Billions of Devices at Risk: Flaws Found in Apple AirDrop and Google/Samsung Quick Share
Researchers have uncovered six vulnerabilities in Apple's AirDrop and Google/Samsung's Quick Share protocols, impacting over five billion devices and potentially exposing sensitive data.

Six critical vulnerabilities have been discovered in the file-sharing protocols used by billions of devices worldwide, specifically Apple's AirDrop and Google/Samsung's Quick Share. These flaws, identified by researchers at the CISPA Helmholtz Center for Information Security, could allow nearby attackers to intercept and read serialized data transmitted between devices, potentially exposing sensitive information without user interaction.
The research, led by Arash Ale Ebrahim and Nils Ole Tippenhauer, marks the first cross-platform analysis of these proximity-based file-sharing mechanisms. By reverse-engineering the application-layer protocols and employing a custom fuzzer, the team uncovered vulnerabilities across macOS, iOS, Android, and Windows, highlighting a significant pre-authentication attack surface inherent in these convenient, yet complex, systems.
On the Apple side, three vulnerabilities were found within the sharingd daemon, which handles AirDrop, AirPlay, Handoff, Universal Clipboard, and Continuity Camera. The most straightforward flaw allows an attacker to crash the entire service with a single malformed request. Another vulnerability lies in Apple's Foundation framework, where an XML property list parser lacks a depth limit, leading to stack exhaustion and crashes. A third bug involves a null pointer dereference in the system's HTTP parser, triggered by specially crafted headers.
For Google and Samsung's Quick Share, the researchers identified bypasses that allow an attacker to advance the connection state machine before proper authentication or encryption takes place. In one instance, the Samsung implementation dispatches application frames immediately after the connection request, before the critical UKEY2 key exchange. Even after the key exchange, three frame types could still be processed unencrypted by an on-path attacker.
The Windows client for Quick Share exhibited a memory corruption bug, specifically a use-after-free vulnerability. This occurs when two connections collide on the same endpoint identifier and nonce, leading to an object being freed and then accessed by another thread. While a crash was confirmed, a fully working exploit was not developed, though Google did award a bounty for the discovery.
A common thread links these disparate vulnerabilities: both systems, despite different implementations, grapple with the challenge of processing complex, attacker-controlled inputs from nearby devices before full authentication or user approval. Apple's centralized locking mechanism led to reliability code being exposed, while Google and Samsung's multi-threaded approach resulted in concurrency issues and gaps in security checks within individual frame handlers.
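The Quick Share bypasses described above come down to frames reaching their handlers before the connection state permits it. The following Python example is an addition to this article, not code from the researchers, Google or Samsung: it places the state and encryption check in one gate that every frame passes before any handler runs. The state names, frame names and the `encrypted` flag are assumptions made for the illustration.

```python
from enum import Enum, auto

class State(Enum):
    CONNECTED = auto()         # transport is up, nothing verified yet
    REQUEST_RECEIVED = auto()  # connection request seen
    KEY_EXCHANGE = auto()      # UKEY2 handshake in progress
    SECURED = auto()           # UKEY2 finished, session keys available
    CLOSED = auto()            # terminal state after any violation

# Hypothetical frame names (the page does not list the real frame types).
# frame type -> (state required, must be encrypted, state afterwards)
POLICY = {
    "CONNECTION_REQUEST":  (State.CONNECTED,        False, State.REQUEST_RECEIVED),
    "UKEY2_CLIENT_INIT":   (State.REQUEST_RECEIVED, False, State.KEY_EXCHANGE),
    "UKEY2_CLIENT_FINISH": (State.KEY_EXCHANGE,     False, State.SECURED),
    "INTRODUCTION":        (State.SECURED,          True,  State.SECURED),
    "PAYLOAD":             (State.SECURED,          True,  State.SECURED),
    "KEEP_ALIVE":          (State.SECURED,          True,  State.SECURED),
}

class Connection:
    def __init__(self):
        self.state = State.CONNECTED
        self.dispatched = []  # frames that were allowed through to a handler

    def receive(self, frame_type, encrypted):
        """Single gate: `encrypted` must mean the receiver itself decrypted and
        authenticated the frame with the session keys, never a peer-set flag."""
        rule = POLICY.get(frame_type)
        if rule is None:
            return self._reject(f"unknown frame {frame_type!r}")
        required, needs_encryption, next_state = rule
        if self.state is not required:
            return self._reject(f"{frame_type} not allowed in {self.state.name}")
        if needs_encryption and not encrypted:
            return self._reject(f"{frame_type} must be encrypted")
        self.dispatched.append(frame_type)  # only now would a handler run
        self.state = next_state
        return "accepted"

    def _reject(self, reason):
        self.state = State.CLOSED  # fail closed: no frame is valid afterwards
        return "rejected: " + reason

def replay(frames):
    """Feed constructed (frame_type, encrypted) pairs through a new connection."""
    conn = Connection()
    return [conn.receive(ft, enc) for ft, enc in frames], conn
```

Because the policy is a table checked in one place, adding a new frame type without deciding its required state and encryption requirement leaves it rejected by default.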
These findings underscore the inherent security challenges in designing seamless proximity-based communication. The need for user convenience often necessitates privileged background services that must process potentially malicious data early in the connection process, creating a broad attack surface. The researchers noted that the convergence of similar weakness classes in separate codebases highlights fundamental architectural challenges in this domain.
Patches for these vulnerabilities are reportedly being rolled out. Users of Apple devices running recent versions of macOS and iOS, as well as Android devices utilizing Quick Share, are advised to ensure their systems are updated to the latest available software versions to mitigate these risks.