Both AirDrop and Quick Share allow you to send photos and files to a nearby device in seconds without needing to connect to a Wi-Fi network, pair with another device, or even create an account. And since Google brought AirDrop support to Android devices, this ease of sharing has become even more useful. This seamlessness comes from background services that wake up and communicate with nearby devices as soon as they are in range, without the user needing to approve anything. While this is convenient, security researchers at the CISPA Helmholtz Center for Information Security have just shown how this level of trust can leave users’ devices open to exploitation.
According to reports on the research (via Help Net Security), the issues boil down to six potential vulnerabilities that could affect iOS, Android, macOS, and even Windows devices. Three are related to AirDrop, with the main issue centering on sharingd, the daemon that macOS and iOS use to power features like AirPlay, Universal Clipboard, Continuity Camera, and Handoff. The other three are related to Quick Share and the system used by Windows to enable continuity features between Android and PC.
The good news is that each of these vulnerabilities has already been reported to Apple and Google. Two of the vulnerabilities have already been patched, and the other four are still pending official patches. In the meantime, you can protect yourself by changing how your device connects to other devices using AirDrop and Quick Share.
How security researchers broke AirDrop and Quick Share
What makes these vulnerabilities particularly troubling is how AirDrop and Quick Share are designed to work. They are supposed to be seamless, and to achieve this, both systems run privileged services in the background that constantly “listen” for incoming data from other devices. This means that these services must collect and process data from unknown sources before any user intervention is required. Because of how these systems work, researchers note that attackers only need a laptop with Wi-Fi and a location within 10 to 30 meters of any device with AirDrop or Quick Share set to the “Everyone” discovery option.
From there, the attacker only has to issue commands to the services. In the case of AirDrop, the commands essentially create system overhead that causes the sharingd process to crash completely. This stops AirDrop, Continuity Camera, and other services running in the background on any affected device. Things are murkier for Quick Share and Windows users, because the commands issued can bypass security controls due to the design of the system.
Instead of opening with a security key exchange, Quick Share allows three data frames to be read and responded to before the initial security exchange. Subsequently, even if the exchange is stopped, the session keys continue to exist. This allows bad actors to reopen the session, because these three initial frames are sent as unencrypted content. This also affects Windows, creating what researchers call a “use-after-free” error.
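A receiver built to avoid the two behaviours described above, as an added example that is not from the research or from Quick Share's code: it refuses every frame until the key exchange has finished, and it destroys the session key when the session closes. The class, the HMAC tagging and the shared secret (standing in for the output of a real key agreement) are assumptions made for illustration.

```python
import hashlib
import hmac
from enum import Enum, auto


class State(Enum):
    NEW = auto()
    SECURED = auto()
    CLOSED = auto()


class ProtocolError(Exception):
    pass


def make_tag(key: bytes, payload: bytes) -> bytes:
    """Sender side: authenticate a frame with the session key."""
    return hmac.new(key, payload, hashlib.sha256).digest()


class Session:
    """Hypothetical receiver session (not Quick Share's real wire format)."""

    def __init__(self) -> None:
        self.state = State.NEW
        self.key = None

    def key_exchange(self, shared_secret: bytes) -> None:
        # Assumption: shared_secret is the output of a real key agreement.
        if self.state is not State.NEW:
            raise ProtocolError("key exchange needs a fresh session")
        self.key = hashlib.sha256(b"session-key" + shared_secret).digest()
        self.state = State.SECURED

    def receive(self, payload: bytes, tag: bytes) -> bytes:
        # Nothing is parsed or answered until the key exchange has finished.
        if self.state is not State.SECURED:
            self.close()
            raise ProtocolError("frame outside a secured session")
        if not hmac.compare_digest(make_tag(self.key, payload), tag):
            self.close()
            raise ProtocolError("bad authentication tag")
        return payload

    def close(self) -> None:
        # The key dies with the session, so a stopped session cannot reopen.
        self.key = None
        self.state = State.CLOSED
```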
How to protect yourself
As noted above, the best news about all of this – besides the fact that the companies already know about it and are already working on solutions – is that you can protect yourself and your device from any of these problems. When using AirDrop or Quick Share, you can choose to allow sharing with everyone, only with your contacts, or with no one at all. Choosing the Nobody setting (it may be named differently depending on the device and system) is a good way to control all incoming connections, as you’ll need to enable AirDrop or Quick Share when you want to use them.
This can be annoying, especially if you plan to share a lot of photos or files with your loved ones, and this is where the Contacts Only option comes in handy. While walking around with Everyone enabled may seem convenient, it also opens you up to connections with people you don’t know or trust, and with vulnerabilities like these currently active, you’ll want to avoid doing this to protect your device and your privacy. Of course, Apple is working to improve privacy in AirDrop, but it’s always best to be prepared. Even if none of these vulnerabilities actually retrieves data, it is still possible that malicious actors will discover a new vulnerability in the future.
