
AirDrop cracked by China, revealing phone number and email address of sender

In a significant breach of Apple’s privacy measures, a new report says that the Chinese government has cracked AirDrop to reveal the phone number and email address of senders.

The anonymity of AirDrop was one of the reasons it has been commonly used by activists to share information about protests, and other information censored by the government …

AirDrop is widely used by anti-government activists

AirDrop is a proprietary encrypted communications tool developed by Apple, and is only intended to share the name of your phone (which you can set to anything you like). Your Apple ID should not be disclosed, nor the contact information associated with it – namely, your phone number and email address.

This security has made it a safe way for anti-government activists to distribute information censored on the Internet. It was, for example, widely used in Hong Kong to pass on the dates, times, and locations of upcoming protests.

While the so-called Great Firewall of China blocks keywords, locations, and dates associated with protests when posted on the Internet, AirDrop is a short-range direct device-to-device protocol, meaning that there is no way for the government to block it.

China forced Apple to make it much less useful

China has long been concerned about the ability of AirDrop to circumvent its censorship, and clearly expressed its concerns to Apple, asking it to take action to prevent this type of use.

Apple responded by introducing a new time-out. To receive documents from strangers via AirDrop, you need to set your iPhone to receive messages from Everyone, instead of Contacts Only. Protestors would keep this setting enabled at all times to facilitate public sharing.

Apple introduced a 10-minute time-out for the Everyone setting; at the end of that time, it would revert to Contacts Only. That made it almost impossible to use AirDrop in this way, as everyone would have to manually re-enable it every 10 minutes. (Somewhat ironically, a lot of iPhone users in other countries said they’d prefer this, so Apple subsequently rolled out the change globally.)

AirDrop cracked by Chinese institute

China planned to go further, introducing a new law to make it illegal to distribute anti-government materials in this way. The law would also force Apple to set iPhone names to the real name of the owner. But it appears the state has found a ‘better’ solution.

Bloomberg reports that a state-backed institute has now cracked AirDrop encryption, revealing the identities of those sending files.

The Beijing institute developed the technique to crack an iPhone’s encrypted device log to identify the numbers and emails of senders who share AirDrop content, the city’s judicial bureau said in an online post. Police have identified multiple suspects via that method, the agency said, without disclosing if anyone was arrested.

“It improves the efficiency and accuracy of case-solving and prevents the spread of inappropriate remarks as well as potential bad influences,” the bureau said.

There’s no indication that the content encryption has been breached, but state authorities would of course be able to accept public AirDrop broadcasts to receive the content, and then match it to the sender.

Usually when one of Apple’s security measures is breached, the company would issue an update to patch it. We’d hope this will happen here, but the Chinese government is likely to apply pressure on the iPhone maker to leave the exploit unpatched – at least, on Chinese devices.


Author: Ben Lovejoy
