Article Details

Scrape Timestamp (UTC): 2024-01-15 03:01:13.138

Source: https://www.theregister.com/2024/01/15/china_airdrop_anonymity_warning/

Original Article Text

China loathes AirDrop so much it’s publicized an old flaw in Apple’s P2P protocol

Infosec academic suggests Beijing’s warning that iThing owners aren’t anonymous deserves attention outside the great firewall, too.

In June 2023 China made a typically bombastic announcement: operators of short-distance ad hoc networks must ensure they run according to proper socialist principles, and ensure all users divulge their real-world identities. The announcement targeted technologies such as Wi-Fi hotspots run from smartphones and Apple’s AirDrop, as they both allow the operation of peer-to-peer networks that are hard for Beijing to observe. Protestors reportedly used AirDrop to share anti-government material during China’s long and strict COVID-19 lockdowns.

China understands that Apple considers AirDrop’s peer-to-peer links a feature, not a bug. But Chinese netizens know they’re being watched in the name of national security, and many welcome it. Which is why Chinese authorities last week admitted that the use of AirDrop is considered problematic after police previously found inappropriate material being shared on the Beijing subway using the protocol.

“Because AirDrop does not require an Internet connection to be delivered, this behavior cannot be effectively monitored through conventional network monitoring methods, which has become a major problem for the public security organs to solve such cases,” states an article posted by the city of Beijing’s municipal government.

The piece goes on to describe an assessment by the Beijing Wangshendongjian Forensic Appraisal Institute that found AirDrop’s attempts to anonymize users’ identities are easily circumvented because identifiable information is only hashed and a technique called a “rainbow table” allows access to the relevant information in plain text. Chinese netizens are therefore on notice that their attempts to share material critical of Beijing can be observed. And those netizens know the consequences of being caught are nasty.

Infosec academic Matthew Green analyzed the post, and research on AirDrop published in 2019 by academics from TU Darmstadt, and concluded the protocol is leaky and the Institute’s assertions are entirely plausible – if an Apple ID or phone number can be guessed by an attacker.

“The big question in exploiting this vulnerability is whether it’s possible to assemble a complete list of candidate Apple ID emails and phone numbers,” wrote Green, a cryptographer and professor at Johns Hopkins University.

The extent of surveillance in China means gathering candidate info would not be vastly difficult. Green’s post details ways in which actors could create lists of target credentials. AirDrop users are therefore at risk, in China or anywhere else.

Green suggests “a bizarre high-entropy Apple ID that nobody will possibly guess” as one way to protect yourself. “Apple could also reduce their use of logging,” he wrote, before suggesting that Cupertino could easily fix this issue by using a robust version of a cryptographic technique called “Private Set Intersection”.

“But this is not necessarily an easy solution, for reasons that are both technical and political,” he observed. “It’s worth noting that Apple almost certainly knew from the get-go that their protocol was vulnerable to these attacks — but even if they didn’t, they were told about these issues back in May 2019 by the Darmstadt folks. It’s now 2024, and Chinese authorities are exploiting it. So clearly it was not an easy fix.”

Green then speculated that even if Apple can fix the issue, it might not want to, given it earns around 20 percent of its revenue in China, which in 2023 discouraged use of the iPhone by government employees.

“Hence there is a legitimate question about whether it’s politically wise for Apple to make a big technical improvement to their AirDrop privacy, right at the moment that the lack of privacy is being viewed as an asset by authorities in China. Even if this attack isn’t really that critical to law enforcement within China, the decision to ‘fix’ it could very well be seen as a slap in the face,” he wrote.

Daily Brief Summary

NATION STATE ACTIVITY // China Criticizes AirDrop's Privacy Risks, Exploits Old Vulnerability

China has highlighted a flaw in Apple's AirDrop protocol, stressing the need to align with socialist principles and enforce real identity disclosure.

AirDrop's peer-to-peer network makes it difficult for the Chinese government to monitor, having been used to share anti-government material in the past.

Beijing's police identified the sharing of problematic content via AirDrop, which evades conventional network monitoring due to its offline nature.

Research suggests that the pseudonymity offered by AirDrop can be breached using "rainbow table" techniques to recover hashed identifying information in plain text.

Matthew Green, an infosec academic, acknowledges the plausibility of the vulnerability and the risk it poses to users globally, not just in China.

Apple has been aware of the vulnerability since at least 2019 but has not fixed it, potentially due to the technical complexity and political considerations within the lucrative Chinese market.

Users are advised to use complex Apple IDs to protect themselves, and Apple could implement more robust cryptography, though this may intensify political tensions with China.