Cybersecurity News in Asia

Features
- Featured
  
  How to talk to your board and C-suite about cyber-preparedness
  
  Thursday, June 1, 2023, 11:33 AM Asia/Singapore | Features, Newsletter, Tips
- Featured
  
  Ransomware trends APAC organizations should be mindful of
  
  Tuesday, May 30, 2023, 2:02 PM Asia/Singapore | Features, Malware & Ransomware
- Featured
  
  Generative AI – the cybercriminal’s latest tool of terror?
  
  Tuesday, May 23, 2023, 11:20 AM Asia/Singapore | Features
News
- Featured
  
  Automation and AI increase bot attack sophistication, evasiveness
  
  Thursday, June 1, 2023, 2:45 PM Asia/Singapore | Cyberthreat Landscape, News, Newsletter
- Featured
  
  Research sheds light on Cryptor-as-a-Service in the Dark Web
  
  Tuesday, May 30, 2023, 10:33 AM Asia/Singapore | News, Newsletter
- Featured
  
  Take a peek at ransomware victims’ failure points
  
  Tuesday, May 30, 2023, 10:13 AM Asia/Singapore | Malware & Ransomware, News, Newsletter
Opinions
Tips
Whitepapers
Awards 2022
Directory
E-Learning

News

Attention Apple product users: your personal data is being airdropped to hackers!

By CybersecAsia editors | Wednesday, April 28, 2021, 11:28 AM Asia/Singapore

Two years ago, a security flaw in the AirDrop feature was disclosed, but nothing has been done to address it.

Back in May 2019, Apple Computer’s AirDrop feature was discovered by cybersecurity researchers to contain a security flaw that leaked personal data. Despite being informed of this serious bug, Apple has not fixed it to date.

The AirDrop feature uses Wi-Fi and Bluetooth Low Energy to facilitate wireless file transfers between devices in the Apple ecosystem. There is some built-in security involving full SHA-256 hashes of the device owners’ phone numbers and email addresses, but hackers have found a way to crack the system using brute-force attacks.

According to the researchers, every time users open a sharing panel on macOS or iOS, they are leaking hashes and disclosing their details. Right now, the only way to prevent this from happening is to set AirDrop’s discovery setting to “no one” in the system settings and to refrain from opening the sharing pane.

Two years of heightened risk

While the AirDrop feature promoted usability, the weakness of its security algorithm was overlooked. One cybersecurity expert noted that, some can argue that the leaked information is still hashed and hard to crack, but today’s abundance of processing power coupled with the lack of high entropy (randomness) in encrypting phone numbers means that brute force methods can crack such hashes in no time.

Commented Boris Cipot, Senior Security Engineer, Synopsys Software Integrity Group: “What is perhaps even more concerning is that this has been a known issue for two years and no publicly-announced efforts have been made to boost the security around this feature. The leaked information including phone numbers and email addresses, used to identify devices to which users connect, can also be used to tie the owner to services or other points of interest they may want to keep private.”

Cipot said that maintaining a well-structured application is a balancing act in the upholding the concept of the “security triangle” which ties functionality and usability together. Such inter-dependencies between these three attributes in software mean that boosting usability and functionality at the expense of security is not acceptable.

In the meantime, researchers had proposed a more secure implementation of AirDrop called PrivateDrop to Apple, without any gratification.