A Chinese state institution has exploited a security vulnerability in AirDrop. The institution stated that it analyzed iPhone device records to create a rainbow table, which allows it to convert secret hash values back into the text of the phone numbers and email accounts of AirDrop users. According to the institution, this process will assist public safety authorities in identifying criminals who use AirDrop to disseminate illegal content.
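Why hashing a phone number does not hide it, as an added example that is not from the original article: it uses a plain precomputed lookup table rather than a true rainbow table's hash chains. SHA-256, the `+0055501` prefix and the 10,000-number space are constructed assumptions, since the article does not name the hash or the number range.

```python
import hashlib
import os

# Constructed toy identifier space: 10,000 numbers under a made-up prefix.
# Real numbering plans are larger but still small enough to enumerate.
PREFIX = "+0055501"  # hypothetical, not a real numbering plan


def identifier_space():
    """Yield every identifier in the constructed space."""
    for n in range(10_000):
        yield f"{PREFIX}{n:04d}"


def unsalted_digest(identifier: str) -> str:
    # Assumption: SHA-256 stands in for the hash the article leaves unnamed.
    return hashlib.sha256(identifier.encode()).hexdigest()


def salted_digest(identifier: str, salt: bytes) -> str:
    # A random per-record salt means a table built in advance never matches.
    # It only defeats precomputation: anyone who learns the salt can still
    # enumerate a space this small, so low-entropy identifiers need a design
    # that does not hand their digests to untrusted parties at all.
    return hashlib.sha256(salt + identifier.encode()).hexdigest()


def build_lookup_table() -> dict:
    """Precompute digest -> identifier once; it applies to every record."""
    return {unsalted_digest(i): i for i in identifier_space()}


def recover(digest: str, table: dict):
    """Return the identifier behind a digest, or None if it is not in the table."""
    return table.get(digest)


def demo():
    table = build_lookup_table()
    sample = f"{PREFIX}4242"  # constructed sample identifier
    from_unsalted = recover(unsalted_digest(sample), table)
    from_salted = recover(salted_digest(sample, os.urandom(16)), table)
    return from_unsalted, from_salted


if __name__ == "__main__":
    print(demo())
```

For anyone reviewing logs or telemetry, the practical consequence is that a field holding an unsalted hash of a phone number or email address should be handled as if it held the identifier itself.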
It is unknown whether a state institution had exploited the security vulnerability in the AirDrop protocol before, but this is not the first vulnerability to be discovered. In April 2021, German researchers found that the mutual authentication mechanism, which confirms that the sender and receiver are in each other's address books, could be used to expose private information. However, Apple did not address this vulnerability.
As a reminder, Apple restricted the use of AirDrop on devices in China in November 2022 after observing political use by anti-government activists. AirDrop was limited to only individuals by default, and the option to share with everyone was restricted to 10 minutes. With the release of iOS 16.2, this limitation began to apply to users worldwide.
