Apple has an easy transfer feature between users called AirDrop. Unfortunately, AirDrop doesn’t seem very secure and the simple act of opening a share sheet on macOS or iOS is enough to leak a user’s phone number and e-mail address to hackers. AirDrop uses a new technique that uses ad-hoc Wifi and Bluetooth to scan for devices and establish a connection between them. Users have the option of sharing only with their contacts or anyone on Mac or iPhone or not with anyone.
Unfortunately, the flaws security researchers have found don’t even require the use of AirDrop to trigger a leak of personal information. Users only need to start the sharing process which displays the macOS or iOS share sheet. Behind the scenes, AirDrop actually starts scanning the device by broadcasting an encrypted data packet containing the sender’s phone and e-mail address. Its purpose is to check which nearby devices have the sender’s contacts also in order to qualify as
However, the encryption does not appear to be that strong and it is almost too trivial for hackers to carry out brute-force attacks to decrypt numbers and email addresses. Even more worrying, such hackers just have to sit around, waiting for anyone with a Mac, iPhone or iPad to start sharing anything to intercept the data.
These phone numbers and email addresses can then be used for other attacks such as phishing scams. Researchers reportedly disclosed this vulnerability to Apple in 2019 and even provided an open source reference implementation of a more secure alternative.
Quoted from Slash Gears, Monday (26/4/2021), Apple has not replied until now and it may not be trivial to improve an integral part of its macOS and iOS experience.