SCIENCE & TECHNOLOGY

Apple knew AirDrop users could be identified and tracked as early as 2019, researchers say

Jan 12, 2024, 9:59 AM

A still image frame from the Apple NameDrop tutorial in the "Tips" app found on any iPhone. (Apple ...

A still image frame from the Apple NameDrop tutorial in the "Tips" app found on any iPhone. (Apple Tips)

(Apple Tips)

Washington (CNN) — Security researchers warned Apple as early as 2019 about vulnerabilities in its AirDrop wireless sharing function that Chinese authorities claim they recently used to track down users of the feature, the researchers told CNN, in a case that experts say has sweeping implications for global privacy.

The Chinese government’s actions targeting a tool that Apple customers around the world use to share photos and documents — and Apple’s apparent inaction to address the flaws — revive longstanding concerns by US lawmakers and privacy advocates about Apple’s relationship with China and about authoritarian regimes’ ability to twist US tech products to their own ends.

AirDrop lets Apple users who are near each other share files using a proprietary mix of Bluetooth and other wireless connectivity without having to connect to the internet. The sharing feature has been used by pro-democracy activists in Hong Kong and the Chinese government has cracked down on the feature in response.

A Chinese tech firm, Beijing-based Wangshendongjian Technology, was able to compromise AirDrop to identify users on the Beijing subway accused of sharing “inappropriate information,” judicial authorities in Beijing said this week.

Although Chinese officials portrayed the exploit as an effective law enforcement technique, internet freedom advocates are urging Apple to address the issue quickly and publicly.

“Apple’s response to this situation is crucial,” said Benjamin Ismail, campaign and advocacy director of Greatfire.org, a group that monitors internet censorship in China. “They should either refute the claim or confirm it and immediately work on securing AirDrop against such vulnerabilities. It’s imperative that Apple is transparent about their response to these developments.”

The Chinese claim has alarmed top US lawmakers. Florida Sen. Marco Rubio, the leading Republican on the Senate Intelligence Committee, called on Apple to act swiftly.

“Anyone using an iPhone should be concerned with the security of Apple’s AirDrop function,” Rubio told CNN. “This breach is just another way for Beijing to target any Apple user it perceives to be an opponent. The time to act is now, and Apple must be held accountable for failing to safeguard its users against such blatant security breaches.”

An Apple spokesperson did not respond to multiple emails and phone calls seeking comment.

A group of Germany-based researchers at the Technical University of Darmstadt, who first discovered the flaws in 2019, told CNN Thursday they had confirmation Apple received their original report at the time but that the company appears not to have acted on the findings. The same group published a proposed fix for the issue in 2021, but Apple appears not to have implemented it, the researchers said.

One of the researchers, Milan Stute, shared an email with CNN showing a representative of Apple’s product security team acknowledging the researchers’ report in 2019.

Precautions ‘not taken’

Chinese authorities claim they exploited the vulnerabilities by collecting some of the basic identifying information that must be transferred between two Apple devices when they use AirDrop — data including device names, email addresses and phone numbers.

Ordinarily, this information is scrambled for privacy reasons. But, according to a separate 2021 analysis of the Darmstadt research by the UK-based cybersecurity firm Sophos, Apple appeared not to have taken the extra precaution of adding bogus data to the mix to further randomize the results — a process known as “salting.”

That apparent failure allowed the Chinese tech firm to more easily reverse-engineer the original information from the encrypted data, in what seems to be “kind of an amateur mistake” by Apple, said Sascha Meinrath, the Palmer chair in telecommunications at Penn State University. “It certainly merits an explanation from Apple since it would point to a serious flaw in their technology.”

While AirDrop’s device-to-device communications channel is typically protected from third-party snooping by its own layer of security, that wouldn’t shield someone who may have been tricked into connecting with a stranger, perhaps by tapping on a deceptively named device in a list of contacts or by thoughtlessly accepting an unsolicited connection request. This step is required for the sender to be identified, according to security experts.

Once the device-identifying information is exchanged and obtained by an unauthorized third party, the lack of salting would make it straightforward to guess at the correct codes that would unscramble the data, the experts said.

The Chinese tech firm, Wangshendongjian Technology, that claimed to have exploited AirDrop appeared to have used some of the same techniques first identified by the Darmstadt researchers in 2019, said Alexander Heinrich, one of the German researchers.

“As far as we know, Apple did not address the issue so far,” Heinrich told CNN.

Kenn White, an independent security researcher specializing in digital forensics, agreed that what Chinese authorities disclosed about their hack is consistent with what the German researchers found.

“On my read, I’d say this is almost certainly using the same techniques that Heinrich et al published,” White said. “Three plus years and this design flaw appears not to have been addressed.”

Apple under pressure

On the heels of the Chinese claim, Sen. Ron Wyden, an Oregon Democrat and a vocal privacy advocate in Congress, blasted Apple over a “blatant failure” to protect its customers.

“Apple has had four years to fix the security hole in AirDrop that put the privacy and safety of its users at risk,” Wyden said in a statement to CNN. “Apple sat on its hands and did nothing, rather than protect human rights activists who depend on iPhones to share messages the Chinese government doesn’t want people to see.”

The tech firm behind the AirDrop exploit has a history of working closely with Chinese law enforcement and security authorities.

Its parent company is the powerful Chinese cybersecurity firm Qi An Xin, according to corporate database Aiqicha. Qi An Xin was hired to protect the Beijing Winter Olympic Games in 2022 from cyberattacks, according to the official Xinhua news agency.

“Time and again, the Chinese government turns to the private sector to augment its technical capabilities,” Dakota Cary, a China-focused consultant at US cybersecurity firm SentinelOne, told CNN. “This is an important reminder of the offensive role that ostensibly defensive Chinese cybersecurity companies can play.”

It is rare, however, for a government actor such as China to publicly disclose its capabilities, suggesting that the intentional reveal this week speaks to some other motive.

“It’s very much in their interests not to spill their techniques,” White said.

One reason Chinese officials may have wanted their exploit known, said Ismail, is that it could scare dissidents away from using AirDrop.

And now that the Beijing authorities have announced it exploited the vulnerability, Apple may face retaliation from Chinese authorities if the tech firm tries to fix the issue, multiple experts said.

China is the largest foreign market for Apple’s products, with sales there representing about a fifth of the company’s total revenue in 2022. Most of its iPhones are produced in Chinese factories, and Apple could face blowback from Beijing if it moves to close off the loophole.

The revelation of the hack could also give China even more leverage to force Apple to cooperate with the country’s security or intelligence demands, said Ismail, because China can argue Apple is already complicit.

“If Apple had fixed it when it was reported in 2019, it would’ve been a challenging technical problem,” said Matthew Green, a cryptography expert and professor at Johns Hopkins University. “Now that Chinese security agencies are exploiting this vulnerability, it’s a tough political problem for Apple.”


The-CNN-Wire™ & © 2024 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.

KSL 5 TV Live

Science & Technology

A person looking at the NVIDIA Grace Hopper superchip...

Nicole Goodkind, CNN

S&P 500 and Dow hit new highs as Nvidia fervor takes hold of Wall Street

Stocks soared to new highs on Thursday after Nvidia, the third largest company on Wall Street, blew past earnings expectations and bolstered investor optimism on Wall Street.

7 hours ago

This image provided by Intuitive Machines shows its Odysseus lunar lander with the Earth in the bac...

Marcia Dunn, AP Aerospace Writer

Private lander touches down on the moon but sending weak signal

A private lunar lander is circling the moon while aiming for a touchdown near the south pole. A successful landing Thursday would put the U.S. back on the moon's surface for the first time since NASA's famed Apollo moonwalkers, more than 50 years ago.

8 hours ago

FILE: A person scans and downloads an app to start the process of converting their physical driver ...

Michelle Chapman, AP Business Writer

Americans reporting nationwide cellular outages from AT&T, Cricket Wireless and other providers

A number of Americans are dealing with cellular outages on AT&T, Cricket Wireless, Verizon, T-Mobile and other service providers.

16 hours ago

metal container with slides frozen in the bottom...

Laura Ungar, Science Writer

How Alabama court ruling that frozen embryos are children could affect IVF

The Alabama Supreme Court recently ruled that frozen embryos can be considered children under state law. This is raising concerns about how the decision could affect in vitro fertilization, commonly known as IVF.

1 day ago

An Indian Space Research Organisation rocket carrying the Chandrayaan-3 moon lander lifts off from ...

Kristin Fisher and Jackie Wattles, CNN

Why it’s so difficult to land on the moon, even five decades after Apollo

Hundreds of thousands of miles beyond Earth, a phone booth-size spacecraft is en route to take on a challenge no vehicle launched from the United States has attempted in more than 50 years.

1 day ago

Varda capsule reentry drawing...

Collin Leonard, KSL.com

Varda capsule to land in Utah desert in historic first for commercial space programs

A small capsule is set to touchdown in Utah's west desert on Wednesday, bringing with it important data collected in space by a California-based company.

1 day ago

Sponsored Articles

Modern chandelier hanging from a white slanted ceiling with windows in the backgruond...

Lighting Design

Light Up Your Home With These Top Lighting Trends for 2024

Check out the latest lighting design trends for 2024 and tips on how you can incorporate them into your home.

Technician woman fixing hardware of desktop computer. Close up....

PC Laptops

Tips for Hassle-Free Computer Repairs

Experiencing a glitch in your computer can be frustrating, but with these tips you can have your computer repaired without the stress.

Close up of finger on keyboard button with number 11 logo...

PC Laptops

7 Reasons Why You Should Upgrade Your Laptop to Windows 11

Explore the benefits of upgrading to Windows 11 for a smoother, more secure, and feature-packed computing experience.

Stylish room interior with beautiful Christmas tree and decorative fireplace...

Lighting Design

Create a Festive Home with Our Easy-to-Follow Holiday Prep Guide

Get ready for festive celebrations! Discover expert tips to prepare your home for the holidays, creating a warm and welcoming atmosphere for unforgettable moments.

Battery low message on mobile device screen. Internet and technology concept...

PC Laptops

9 Tips to Get More Power Out of Your Laptop Battery

Get more power out of your laptop battery and help it last longer by implementing some of these tips from our guide.

Users display warnings about the use of artificial intelligence (AI), access to malicious software ...

Les Olson

How to Stay Safe from Cybersecurity Threats

Read our tips for reading for how to respond to rising cybersecurity threats in 2023 and beyond to keep yourself and your company safe.

Apple knew AirDrop users could be identified and tracked as early as 2019, researchers say