The Cryptography behind AirDrop
• public
Table of contents
I decided to write some articles about the cryptography background of some stuff we use daily, to understand how it works.
These articles will be technical, but in a way that anybody, even without a math or cryptography background can easily understand.
I'm also not an expert on the subject, so feel free to correct me if I'm wrong on some definitions or parts.
What is AirDrop?
First of all, for those who are not in the Apple ecosystem, Airdrop is a service proposed by Apple to share files between different devices ( in the Apple ecosystem of course ).
It can be used to simply send pictures or files to anyone near you by simply sharing the file, without having data. And we will dig deep into how this can work and how this is secure or not.
If you want to send a picture to someone, you will get this page to select the people near you to send it :
And when another person receives the file, it will receive a notification like
There are also different modes you can select in the settings. You can simply set the Receiving to off and no one will be able to send you something.
You also have the Contact mode, and only the people in your contact list will be able to send you a file. Finally, the Everyone for 10 Minutes mode will let anyone send you a file during a time frame of 10 minutes before going back to the other setting.
But how this can be secure? You need to send your identity to other people to be able to see you and send you files. How this is handled?
I often use AirDrop, mainly to send myself pictures or files from my iPhone to my Mac, or simply to share pictures with friends, and knowing how it works is very interesting as knowing if it's possible to hack it.
The technical background of AirDrop
To send a file to someone, here is how AirDrop will work. You will make a secure connection between you and other people around you. To handle this, Apple uses a proprietary peer-to-peer Wi-Fi protocol called Apple Wireless Direct Link (AWDL) and makes a TLS connection.
Then, it will make a discovery request, sending to others using this connection a list of hashs of your identity related to your Apple ID.
Here, Apple uses SHA-256 and will take your email address and your phone number and compute the hash of them. So if your identity is :
- [email protected]
- +44234987092
It will send the following list of hash :
- c8e9aed41fab99760860f3bed8571aec1c2b7d3a137d70b00794bf68f7139d45
- b2cdd1c48dd8f36320d079dbd9338207720dd19570b789212db0d6bab47bfcb1
( In reality, it will truncate the hash, but for simplicity let's keep the whole size )
Then, the receiver will also compute the hash of all of his contacts and compare the result with the hashes of the sender. If he finds a match, then the receiver has the sender in his contact, so he can accept the files and send to to sender his identity.
Finally, using the secure connection, the sender can send the file to the receiver. And if the receiver doesn't find the hash in his contact list, the connection is aborted.
It looks simple, isn't it ? But how can we exploit this behavior? Is it really secure?
Is it anonymous?
Apple stands a lot for privacy, but looking at how this protocol is made, there is an issue with that, and it's the Chinese government that found it back in the beginning of 2024.
A Bloomberg report covered how the Chinese were able to extract sensitive information from AirDrop. Here was the problem at first :
In the subway, anyone was able to send any file or picture to strangers, thinking that this was anonymous and no one could trace them. And it was a pain, especially in China, where this was mainly used to send pictures to strangers.
The authorities decided to find a way to leak the identity of these users, but how?
As the sender sends his phone number and email hashed, you can simply hash every possible phone number or a lot of leaked emails or knew ones and make a database of it. Using it, you can then simply compare the hash received with those in the database and discover the phone number behind the sender without having it in your contact list.
This is called a Rainbow Table and it's used in other different attacks. So for the Chinese Authorities, it was simple to compute a database of all the hash of all the Chinese phone numbers as there are only a billion possibilities for the phone numbers, and then they were able to find the phone numbers of people sending dick pick in the subway.
After that, Apple decided to limit the Everyone mode to only 10 minutes and set the default mode to Contact Only, but this is not the best solution to avoid this attack.
How to protect against that?
From a personal perspective, you can't do anything except deactivate AirDrop or have a nonguessable email ( even if the phone number is still concerned ).
But there are cryptographic solution to avoid this issue and this is called Private Set Intersection ( PSI ) which is a protocol to handle this type of issue.
Using a PSI, Apple can fix this. This protocol will not leak any data to be found using Rainbow Tables and the receiver and sender will only be able to communicate if both are in contact with each other.
And if you want to know more about how it's possible, you can read the whole paper and slides made by the Darmstadt team who discovered this attack.
They also made a protocol named PrivateDrop that can be used to secure it and there is also an open-source alternative to AirDrop that uses it.
But why Apple didn't implement it on AirDrop? No one knows, but some people say that this is for political reasons with the Chinese government fighting the sender, or because this can be hard to implement worldwide, who knows?
I hope that you like this kind of article. Feel free to tell me if you want more stuff like that, I love making searches about tools we use every day to understand how this works and how can we attack it, to protect us and know what we use.
References
Matthew Green
Sead Fadilpašić
- https://www.usenix.org/system/files/sec21-heinrich.pdf
- https://www.usenix.org/system/files/sec21_slides_heinrich-alexander_0.pdf
