version within months of its release anyway, backwards compatibility would not be a real pain point for consumers. Broadcasting their personal information to everyone around them by default, on the other hand, is a serious issue.
Apple limited the usefulness of AirDrop at China’s request in 2022. They refused to fix a security flaw that put their users at risk for over four years. Now this security flaw has created not only problems of personal information theft, but possible imprisonment as China’s government has cracked their protocol. When Beeper broke iMessage, Apple responded by fixing the problem within days. Why when this feature, popular with pro-democracy protesters in China, was revealed to be a security threat, did Apple do nothing? It’s a serious issue, now with an active exploit in the wild. Lives will be affected because Apple considered a flaw too small to fix or force updates to. Hopefully the spread of this knowledge will lead Apple to improve the security in their next AirDrop update.