Apple knew AirDrop users could be ID’ed and tracked as early as 2019, but did nothing – researchers

Security researchers warned Apple as early as 2019 about vulnerabilities in its AirDrop wireless sharing function that Chinese authorities claim they recently used to track down users of the feature, and even proposed a way to close the secuirty hole, but the company reportedly did nothing about it.
Sean Lyngaas and Brian Fung for CNN:
‎

The Chinese government’s actions targeting a tool that Apple customers around the world use to share photos and documents — and Apple’s apparent inaction to address the flaws — revive longstanding concerns by US lawmakers and privacy advocates about Apple’s relationship with China and about authoritarian regimes’ ability to twist US tech products to their own ends.
The Chinese claim has alarmed top US lawmakers. Florida Sen. Marco Rubio, the leading Republican on the Senate Intelligence Committee, called on Apple to act swiftly.
“Anyone using an iPhone should be concerned with the security of Apple’s AirDrop function,” Rubio told CNN. “This breach is just another way for Beijing to target any Apple user it perceives to be an opponent. The time to act is now, and Apple must be held accountable for failing to safeguard its users against such blatant security breaches.”
A group of Germany-based researchers at the Technical University of Darmstadt, who first discovered the flaws in 2019, told CNN Thursday they had confirmation Apple received their original report at the time but that the company appears not to have acted on the findings. The same group published a proposed fix for the issue in 2021, but Apple appears not to have implemented it, the researchers said.
One of the researchers, Milan Stute, shared an email with CNN showing a representative of Apple’s product security team acknowledging the researchers’ report in 2019.
According to a separate 2021 analysis of the Darmstadt research by the UK-based cybersecurity firm Sophos, Apple appeared not to have taken the extra precaution of adding bogus data to the mix to further randomize the results — a process known as “salting.”
That apparent failure allowed the Chinese tech firm to more easily reverse-engineer the original information from the encrypted data, in what seems to be “kind of an amateur mistake” by Apple, said Sascha Meinrath, the Palmer chair in telecommunications at Penn State University. “It certainly merits an explanation from Apple since it would point to a serious flaw in their technology.”

‎
MacDailyNews Take: Mistake – or intentional, given Apple’s crippling dependence on China – it’s not a good look for supposedly privacy- and security-focused Apple.
Apple is famously averse to greasing palms in order to get things done. That is laudable, but presents a problem when greasing palms is the only way out of a sticky situation. Luckily, there are respectable, legal ways to grease the required palms. – MacDailyNews, May 13, 2016
See also:
• China claims to have found way to identify AirDrop senders – January 9, 2024
• Is 2024 the year Apple’s crippling dependence on China finally blows up? – January 3, 2024
• Tim Cook firmly latched Apple onto China’s CCP teat. What’s his plan for weaning it off? – November 2, 2022
• Apple CEO Tim Cook signed secret $275+ billion deal with China in 2016 – December 7, 2021
• Why Apple’s $1 billion investment in Didi Chuxing is so weird – June 3, 2016
‎
Please help support MacDailyNews. Click or tap here to support our independent tech blog. Thank you!
Support MacDailyNews at no extra cost to you by using this link to shop at Amazon.

The post Apple knew AirDrop users could be ID’ed and tracked as early as 2019, but did nothing – researchers appeared first on MacDailyNews.