Security researchers have just uncovered flaws in Apple AirDrop and Android's Quick Share that could be exploited by hackers from as far as 30 meters (98.4 feet) away. Apparently, the severity of these security flaws means up to five billion active devices could be at risk.
Researchers at the CISPA Helmholtz Center for Information Security uncovered the issues after taking apart AirDrop and Quick Share to see how Android and iOS deal with wireless transfers. Each transfer system runs as a "highly privileged service in the background" which then wakes up when a second compatible device comes into its vicinity.
This is due to the fact that both systems are designed to run seamlessly, and in the process sacrifice security for convenience. The exploits run differently on each platform, though. They are different protocols, despite recent changes that offer interconnectivity, so that makes a lot of sense.
How the flaws work
For Apple, the bug takes advantage of the background daemon that has control over AirDrop, AirPlay, Handoff, Continuity Camera and Apple's universal clipboard. A single malformed request can crash the whole system, and should a hacker repeatedly continue making those requests, they can lock down all those features and effectively hold your devices hostage.
For Quick Share, researchers tested a connection between the Galaxy S23 Ultra and the Quick Share app on Windows. During this, they were able to uncover logic bypasses that allowed attackers to skip over authentication steps. This means that hackers can force a connection over Quick Share, keep it alive and feed the server attacker-supplied addresses.
Despite the fact that the two protocols don't share any code, the root cause of these security flaws is the same. As researchers put it, "security-critical invariants were not enforced at a single boundary." Essentially, the push to make AirDrop and Quick Share more convenient meant that background processes ended up being exposed to hackers before a sender's identity could be verified.
The good news is that these attacks aren't putting your personal data at risk. Instead, they allow attackers to deny your ability to use certain features so long as they remain in close-enough proximity. This is more of a nuisance than anything else, though depending on where you are and what you're doing, it might just be enough to ruin your workflow.
What happens next?
Thankfully it doesn't have to be an issue for you. Apple has apparently fixed one of the three bugs uncovered by researchers, while Google has released a fix for the Quick Share client on Windows. All the other fixes are still in some stage of development, but should hopefully arrive fairly soon.
In the meantime, there are things you can do to keep yourself safe. Regardless of whether the fixes roll out or not, it's always a good idea to keep these sorts of features locked down and not accessible to everyone in the immediate area.
iPhone users should head into Settings > General > AirDrop and either turn receiving off or switch it to contacts only. Android users can do the same by heading to Quick Share and setting the Who can share with you option to either contacts or your own devices. Plus, make sure to keep your phone's software fully up to date whenever a new update rolls out to your phone.