Three AirDrop vulnerabilities discovered, with Apple working on a full fix
Key Points:
- Security researchers have uncovered three AirDrop vulnerabilities affecting iPhone and Mac, with similar issues also identified in Android’s Quick Share, allowing attackers to crash multiple Apple services remotely.
- An attacker within 10 to 30 meters can exploit these flaws without pairing, contact exchange, or shared networks, targeting devices set to receive from “Everyone” and causing AirDrop, AirPlay, Handoff, Universal Clipboard, and Continuity Camera to become unavailable.
- The attack triggers crashes through a Swift fatalError in the code handling incoming web requests, and repeated requests can sustain the service disruption, though no user data is compromised.
- Security expert Arash Ebrahim notes these vulnerabilities stem from inherent challenges in proximity-based protocols that process attacker-controlled inputs before user authentication, affecting multiple platforms.
- Apple has fixed one of the AirDrop vulnerabilities and assigned it a CVE identifier, while the other two remain under coordinated disclosure with details withheld until patches are released.