Researchers discover AirDrop is leaking part of your phone number

Apple’s AirDrop is undeniably convenient for sending photos, videos, links, and more between iPhones, iPads, and Macs. But there’s one thing you probably didn’t know AirDrop’s sharing: part of your phone number, which in the wrong hands, could be used to recover your full digits.

Security researchers at Hexway (via Ars Technica) have discovered a “flaw” in AirDrop that can used to obtain unsuspecting iPhone users’ phone numbers using software installed on a laptop and a Bluetooth and WiFi adapter to sniff them out.

Because of the way AirDrop works — it uses Bluetooth LE (Low Energy) to create a peer-to-peer WiFi network between devices for sharing — it broadcasts partial hashes of an iPhone user’s phone number in order establish the device as a sending/receiving contact when sending a file.

More serious is if you use Apple’s WiFi password sharing feature, you’re exposing hashed parts of your phone number, but also your Apple ID and email address.

Now, although AirDrop’s only beaming partial hashes – a.k.a. some numbers and letters that have been scrambled (Hexway says only the “first 3 bytes of the hashes” are broadcast) — the researchers concluded that there’s “enough to identify your phone number” if somebody really wanted to do it.

The researchers shared one scenario in which a hacker could secretly sniff out iPhone users’ phone numbers:

– Create a database of SHA256(phone_number):phone_number for their region; e.g., for Los Angeles it’s: (+1-213-xxx-xxxx, +1-310-xxx-xxxx, +1-323-xxx-xxxx, +1-424-xxx-xxxx, +1-562-xxx-xxxx, +1-626-xxx-xxxx, +1-747-xxx-xxxx, +1-818-xxx-xxxx, +1-818-xxx-xxxx)

– Run a special script on the laptop and take a subway train

– When somebody attempts to use AirDrop, get the sender’s phone number hash

– Recover the phone number from the hash

– Contact the user in iMessage; the name can be obtained using TrueCaller or from the device name, as it often contains a name, e.g., John’s iPhone).

Errata Security CEO Rob Graham confirmed to Ars Technica Hexway’s software, shared to GitHub, does indeed work. “It’s not too bad, but it’s still kind of creepy that people can get the status information, and getting the phone number is bad.”

Scary as this “flaw” appears, it’s very unlikely anyone will go through these lengths to recover your phone number. Hexway’s researchers even admit that the partially-shared — and we can’t stress this enough — information is a necessity to how AirDrop works.

“This behavior is more a feature of the work of the ecosystem than vulnerability,” reports Hexway. The researchers further explained that they’ve “detected this behavior in the iOS versions starting from 10.3.1 (including iOS 13 beta).”

Scary as this “flaw” appears, it’s very unlikely anyone will go through these lengths to recover your phone number.

Older iPhones, pre-iPhone 6S, however, appear to be safe based on their findings. 

“Old devices (like all before iPhone 6s) are not sending Bluetooth LE messages continuously even if they have updated OS version,” reports Hexway. “They send only limited number of messages (for example when you navigate to the Wi-Fi settings menu) probably Apple does that to save battery power on an old devices.”

So, how can you stop potential snoopers from sniffing your Bluetooth information out? Turn off Bluetooth. Yes, that means you won’t be able to connect AirPods or an Apple Watch to your iPhone, but if that’s what will help you sleep at night, then it’s the only option. 

We’ve reached to Apple for comment on Hexway’s security findings and will update this story if we receive a response.