Apple knew AirDrop users could be identified and tracked as early as 2019, researchers say

Jan 12, 2024, 9:59 AM

A still image frame from the Apple NameDrop tutorial in the "Tips" app found on any iPhone. (Apple Tips)

Washington (CNN) — Security researchers warned Apple as early as 2019 about vulnerabilities in its AirDrop wireless sharing function that Chinese authorities claim they recently used to track down users of the feature, the researchers told CNN, in a case that experts say has sweeping implications for global privacy.

The Chinese government’s actions targeting a tool that Apple customers around the world use to share photos and documents — and Apple’s apparent inaction to address the flaws — revive longstanding concerns by US lawmakers and privacy advocates about Apple’s relationship with China and about authoritarian regimes’ ability to twist US tech products to their own ends.

AirDrop lets Apple users who are near each other share files using a proprietary mix of Bluetooth and other wireless connectivity without having to connect to the internet. The sharing feature has been used by pro-democracy activists in Hong Kong and the Chinese government has cracked down on the feature in response.

A Chinese tech firm, Beijing-based Wangshendongjian Technology, was able to compromise AirDrop to identify users on the Beijing subway accused of sharing “inappropriate information,” judicial authorities in Beijing said this week.

Although Chinese officials portrayed the exploit as an effective law enforcement technique, internet freedom advocates are urging Apple to address the issue quickly and publicly.

“Apple’s response to this situation is crucial,” said Benjamin Ismail, campaign and advocacy director of, a group that monitors internet censorship in China. “They should either refute the claim or confirm it and immediately work on securing AirDrop against such vulnerabilities. It’s imperative that Apple is transparent about their response to these developments.”

The Chinese claim has alarmed top US lawmakers. Florida Sen. Marco Rubio, the leading Republican on the Senate Intelligence Committee, called on Apple to act swiftly.

“Anyone using an iPhone should be concerned with the security of Apple’s AirDrop function,” Rubio told CNN. “This breach is just another way for Beijing to target any Apple user it perceives to be an opponent. The time to act is now, and Apple must be held accountable for failing to safeguard its users against such blatant security breaches.”

An Apple spokesperson did not respond to multiple emails and phone calls seeking comment.

A group of Germany-based researchers at the Technical University of Darmstadt, who first discovered the flaws in 2019, told CNN Thursday they had confirmation Apple received their original report at the time but that the company appears not to have acted on the findings. The same group published a proposed fix for the issue in 2021, but Apple appears not to have implemented it, the researchers said.

One of the researchers, Milan Stute, shared an email with CNN showing a representative of Apple’s product security team acknowledging the researchers’ report in 2019.

Precautions ‘not taken’

Chinese authorities claim they exploited the vulnerabilities by collecting some of the basic identifying information that must be transferred between two Apple devices when they use AirDrop — data including device names, email addresses and phone numbers.

Ordinarily, this information is scrambled for privacy reasons. But, according to a separate 2021 analysis of the Darmstadt research by the UK-based cybersecurity firm Sophos, Apple appeared not to have taken the extra precaution of adding bogus data to the mix to further randomize the results — a process known as “salting.”

That apparent failure allowed the Chinese tech firm to more easily reverse-engineer the original information from the encrypted data, in what seems to be “kind of an amateur mistake” by Apple, said Sascha Meinrath, the Palmer chair in telecommunications at Penn State University. “It certainly merits an explanation from Apple since it would point to a serious flaw in their technology.”

While AirDrop’s device-to-device communications channel is typically protected from third-party snooping by its own layer of security, that wouldn’t shield someone who may have been tricked into connecting with a stranger, perhaps by tapping on a deceptively named device in a list of contacts or by thoughtlessly accepting an unsolicited connection request. This step is required for the sender to be identified, according to security experts.

Once the device-identifying information is exchanged and obtained by an unauthorized third party, the lack of salting would make it straightforward to guess at the correct codes that would unscramble the data, the experts said.
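An added illustration of the salting point above (not code from the article, Apple or the researchers). It assumes SHA-256 as the scrambling function and a constructed space of 10,000 made-up numbers under the unassigned +999 prefix, and compares what a precomputed table recovers from an unsalted versus a salted digest.

```python
import hashlib
import secrets


def candidate_numbers():
    # Constructed identifier space: 10,000 made-up numbers under the
    # unassigned +999 prefix. Real phone-number spaces are larger but
    # still small enough to enumerate.
    return [f"+999555{n:04d}" for n in range(10_000)]


def unsalted_digest(number):
    # Same input always yields the same digest.
    return hashlib.sha256(number.encode()).hexdigest()


def salted_digest(number, salt):
    # A fresh random salt per record changes the digest every time.
    return hashlib.sha256(salt + number.encode()).hexdigest()


def build_lookup_table(numbers):
    # One-time precomputation, reusable against every unsalted digest.
    return {unsalted_digest(n): n for n in numbers}


def compare(number="+9995550142"):
    """Check one constructed number against the precomputed table."""
    table = build_lookup_table(candidate_numbers())
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        # Unsalted: the table maps the digest straight back to the number.
        "unsalted_recovered": table.get(unsalted_digest(number)),
        # Unsalted: two sightings of the same number are linkable.
        "unsalted_linkable": unsalted_digest(number) == unsalted_digest(number),
        # Salted: the precomputed table no longer matches.
        "salted_recovered": table.get(salted_digest(number, salt_a)),
        # Salted: two sightings of the same number look unrelated.
        "salted_linkable": salted_digest(number, salt_a)
        == salted_digest(number, salt_b),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

A salt removes the reusable table and the linkability across records; because the identifier space is small, a design that must hide such identifiers needs more than a salt alone.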

Wangshendongjian Technology, the Chinese tech firm that claimed to have exploited AirDrop, appeared to have used some of the same techniques first identified by the Darmstadt researchers in 2019, said Alexander Heinrich, one of the German researchers.

“As far as we know, Apple did not address the issue so far,” Heinrich told CNN.

Kenn White, an independent security researcher specializing in digital forensics, agreed that what Chinese authorities disclosed about their hack is consistent with what the German researchers found.

“On my read, I’d say this is almost certainly using the same techniques that Heinrich et al published,” White said. “Three plus years and this design flaw appears not to have been addressed.”

Apple under pressure

On the heels of the Chinese claim, Sen. Ron Wyden, an Oregon Democrat and a vocal privacy advocate in Congress, blasted Apple over a “blatant failure” to protect its customers.

“Apple has had four years to fix the security hole in AirDrop that put the privacy and safety of its users at risk,” Wyden said in a statement to CNN. “Apple sat on its hands and did nothing, rather than protect human rights activists who depend on iPhones to share messages the Chinese government doesn’t want people to see.”

The tech firm behind the AirDrop exploit has a history of working closely with Chinese law enforcement and security authorities.

Its parent company is the powerful Chinese cybersecurity firm Qi An Xin, according to corporate database Aiqicha. Qi An Xin was hired to protect the Beijing Winter Olympic Games in 2022 from cyberattacks, according to the official Xinhua news agency.

“Time and again, the Chinese government turns to the private sector to augment its technical capabilities,” Dakota Cary, a China-focused consultant at US cybersecurity firm SentinelOne, told CNN. “This is an important reminder of the offensive role that ostensibly defensive Chinese cybersecurity companies can play.”

It is rare, however, for a government actor such as China to publicly disclose its capabilities, suggesting that the intentional reveal this week speaks to some other motive.

“It’s very much in their interests not to spill their techniques,” White said.

One reason Chinese officials may have wanted their exploit known, said Ismail, is that it could scare dissidents away from using AirDrop.

And now that the Beijing authorities have announced they exploited the vulnerability, Apple may face retaliation from Chinese authorities if the tech firm tries to fix the issue, multiple experts said.

China is the largest foreign market for Apple’s products, with sales there representing about a fifth of the company’s total revenue in 2022. Most of its iPhones are produced in Chinese factories, and Apple could face blowback from Beijing if it moves to close off the loophole.

The revelation of the hack could also give China even more leverage to force Apple to cooperate with the country’s security or intelligence demands, said Ismail, because China can argue Apple is already complicit.

“If Apple had fixed it when it was reported in 2019, it would’ve been a challenging technical problem,” said Matthew Green, a cryptography expert and professor at Johns Hopkins University. “Now that Chinese security agencies are exploiting this vulnerability, it’s a tough political problem for Apple.”

The-CNN-Wire™ & © 2024 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.
