Apple knew AirDrop users could be identified and tracked as early as 2019, researchers say
Security researchers have disclosed that they warned Apple about potential vulnerabilities in its AirDrop wireless sharing feature as early as 2019. These vulnerabilities were reportedly exploited by Chinese authorities, sparking concerns about global privacy implications. The Chinese government’s recent use of AirDrop to track down users has raised questions about Apple’s response and its relationship with China.
AirDrop is a popular feature among Apple users that allows them to share files using a proprietary blend of Bluetooth and wireless connectivity when they are in close proximity to each other without the need for an internet connection. It has been utilized by pro-democracy activists in Hong Kong, leading to the Chinese government’s crackdown on the feature.
Beijing-based tech firm Wangshendongjian Technology successfully compromised AirDrop to identify users accused of sharing “inappropriate information” on the Beijing subway, according to judicial authorities in Beijing. While Chinese officials portray this as an effective law enforcement tool, advocates for internet freedom are urging Apple to address the issue promptly and transparently.
Benjamin Ismail, the campaign and advocacy director of Greatfire.org, a group that monitors internet censorship in China, emphasized the importance of Apple’s response. He stated, “Apple’s response to this situation is crucial. They should either refute the claim or confirm it and immediately work on securing AirDrop against such vulnerabilities. Apple must be transparent about their response to these developments.”
This situation has raised concerns among US lawmakers, with Senator Marco Rubio, the leading Republican on the Senate Intelligence Committee, calling on Apple to take swift action. He expressed worry about the security of Apple’s AirDrop function and criticized Apple for not adequately safeguarding its users against potential security breaches.
Despite the researchers’ warning in 2019 and their proposed fix for the issue in 2021, it appears that Apple has still not addressed the vulnerabilities. Milan Stute, one of the researchers from Germany-based Technical University of Darmstadt, shared an email confirming that Apple’s product security team had received their original report in 2019 but had yet to act on the findings.
As of now, Apple has yet to respond to multiple requests for comment on the matter. The revelations about AirDrop’s security vulnerabilities and their exploitation by Chinese authorities raise important questions about the intersection of technology, privacy, and international politics.
Apple Precautions ‘not taken’
Chinese authorities allege that they exploited vulnerabilities by gathering essential identifying information that is normally exchanged between two Apple devices during AirDrop usage. This data includes device names, email addresses, and phone numbers, and it is typically scrambled for privacy protection. However, a separate 2021 analysis conducted by the UK-based cybersecurity firm Sophos revealed that Apple did not take the additional precaution of introducing fake data, a process known as “salting,” to randomize the results further.
This apparent oversight made it easier for the Chinese tech firm to reverse-engineer the original information from the scrambled data, a lapse that Sascha Meinrath, the Palmer chair in telecommunications at Penn State University, described as “kind of an amateur mistake” by Apple. This situation warrants an explanation from Apple as it could indicate a significant flaw in their technology.
While AirDrop’s device-to-device communication channel typically has its own security measures to protect against third-party eavesdropping, it does not shield users who may have unwittingly connected with a stranger, such as by tapping on a device with a deceptive name in their contact list or accepting an unsolicited connection request. This connection step is crucial for identifying the sender, according to security experts.
Once unauthorized third parties obtain the exchanged device-identifying information, the absence of salting makes it relatively straightforward to guess the correct codes needed to unscramble the data, according to experts.
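The effect of the missing salt described above can be checked from the defender's side with a short added example; it is not code from Apple, Sophos or the Darmstadt researchers. SHA-256, the 16-byte salt and the fictional 555-01xx phone numbers are assumptions made for illustration, since the article does not name the scrambling function.

```python
import hashlib
import secrets

# Constructed sample: a deliberately tiny space of fictional numbers (555-01xx range).
CANDIDATES = [f"+1202555{n:04d}" for n in range(100, 200)]


def unsalted_digest(identifier: str) -> str:
    """Digest of the identifier alone (SHA-256 is an assumption, not from the article)."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def salted_digest(identifier: str, salt: bytes) -> str:
    """Digest of a fresh random salt followed by the identifier."""
    return hashlib.sha256(salt + identifier.encode()).hexdigest()


def build_table(candidates):
    """One-off table of digest -> identifier; reusable only if digests never vary."""
    return {unsalted_digest(c): c for c in candidates}


def audit(identifier: str) -> dict:
    """Compare both schemes across two separate exchanges by the same device."""
    table = build_table(CANDIDATES)
    u1, u2 = unsalted_digest(identifier), unsalted_digest(identifier)
    s1 = salted_digest(identifier, secrets.token_bytes(16))
    s2 = salted_digest(identifier, secrets.token_bytes(16))
    return {
        # Same value every time: the digest itself works as a stable tracking tag.
        "unsalted_linkable": u1 == u2,
        # A table computed once maps the digest straight back to the identifier.
        "unsalted_in_table": table.get(u1),
        # A fresh salt gives a different value per exchange ...
        "salted_linkable": s1 == s2,
        # ... so the precomputed table no longer contains it.
        "salted_in_table": table.get(s1),
    }


if __name__ == "__main__":
    for name, value in audit("+12025550142").items():
        print(f"{name}: {value}")
```

A salt removes the reusable table and the stable tracking value, but it does not enlarge a small identifier space such as phone numbers, so a design review should also ask who is allowed to receive the digest at all.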
Wangshendongjian Technology, the Chinese tech firm claiming to have exploited AirDrop, appeared to employ techniques first identified by the Darmstadt researchers in 2019, as noted by Alexander Heinrich, one of the German researchers.
“To the best of our knowledge, Apple has not yet addressed this issue,” Heinrich said.
Kenn White, an independent security researcher specializing in digital forensics, concurred that the details disclosed by Chinese authorities align with the findings of the German researchers.
“In my assessment, it is highly likely that the Chinese authorities are using the same techniques that Heinrich et al. published,” White remarked. “Over three years have passed, and this design flaw appears to remain unaddressed.”
Apple under pressure
Following China’s assertion, Senator Ron Wyden, a prominent privacy advocate from Oregon and a member of the Democratic party, strongly criticized Apple for what he termed a “blatant failure” in safeguarding its customers.
In a statement, Wyden expressed, “Apple had ample time, four years, to rectify the security vulnerability in AirDrop, which jeopardized the privacy and safety of its user base. Instead of taking action, Apple remained inactive, neglecting to protect human rights activists who rely on iPhones to share messages that the Chinese government seeks to suppress.”
The entity responsible for the AirDrop vulnerability has a track record of close collaboration with Chinese law enforcement and security authorities.
According to the corporate database Aiqicha, its parent company is the influential Chinese cybersecurity firm Qi An Xin, which was hired to enhance cybersecurity measures for the 2022 Beijing Winter Olympic Games, as reported by the official Xinhua news agency.
Dakota Cary, a China-focused consultant at the US cybersecurity firm SentinelOne, noted, “Time and again, the Chinese government seeks assistance from the private sector to bolster its technical capabilities. This underscores the significant offensive potential of ostensibly defensive Chinese cybersecurity firms.”
However, it is unusual for a government entity like China to publicly disclose its capabilities, hinting at an underlying motive behind this week’s intentional revelation.
White, an expert in the field, pointed out, “It is very much in their interest to safeguard their techniques.”
One possible reason for China’s decision to make the exploit known, suggested Ismail, could be to deter dissidents from using AirDrop.
With Beijing authorities acknowledging the exploitation of this vulnerability, Apple may encounter reprisals from Chinese authorities if the tech company attempts to address the issue, according to multiple experts.
China constitutes the largest foreign market for Apple’s products, with sales in the country accounting for approximately one-fifth of the company’s total revenue in 2022. Most of Apple’s iPhones are manufactured in Chinese factories, making it vulnerable to repercussions if it moves to close the loophole.
Ismail also noted that the disclosure of the hack could give China additional leverage in compelling Apple to cooperate with the country’s security or intelligence requests, as China can argue that Apple is already complicit.
Matthew Green, a cryptography expert and professor at Johns Hopkins University, remarked, “Had Apple addressed this issue when it was first reported in 2019, it would have been a challenging technical problem. Now that Chinese security agencies are exploiting this vulnerability, it has become a challenging political problem for Apple.”