Apple products might cost a small fortune, but one neat thing about its ecosystem is it’s easy to seamlessly share files between devices. Except according to a newly published report, there might be a creepy downside to all that convenience. If you’ve got Bluetooth enabled and use AirDrop or share your wifi passwords, anyone with a bit of know-how can nab your actual phone number.
Google’s Project Zero Finds Six ‘Interactionless’ iOS Vulnerabilities in iMessage App
Apple released bug fixes for five major security issues in iOS that can be exploited via its…
Read more Read
While Apple famously says “What happens on your iPhone, stays on your iPhone”, sharing features inevitably require devices to…well share information. That said, AirDrop and wifi password sharing broadcasts a partial SHA256 hash to all devices in your vicinity every time you hit share. That means, the next time you try to AirDrop a cursed photo of say, live-action Sonic the Hedgehog, to your fellow bleary-eyed commuters on the train, you could also be broadcasting your actual phone number to anyone smart enough to scoop it up. Meanwhile, password sharing includes partial hashes of not only your phone number but also your AppleID and email. You can see it in action in the video below.
Hexway, the cybersecurity researchers that wrote the initial report, also included the scripts in its white paper. Ars Technica, which initially spotted Hexway’s report, noted a researcher used Hexway’s scripts to then scoop up details of over a dozen iPhones and Apple Watches in a bar in just a minute or two. That result isn’t entirely surprising, but it’s not exactly comforting either.
Gizmodo reached out to Apple for comment about whether it was aware of the issue and if it had plans to address it, and we’ll update if we hear back.
The annoying thing is there’s not really a way around this, other than to disable Bluetooth on your phone when you’re out in public. Even so, it’s hard to ding Apple too much on this. Apple using partial hashes is an indication it’s at least trying to protect customer privacy; it’s just that features like AirDrop inherently require you to share personal data. That said, if this bugs you out, it’s easily avoidable—just turn off AirDrop and don’t share wifi passwords when in environments you don’t trust. It may be irksome, but it’s also a handy reminder that convenience often comes at the cost of privacy.