An organization working with the Chinese government has allegedly cracked the encryption of Apple's AirDrop, a feature used to transfer files between Mac and iOS devices.
According to a statement Monday by the Beijing Municipal Bureau of Justice, the Beijing Wangshendongjian Forensic Appraisal Institute was tasked by the bureau to analyze the device logs of phones submitted for inspection. As a result of this analysis, forensic experts with the institute managed to crack AirDrop encryption that protects the identity of the sender.
"After inspection, it was found that the fields related to the sender's device name, email address, and mobile phone number were recorded in the form of hash values, and some of the hash value fields were hidden," the post, translated by Google Translate, read. "In order to quickly crack this field, the technical team created a detailed 'rainbow table' of mobile phone numbers and email accounts, which can convert the cipher text into original text and quickly lock the sender's mobile phone number and email account."
The bureau claimed such a move was necessary because citizens allegedly reported that their iPhones "received a video with inappropriate remarks in the Beijing subway," and that police found that the suspect used AirDrop to "anonymously spread the inappropriate information in public places."
"Because AirDrop does not require an Internet connection to be delivered, this behavior cannot be effectively monitored through conventional network monitoring methods, which has become a major problem for the public security organs to solve such cases," the bureau said.
The flaw that led to the crack was allegedly reported to Apple in 2019. Thomas Schneider, professor of computer science at German university Technische Universität Darmstadt (TU Darmstadt), wrote on X that the flaw the Beijing Wangshendongjian Forensic Appraisal Institute discovered was reported to Apple by TU Darmstadt researchers in 2019.
Sad to see this exploited now. Our paper contains an efficient protocol & open source implementation to fix this vulnerability via #PSI. We'd be happy to see/help @Apple integrate this. https://t.co/DSNfVnz9Ww @CW31n3r7 @ENCRYPTO_Group @seemoolab @CYSEC_Darmstadt @CS_TUDarmstadt
— Thomas Schneider (@tschneider_DA) January 10, 2024
According to a site dedicated to the initial research, the Beijing institute's exploit relies on "Apple's insecure use of hash functions for 'obfuscating' contact identifiers in the AirDrop protocol execution," which the university discovered -- and came up with an open source fix for -- in 2019.
"In more detail, the forensic experts extract hash values of the senders' contact identifiers that are retained in log files on the receiver devices," the website read. "Then, they apply hash reversal attacks based on rainbow tables (as proposed in our proof of concept) to efficiently obtain the contact identifiers in the clear."
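The mechanism described above is the familiar one: a hash of a low-entropy identifier (a phone number or email address drawn from a small, enumerable space) gives no meaningful protection, because anyone can precompute the hash of every candidate and look the logged value up. The following is an added illustration, not code from the Beijing institute, from TU Darmstadt, or from Apple. It uses a constructed toy number plan of 10,000 identifiers so that the whole table fits in memory, and it contrasts the unkeyed hash with a keyed one (HMAC under a secret) so that the defensive point is visible: the same precomputed table is useless against a keyed digest. Note that a keyed hash is only a stand-in for the mitigation here, since two devices that have never met have no shared key to use; that gap is exactly why the researchers propose a private set intersection (PSI) protocol instead.

```python
import hashlib
import hmac
import math
import secrets

# Constructed toy identifier space: a hypothetical number plan of the form
# "555" + 4 digits, i.e. 10,000 possible identifiers. Real national number
# plans are larger (on the order of 10^10 values) but still small enough to
# enumerate, which is the whole point of the rainbow-table approach.
TOY_PREFIX = "555"
TOY_DIGITS = 4


def toy_identifier_space():
    """Yield every identifier the toy number plan can hold."""
    for n in range(10 ** TOY_DIGITS):
        yield f"{TOY_PREFIX}{n:0{TOY_DIGITS}d}"


def space_bits(size: int) -> float:
    """Entropy of a uniformly chosen identifier from a space of `size` values.
    A 10^10-value phone plan is only ~33 bits: trivially enumerable."""
    return math.log2(size)


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 over the identifier: no salt, no secret. Anyone who can
    enumerate the identifier space can precompute every output in advance."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. A table precomputed without the key
    does not match these outputs, so enumeration alone no longer helps."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def build_lookup_table(hash_fn):
    """Precompute digest -> identifier for the whole toy space. This is the
    brute-force form of what a rainbow table does; a rainbow table proper
    trades table size for recomputation time but recovers the same values."""
    return {hash_fn(ident): ident for ident in toy_identifier_space()}


def reverse(table, digest):
    """Return the identifier whose digest is `digest`, or None if absent."""
    return table.get(digest)


def demo():
    """Run the toy end to end and return (recovered, not_recovered)."""
    # Constructed sample: a log field holding the unkeyed hash of one sender.
    sender = "5551234"
    logged_digest = unkeyed_hash(sender)

    # Weak setting: the digest is reversed by a single dictionary lookup.
    table = build_lookup_table(unkeyed_hash)
    recovered = reverse(table, logged_digest)

    # Mitigated setting: the same field under a secret key. The identical
    # table built from the public enumeration finds nothing.
    key = secrets.token_bytes(32)
    keyed_digest = keyed_hash(sender, key)
    not_recovered = reverse(table, keyed_digest)

    return recovered, not_recovered


if __name__ == "__main__":
    rec, miss = demo()
    print(f"unkeyed digest reversed to: {rec}")       # 5551234
    print(f"keyed digest reversed to:   {miss}")      # None
    print(f"10^10 identifiers ~ {space_bits(10**10):.1f} bits of entropy")
```

The practical check for a defender reviewing any log or protocol field is the first question `space_bits` answers: if the set of possible plaintexts is small enough to enumerate, a plain hash of it is an encoding, not a protection, regardless of which hash function is used.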
It's unclear if Apple has addressed the AirDrop vulnerability. TechTarget Editorial contacted Apple for comment, but the company has yet to respond.
Matthew Green, a cryptography expert and an associate professor at Johns Hopkins University, posted on X that Apple fixing the flaw could have political implications between the tech giant and China.
"Using a known flaw (unfixed by Apple since 2019), Chinese state authorities have developed a system to trace the sender of AirDrop files. This was apparently a popular way to evade censorship in China, now it's under threat," he wrote. "I understand and appreciate this was not an easy fix for Apple. Nonetheless: if Apple had fixed this *before* China's security agencies began exploiting it, nobody would have cared. Now pushing a change could have huge political implications re: Apple/China."
While the AirDrop exploit was used by Beijing authorities in criminal matters, it's possible it could be used for cyber espionage purposes as well. Aggressive hacking and intelligence collection have been a persistent issue for the Chinese government. Last year, government security agency heads for the U.S., Canada, the U.K., Australia and New Zealand warned of the "unprecedented threat" posed by Chinese spying, and urged organizations to take steps to protect themselves. For example, a China-based actor known as Storm-0558 compromised Microsoft customer email accounts belonging to U.S. federal agencies via a stolen Microsoft account consumer signing key.
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.