Attack of the Week: Airdrop Tracing (cryptographyengineering.com)
207 points by feross 10 months ago | 68 comments



As far as I know, dissidents would hang around major population areas (i.e., subway stations) and allow for anonymous users to connect to them to transfer files. This security issue would allow the Chinese government to track them.

However, also as far as I know...although VPNs are banned in China, there are ways to get them. I'd wonder how much dissidents use AirDrop in this manner if they can access the global Internet anonymously. Given mass surveillance in China, I'm sure the Chinese government can track "oh this airdrop sender appears every time this person is in this station".

I also hope that Apple adopts an open source protocol for AirDrop not just for cross platform compatibility, but auditable security. Android has its own "Nearby Share". If Apple doesn't want to get in trouble for "fixing" this, they can easily adopt a cross platform compatible protocol that just happens to also fix this.


Is this sort of sharing big enough to warrant dedicated and open-source devices just to do this? A sort-of glorified USB Drive with a sharing protocol and nothing else. You walk around and it just syncs up with things around you. Something that looks like an original iPod with a screen and folders of files.

I don't know anything about the AirDrop or NearbyShare protocols, but I wonder if they can be implemented in such a device?

All the recently announced dedicated AI devices make me think people might be into it.


If you haven’t seen it before you might find the pirate box interesting. No longer exists and definitely a relic of the era of piracy/crypto from a decade+ back.

https://en.m.wikipedia.org/wiki/PirateBox


This would be a really cool way to secretly do intel "dead-drops" where you just need to walk by a certain place at a certain time to receive your dead-drop.


I think some of the offline-first chat/social networks will work this way - briar? serval?


It’s already a thing for dead drop data exchange. Has been for about 20 years now. First with ad-hoc WiFi networks.


Way longer than that too. Transmitting encrypted data packets over radio waves was a thing during the cold war. Tune in to a certain frequency at a certain time, of course you must be in range too, record the packet then go back and decrypt it.


https://en.m.wikipedia.org/wiki/Numbers_station still exist and there’s basically nothing you can do to trace recipients.


A lot has changed since then but they had techniques to identify the listeners as early as the 50s

https://en.m.wikipedia.org/wiki/Operation_RAFTER

Having said that there isn’t really anything special about this particular technique of using numbers stations. It’s just a part of the same trick to pass along information via an open channel without having to give away what the message is about or who the intended audience is supposed to be.

Taking out an ad in the classifieds section of a newspaper is ultimately the same trick just with a much lower bandwidth to transmit anything useful beyond a simple signal.


This would be great, and I'd be really happy to see it.

One (definitely not insurmountable) problem that would exist in such a federated and open system is credential authentication:

Currently, Apple signs your email address and phone number (hash) so that you can't impersonate somebody's trusted contacts and send unwanted material to them without their consent, which has been a problem for Apple in the past. That's supposedly also why they have removed the "allow all AirDrop senders" option in favor of one that times out after 10 minutes.

There would either have to be a federated alternative to that, or the open source system would have to drop sender authentication; then you could only receive AirDrops while your device is in "allow all senders" mode.


How would federation solve this problem?

The reason there's anything in the airdrop protocol that can be converted to a person is to allow your device to say who is sending it if you know their identity already, and/or to filter the messages if you don't.

The whole point of this activity was that people did not care, nor want to care, about who was sending payloads. In such an environment the solution is no identity at all, not federation of identity.

If you do try to do this simply because of "federation", all China does is use the same federation system to get the user information (because the whole point here is China was monitoring local Bluetooth info, so some nebulous application of federation dust doesn't magically resolve anything).

The problem here is that people were using a system that is not anonymous by design (there is a deterministic relationship between the underlying account and the hash by published design), and that relationship is necessary for basic functionality. A hindsight being 50/50 step could have been to use a password hashing function, but AirDrop has existed long enough at this point for me to assume that the iterative systems would have relatively low iteration counts, and mobile hardware probably can't afford the resources to make every AirDrop also perform memory bounding steps.


> How would federation solve this problem?

I'm not saying that federation solves the anonymity problem, I'm just saying that the current implementation includes Apple as a trust anchor for email address and phone number verification and issuance of corresponding certificates. My point is that in order to enable an open cross-platform solution, there would have to be some alternative mechanism to that.

What they could add is a sender-side option that makes sending completely anonymous. This would be possible without any change on the receiver side, but would require recipients to enable "allow all senders" mode.


Fundamentally this verification is based on your contact list, which is formed from people you already know and have added to your contacts, so there's not really any need for a centralized trust. Presumably you trust the e-mail address of the contact you added, and the federation protocol could easily define how the authoritative hash/key for each user would be shared based on their e-mail.

In most cases this could also be resolved at first contact in meatspace, directly between the devices when establishing contact via the typical ways users share contact information - QR code or some form of short range networking, or even with an SMS challenge.


> the federation protocol could easily define how the authoritative hash/key for each user would be shared based on their e-mail

That really doesn't sound that easy in a federated protocol.


Really? It doesn't seem to me like it gets any more trivial than 'hit DNS for the domain to find federation server, send a GET request' to me. You could even do the whole thing with DNS, though that has privacy implications. What am I missing?


At Yahoo we built a thing called "meatspace" that would do this with WiFi MAC addresses but legal stopped it as you could identify people and their locations back in time as soon as you associated them. Some other companies did this for retail tracking. That caused Apple to periodically change the MAC address.


> I also hope that Apple adopts an open source protocol for AirDrop not just for cross platform compatibility

There was a user who pitched the idea of an airdrop like thing to Signal awhile back, specifically stating that it could be used for organization, but it didn't seem to get much traction and looks like they got in a little scuffle with the mods. Sounds like it would be a useful thing given the other security around Signal and the fact that it is cross platform.

https://community.signalusers.org/t/signal-airdrop/


Many people use VPNs openly in China for business and gaming. It's sort of allowed. Source: my Chinese mates


UU Booster, which is the service I currently use for gaming is operated by NetEase, which is a giant in the Chinese online gaming space. It's fully legal, no issues whatsoever.

Also you can get roaming SIM cards or even eSIMs, which connect to APNs overseas.

You can also get Alibaba Cloud private networking connection between a region inside of China and a region outside. They use private lines so there's no GFW involved. My understanding is that you need an international real name verified account to do this, but after that you basically have an uncensored line that's also much more stable than connections that have to go through the GFW. I know of a US company that uses this to connect their Chinese workers to their central office, and again it's fully legal once you get an ICP license.


This is not a snarky comment: It wouldn't be surprising if VPN use will be tied to a social credit score, if not already?


Yeah maybe, but people give the CCP way more credit than is due. They are a much more hands on and brutalist group than technocratic overlords. Many of their initiatives sound powerful and wizardly but most are implemented poorly if at all. At the end of the day they are almost entirely reliant on a monopolistic hierarchy of physical violence and in person observations.


Yeah - the CCP is getting good at online Social PR.

Especially from what they have been learning about generating viral from tiktok (the ADHD Dopamine Addicts in the growing adolescent brain is a gold mine)....

But one interesting thing I noticed on tiktok and reddit r/artisanvideos and others for example - is these agrarian-crafty-chipster videos.

Like the soft music, the beautiful landscapes, the cute dog in the background and all the nice, clean village-esque looking surrounding as some master craftsman makes bamboo mats, or tofu, or paper etc...

They look highly polished PR videos that one might see at an amusement park showing the "simple but accomplished life in china - look how elegantly crafty these simple folk are"

--

However - that doesn't mean they aren't making incredibly authoritarian tools disguised as benefits for society. and AI will engulf their tool set and accelerate. Just make sure to leave some bread, circuses and sex to distract the frogs from the temp in the cauldron.


> This security issue would allow the Chinese government to track them

Thank god that only the Chinese do it. Imagine what the reaction will be if someone finds out that the US or the Canadian or the UK government does it. /s


Recent and related:

Apple knew AirDrop users could be identified and tracked as early as 2019 - https://news.ycombinator.com/item?id=38971811 - Jan 2024 (13 comments)

China Says It Cracked Apple AirDrop to Identify Message Sources - https://news.ycombinator.com/item?id=38925681 - Jan 2024 (21 comments)


> While AirDrop’s device-to-device communications channel is typically protected from third-party snooping by its own layer of security, that wouldn’t shield someone who may have been tricked into connecting with a stranger, perhaps by tapping on a deceptively named device in a list of contacts or by thoughtlessly accepting an unsolicited connection request. This step is required for the sender to be identified, according to security experts.

Apple already acted on this, didn’t they? AirDrop now defaults to off and you can only switch it on for ten minutes at a time – you can’t forget to switch it off again. When Apple implemented this change, I remember that they were criticised because people said they were doing what China wanted by cracking down on P2P communication. Now it’s the opposite situation but the same criticism.


I believe what they changed is the ability for "everyone" to discover you to a 10 minute toggle. It defaults to always being discoverable to your contacts.

I assume that it still broadcasts your hashes even in the contacts-only mode, so you'd need to turn receiving off to stop that. Or go a step further and disable Bluetooth entirely* when you don't need it.

* If you disable Bluetooth in the Control Center pulldown it won't actually disable Bluetooth or beacons. It just won't connect to devices. You need to go into Settings to actually disable Bluetooth.


Your phone isn't passively broadcasting hashes if it's just an AirDrop receiver no matter what mode it's in. This vuln only poses a privacy risk for those sending AirDrops.


I understand why they put it on a 10 minute time-out, but it still makes me slightly sad. Sending (or receiving!) goofy cat pics on the subway had its own kind of charm.


Good writeup, thank you for sharing.

Even before the discovery phase (which is where this issue sits), the two devices apparently create a TLS tunnel with both client and server certificates, signed by Apple and containing UUIDs linked to the device and Apple ID [0].

I have no idea if/where/how these certs are used elsewhere, but this seems like another avenue of identification and tracking even if it doesn't directly expose the phone number or email address. I'm pondering early IMSI catchers didn't expose the MSISDN, but enough listeners in various places seeing the same IMSI sure helped for correlation. Does anyone know of any writeups on Apple's internal (device) CA infrastructure?

[0] Section 2.4: https://www.usenix.org/system/files/sec21-heinrich.pdf


>Even before the discovery phase (which is where this issue sits), the two devices apparently create a TLS tunnel with both client and server certificates, signed by Apple and containing UUIDs linked to the device and Apple ID [0].

From the abstract

>We propose a novel optimized PSI-based protocol called PrivateDrop that addresses the specific challenges of offline resource-constrained operation and integrates seamlessly into the current AirDrop protocol stack

Is section 2.4 how it works today, or what they're proposing for the future?


2.4 seems to be part of the description of the current specification, whereas their PrivateDrop suggestion doesn't come in until part 4. Even if a different PSI is used it's still (I believe) happening over the TLS connection so it wouldn't fully eliminate the fingerprinting.
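The private set intersection (PSI) idea discussed in this subthread, as an added sketch that is not part of the original comments and is not PrivateDrop's or Apple's code: a Diffie-Hellman-style PSI in which the sender's identifiers go over the air blinded by a fresh secret exponent instead of as a fixed hash. The `Party` class, function names and sample identifiers are assumptions made for the illustration.

```python
import hashlib
import secrets

# 2048-bit MODP safe prime from RFC 3526 (group 14); Q = (P - 1) / 2 is also prime.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2


def hash_to_group(identifier: str) -> int:
    """Hash a normalised e-mail/phone string into the order-Q subgroup mod P."""
    norm = identifier.strip().lower().encode()
    # Ten SHA-256 blocks give 2560 bits, so reducing mod P is close to uniform.
    wide = b"".join(hashlib.sha256(bytes([i]) + norm).digest() for i in range(10))
    return pow(int.from_bytes(wide, "big") % P, 2, P)  # squaring lands in the subgroup


class Party:
    """One side of the exchange (hypothetical helper); the exponent is per session."""

    def __init__(self, identifiers):
        self.ids = list(identifiers)
        self.key = secrets.randbelow(Q - 1) + 1  # secret exponent in [1, Q-1]

    def blind_own(self):
        return [pow(hash_to_group(x), self.key, P) for x in self.ids]

    def blind_peer(self, values):
        return [pow(v, self.key, P) for v in values]


def sender_in_contacts(sender_ids, receiver_contacts):
    """Run one session; return (sender ids the receiver has as contacts, message 1)."""
    sender, receiver = Party(sender_ids), Party(receiver_contacts)

    # 1. sender -> receiver: H(id)^a. Without a, an observer cannot test guesses.
    msg1 = sender.blind_own()

    # 2. receiver -> sender: H(id)^(ab) in order, plus H(contact)^b shuffled.
    doubled = receiver.blind_peer(msg1)
    contacts_b = receiver.blind_own()
    secrets.SystemRandom().shuffle(contacts_b)

    # 3. sender computes H(contact)^(ba); it equals H(id)^(ab) only on a match.
    contacts_ab = set(sender.blind_peer(contacts_b))
    matched = [sid for sid, d in zip(sender.ids, doubled) if d in contacts_ab]
    return matched, msg1


# Constructed sample data, not taken from the thread or the paper.
SENDER_IDS = ["+15555550100", "alice@example.com"]
CONTACTS = ["bob@example.com", "Alice@Example.com ", "+15555550123"]

if __name__ == "__main__":
    matched, wire = sender_in_contacts(SENDER_IDS, CONTACTS)
    print("matched:", matched)
    # An observer hashing a candidate address finds nothing to compare it with.
    print("guess visible on the wire:", hash_to_group("alice@example.com") in wire)
```

This covers honest-but-curious parties only: it does not stop a participant from submitting guessed identifiers as its own inputs, and it does nothing about the certificate identifiers exchanged over TLS that the comment above raises.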


PSI is an interesting bit of cryptography. If I were random Apple engineer, how would I have found it or found a cryptographer to talk to to find it?


If you are an engg in a big company you could just email the relevant mailing list / slack channel. And somebody highly knowledgeable will tell you a lot of what you need to know.


Honestly I would just ignore it. I don’t get paid to do work outside my scope


Why not include a timestamp in the hash? Everybody has synchronized clocks, round it to 5 minutes to add some margin.

That should make any attempts of pre-computed rainbow tables very expensive and only usable for a short time window.


A couple billion hashes (emails) is nothing, these days. One could just continuously recompute hashes for all known (or expected) emails and phone numbers. In case of governments, they can just include emails/numbers of personae non grata - a trivially small list.


Why would any sane person allow accepting connections like this from any device? I don't even want to allow anyone from my contacts blindly just because I have saved their phone number. That isn't an automatic "I trust this person implicitly" flag.

Clearly, I'm of "a certain age" where I don't blindly trust anyone for anything. It's amazing how quickly the concept of trust has been tossed aside from tech


This isn't how Airdrop works.

The first step is a device lookup with "Bonjour", which allows devices to ping each other and see who's who. Any network device since the 1980s pretty much does this by default unless you disable it. Remember Netbios?

The second step, is Airdrop requesting a device to accept a connection.

At that point, you see who is sending you the send request, and you can accept/deny. Airdrop is also disabled by default from unknown senders since a dude sent a dick pic on an airplane. Your Apple device will only accept connections from known contacts by default, and you can override that setting to allow connections from anyone.

You can disable this behaviour in Settings by blocking Airdrop.

From the article:

> While AirDrop’s device-to-device communications channel is typically protected from third-party snooping by its own layer of security, that wouldn’t shield someone who may have been tricked into connecting with a stranger, perhaps by tapping on a deceptively named device in a list of contacts or by thoughtlessly accepting an unsolicited connection request. This step is required for the sender to be identified, according to security experts.


> The second step, is Airdrop requesting a device to accept a connection.

> At that point, you see who is sending you the send request, and you can accept/deny.

Revealing the identity hash must happen earlier than that, since the entire point of the "only contacts" feature is that you can't even see non-contacts on your AirDrop share sheet.

And since Apple (correctly, in my view) didn't want receiving devices to publicly broadcast their identities (or even worse the set of acceptable senders), it's on the sender to initially broadcast their identity to all devices within range.

The candidate devices (i.e. those that have the sender in their contacts) then respond and get populated in the share sheet target list.

What's potentially surprising is that this must happen even before selecting AirDrop as a share target, since (at least on my device) I can already see nearby AirDrop contacts in the "frequently contacted" part of the general share sheet...


Yes, there's a more complicated explanation as it's all happening as part of Bonjour https://developer.apple.com/bonjour/

The sender device broadcasts their identity, while the receiving devices will follow the Airdrop settings. When in contacts only and/or disabled, your device will not broadcast your personal identity in the clear.

Your device itself broadcasts its presence through various protocols.

This is a follow-up to the NetBIOS protocol that did the same (Windows shares is another example).


> Why would any sane person allow accepting connections like this from any device? I don't even want to allow anyone from my contacts blindly just because I have saved their phone number. That isn't an automatic "I trust this person implicitly" flag.

How is this any different than your phone accepting random MMS, imessages, or phone calls from any random phone number?


The likelihood of you ever receiving a random SMS without somehow giving away your number is very low.


You never got robo-dialed or text spam?


I assume my number was somehow leaked. While the search space is not prohibitively big for an exhaustive search, I don't think it's a common thing to do since I don't get nearly enough robocalls or messages to assume that.


The bespoke mechanism is of a peer-to-peer nature, hence not subject to fraud and spam prevention mechanisms and, until now, largely untraceable.


As far as I understand the "vulnerability" (it's really AirDrop working as publicly documented), it happens when you attempt to share content, not when you're visible for receiving content.


Recall when anyone could page you? Now they can text you. And by "text", I mean, any media.


If a company creates a back door for a government in a way that it looks like an oopsie vulnerability, it gives them plausible deniability. If someone reports the vuln and they don't fix it, this somewhat shatters the plausible deniability.

Operation triangulation https://securelist.com/operation-triangulation-the-last-hard... revealed the use of four different vulnerabilities, hidden code and undocumented features to take over iPhones. Its sophistication points to an APT. Apple did not deny helping the attacker TMK.


Does it still count as an "oopsie vulnerability" if Apple has publicly documented this behavior for years in their documentation?

https://support.apple.com/guide/security/airdrop-security-se...

> Apple did not deny helping the attacker TMK.

I can imagine many non-malicious alternative explanations for Apple not commenting on that particular vulnerability. For example, doing that here opens the door to a future in which every non-denial is seen as implicit admission of collaboration.

It's also possible that Apple themselves was compromised: It's a large company, and other types of leaks do happen.

I'd focus much more on the things Apple very publicly does not do, such as in this case not using private set intersection for AirDrop.

The best vulnerability is the one you don't even have to defend, because it's just the absence of a more secure (but also more complicated) alternative. There are countless historical examples of that: Unencrypted instant messaging, non-end-to-end encrypted cloud storage etc.


The idea that Apple needs to create backdoors for governments seems absurd when you consider that any competent government will have essentially unfettered access to Radar, i.e. a firehose of almost every security bug discovered by Apple or reported to it.


[flagged]


> Then AirDrop got a new feature called NameDrop, on by default, where phones near each other play an animation and display a button to send your Contact Card to the other (single press, no confirmation). There’s no documentation of what info is shared this way, and it’s not delineated on the Contact Card in the Contacts app.

You really shouldn’t get your information from Facebook posts. The post you linked even correctly describes the process: the phones need to be VERY “near each other” (almost touching) and – contra “no documentation” – you select which fields are shared and can view or change the fields before hitting the button to share them.


I got info from the linked page. If it wasn’t clear from the end of the post, I’m not really a fan of Facebook. Thanks for pointing out the sentence I missed. It really doesn’t match my mental model where information that’s put in on a single contact is shared together as with contact exports, so I missed that as I read. Still unfortunate to see Apple compiling personal info together like this.


What makes you think Apple is “compiling” personal info when your phone transfers selected data to a nearby device?


The Contact Card integration I described is bringing together information that used to be fragmented across ios apps. I don’t think it’s good to make it easier to use and share personal info.


Helping you use your own data on your own device isn’t a problem. Sharing it could be a concern but what we’re usually worried about is when that is done without your knowledge or consent. In this case, the user has to initiate the action, is fully informed, and can control what is shared. This is very far from what Facebook does.


Unfortunately, making it easier to use the data makes it easier to use the data. It changes the ecosystem and the default expectations.

For an ios example, location sharing is optional but the expectation is becoming that it’s used: https://www.vox.com/culture/23742552/location-sharing-iphone... I was really surprised by this article because I couldn’t imagine this kind of 24/7 surveillance of friends and family. I’ve asked around and it’s becoming the expectation in romantic relationships, and it’s uncommon but not surprising in friendships.

For an offline example, the standardized barcodes on the back of US driver’s licenses are changing how businesses use them. Liquor stores and bars used to briefly use them to check age. The last few years I’ve seen an increasing number that scan the barcode to collect the info. I’ve also visited two gyms and a shipping service that wanted to scan IDs, which is a request I never saw before the REAL ID Act made it easy to collect the data. If you think it’ll stay optional, try to take a US flight without a REAL ID-compliant ID, open a US bank account without a social security number, or cross an international border without a passport. Today’s optional is tomorrow’s mandatory.

Compiling personal info from the different apps and making it easy to share is inherently a problem because making that easy changes the expectation and organizations start demanding it. When NameDrop interoperates between ios, Android, and POS systems it’ll become a standard expectation in business interactions. To give two plausible changes where I expect it to quickly become expected: getting in a queue for a table at a busy restaurant, and retail sales predicating refunds or support on it. It’ll be a cheap, minor benefit for the businesses and users have it on and filled in by default. For another example, a half-dozen businesses near me don’t accept cash - you have to use a form of payment that gives up at least your name to the store if you want to buy a donut, have your hair cut, or park your car. None of those services should require personally identifying information, but now it’s mandatory.

I’d like to see ubiquitous data collection put off as long as possible, include little data by default, and not include durable, correlatable identifiers like phone numbers and national ID numbers. That’s not hyperbole about a mustache-twirling dystopian intrusion, it’s one more small integration for NameDrop that’ll start out optional: https://support.apple.com/en-us/HT212940


Don’t the phones practically need to be touching for that feature?

I don’t think that reduces AirDrop privacy, you’d know who it was from that distance anyway.


You also need to affirmatively press the button obviously titled ‘share’ before it sends the contact info.


Yep. I'm convinced that anyone complaining about this has never used the feature. Context on how this misinformation started on the Facebook pages of police departments: https://www.macrumors.com/2023/11/27/ios-17-namedrop-misinfo...

Some day I'd like to use an LLM to read every user's comments on websites like this and automatically tag the users that fell for similar fake stories. That way I can avoid wasting time researching their claims


I wonder if it is possible to do a relay attack to something like:

- a malicious wireless charger

- a coffee shop table / bar table / desk

- a phone holder in a vehicle

or use an SDR with a high gain directed / beam formed antenna to pretend to be much closer than you really are

I don't know exactly how it works (or have a modern iOS device to test on), so all speculation


Is it an unfixed exploit when Apple knowingly left it as is for whatever reason?


> Is it an unfixed exploit when Apple knowingly left it as is for whatever reason?

Danger Will Robinson

“AirDrop uses iCloud services to help users authenticate. When a user signs in to iCloud, a 2048-bit RSA identity is stored on the device, and when the user turns on AirDrop, an AirDrop short identity hash is created based on the email addresses and phone numbers associated with the user’s Apple ID.”

https://support.apple.com/en-gb/guide/security/sec2261183f4/...


Why doesn’t it store a shared secret based on some information from both parties once a contact has been mutually agreed to be shared… then you can quickly do a verification without any interception from outside sources or any information leaking


It can't be mutual because the receivers don't broadcast, so the sender doesn't know which contacts are in range.

I was also thinking you might be able to use asymmetric crypto for this, and encrypt the hash + a nonce using your private key, and anyone with your public key can decrypt it and check the hash against the contact list. But this means the potential receiver needs to decrypt with every public key it knows, which for large contact lists might be prohibitively expensive.

Someone has probably devised a more clever way, though.


This is what I was thinking. Apple guys are smart they will sort it out


How do you Airdrop to new contacts then? And how do you sync shared secrets securely across multiple devices of a single user?


You must have been in person to share contact details

Same way it does with password manager


That would unfortunately make for behavior inconsistent with the way AirDrop works today. You might have to become “visible to everyone” randomly on a new device, for example.

Not insurmountable, but it would probably be quite un-Apple-like.



