By Dan Moren
January 16, 2024 5:43 AM PT
AirDrop security weakness exploited by China
Note: This story has not been updated since 2024.
You might have seen a story making the rounds last week that the Chinese government was cracking down on people sending anti-government materials via Apple’s AirDrop feature, having compromised the security of the system.
I wondered, given the transient nature of these interactions, how exactly that was happening—sometimes these stories can be a bit overblown, especially when entities like the Chinese government—which certainly has a vested interest in looking omniscient—are involved.
But as usual, Ars Technica’s Dan Goodin did an excellent deep dive on this issue and helps explain why, yes, this is a real problem:
In 2021, researchers at Germany’s Technical University of Darmstadt reported that they had devised practical ways to crack what Apple calls the identity hashes used to conceal identities while AirDrop determines if a nearby person is in the contacts of another.
The exploit involves the use of colorfully named rainbow tables and relies at least somewhat on the Chinese government’s ability to pre-hash every single phone number in the country, thus making it trivial to use a given identifier and link it to a person.
But, as Goodin points out, Apple has been aware of this vulnerability since 2019 and despite there being options to improve the anonymity, has not made changes to the privacy of this feature. (Apple’s software also apparently keeps logs of prior AirDrop contacts, which is ripe for exploitation if someone gets hold of the physical device—a fact that some security researchers only learned in the course of this story.) Combined with previous AirDrop changes that had negative effects on dissident activity in the country[1] and Apple’s complicated relationship with the Chinese government, it certainly presents an unappetizing picture.
To a certain degree, Apple relies on stories like this staying under the radar. Inaction can be presented as either ignorance or tacit compliance, whereas taking steps to improve the privacy of AirDrop might be construed by Beijing as a challenge to its authority—a sticky situation for Apple, given how much it relies upon its relationship with the country for the production of its devices. But Apple also makes privacy a huge selling point of its devices—a subject of ad campaigns, a highlighted section in virtually every keynote—and the company surely doesn’t want to have to append an asterisk to all of those claims with the footnote “Except in China.”
[1] I still wouldn’t argue that change is a net negative, since it also prevents people from getting spammed with unwanted content, but it was first deployed in China, which certainly merited an eyebrow-raise.
[Dan Moren is the East Coast Bureau Chief of Six Colors, as well as an author, podcaster, and two-time Jeopardy! champion. You can find him on Mastodon at @dmoren@zeppelin.flights or reach him by email at dan@sixcolors.com. His latest novel, the sci-fi spy thriller The Armageddon Protocol, is out now.]