Recent research has uncovered significant security vulnerabilities in Apple’s AirDrop and Samsung’s Quick Share, two widely used file-sharing features. Conducted by Arash Ale Ebrahim and Nils Ole Tippenhauer from the CISPA Helmholtz Center for Information Security, the study identifies six distinct flaws that could be exploited by attackers within wireless range.
Exploiting Wireless Range Vulnerabilities
With a simple laptop, attackers can exploit these vulnerabilities to crash the sharing services on Macs and iPhones set to accept files from anyone. This attack requires no prior connection or interaction from the target device. Quick Share, on the other hand, shows weaknesses in bypassing session checks, affecting Samsung devices and Google’s Quick Share app for Windows.
The vulnerabilities impact an ecosystem of over five billion Apple and Android devices. However, the research focused on specific implementations and versions, with the findings detailed in a new research paper by the CISPA Helmholtz Center.
Patch Deployments and Ongoing Investigations
Efforts to address these security issues are underway. Apple has patched one of the three identified AirDrop bugs, while Google has rewarded a bounty for the Windows vulnerability and implemented a code fix. Samsung’s issues remain under investigation, with no public exploitation reports yet.
These vulnerabilities, particularly in Apple’s ecosystem, can crash a variety of services, including AirPlay and Handoff, by targeting the ‘sharingd’ background service. The most straightforward attack involves sending malformed requests to devices set to receive from ‘Everyone,’ causing crashes that persist as long as the attack continues.
Local Impact and Security Recommendations
The attack range is limited to local areas, requiring the attacker to be within 10 to 30 meters or on the same local network. Despite this, locations like airports or conferences could see multiple devices affected by a single assailant.
To mitigate risks, users are advised to update their devices with the latest patches. Apple users should limit AirDrop to ‘Contacts Only’ or turn it off, while Quick Share users should disable ‘Everyone’ visibility when not actively receiving files and update their Windows app with Google’s latest fix.
These findings highlight the persistent challenge of securing code that interfaces with networks and underscore the importance of robust initial security measures. As Google rolls out AirDrop interoperability for Quick Share, these vulnerabilities present a timely reminder of the need for vigilance in digital interactions.
