Paper 2021/893

DEMO: AirCollect: Efficiently Recovering Hashed Phone Numbers Leaked via Apple AirDrop

Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute, and Christian Weinert

Abstract

Apple's file-sharing service AirDrop leaks phone numbers and email addresses by exchanging vulnerable hash values of the user's own contact identifiers during the authentication handshake with nearby devices. In a paper presented at USENIX Security'21, we theoretically describe two attacks to exploit these vulnerabilities and propose "PrivateDrop" as a privacy-preserving drop-in replacement for Apple's AirDrop protocol based on private set intersection. In this demo, we show how these vulnerabilities are efficiently exploitable via Wi-Fi and physical proximity to a target. Privacy and security implications include the possibility of conducting advanced spear phishing attacks or deploying multiple "collector" devices in order to build databases that map contact identifiers to specific locations. For our proof-of-concept, we leverage a custom rainbow table construction to reverse SHA-256 hashes of phone numbers in a matter of milliseconds. We discuss the trade-off between success rate and storage requirements of the rainbow table and, after following responsible disclosure with Apple, we publish our proof-of-concept implementation as "AirCollect" on GitHub.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Minor revision.ACM WiSec 2021
DOI
10.1145/3448300.3468252
Keywords
Hash ReversalRainbow TablePrivacyAppleAirDropiOSmacOS
Contact author(s)
aheinrich @ seemoo tu-darmstadt de
mhollick @ seemoo tu-darmstadt de
schneider @ encrypto cs tu-darmstadt de
mstute @ seemoo tu-darmstadt de
weinert @ encrypto cs tu-darmstadt de
History
2021-07-05: revised
2021-07-01: received
See all versions
Short URL
https://ia.cr/2021/893
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/893,
      author = {Alexander Heinrich and Matthias Hollick and Thomas Schneider and Milan Stute and Christian Weinert},
      title = {DEMO: AirCollect: Efficiently Recovering Hashed Phone Numbers Leaked via Apple AirDrop},
      howpublished = {Cryptology ePrint Archive, Paper 2021/893},
      year = {2021},
      doi = {10.1145/3448300.3468252},
      note = {\url{https://eprint.iacr.org/2021/893}},
      url = {https://eprint.iacr.org/2021/893}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.