Cryptology ePrint Archive: Report 2021/893

DEMO: AirCollect: Efficiently Recovering Hashed Phone Numbers Leaked via Apple AirDrop

Alexander Heinrich and Matthias Hollick and Thomas Schneider and Milan Stute and Christian Weinert

Abstract: Apple's file-sharing service AirDrop leaks phone numbers and email addresses by exchanging vulnerable hash values of the user's own contact identifiers during the authentication handshake with nearby devices. In a paper presented at USENIX Security'21, we theoretically describe two attacks to exploit these vulnerabilities and propose "PrivateDrop" as a privacy-preserving drop-in replacement for Apple's AirDrop protocol based on private set intersection.

In this demo, we show how these vulnerabilities are efficiently exploitable via Wi-Fi and physical proximity to a target. Privacy and security implications include the possibility of conducting advanced spear phishing attacks or deploying multiple "collector" devices in order to build databases that map contact identifiers to specific locations. For our proof-of-concept, we leverage a custom rainbow table construction to reverse SHA-256 hashes of phone numbers in a matter of milliseconds. We discuss the trade-off between success rate and storage requirements of the rainbow table and, after following responsible disclosure with Apple, we publish our proof-of-concept implementation as "AirCollect" on GitHub.

Category / Keywords: cryptographic protocols / Hash Reversal, Rainbow Table, Privacy, Apple, AirDrop, iOS, macOS

Original Publication (with minor differences): ACM WiSec 2021

Date: received 29 Jun 2021, last revised 5 Jul 2021

Contact author: aheinrich at seemoo tu-darmstadt de, mhollick at seemoo tu-darmstadt de, schneider at encrypto cs tu-darmstadt de, mstute at seemoo tu-darmstadt de, weinert at encrypto cs tu-darmstadt de

Available format(s): PDF | BibTeX Citation

Version: 20210705:085713 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]