You'll never guess who is leaking your Apple iPhone's number and Wi-Fi password
Someone very close to you and very near and dear to your heart is leaking the number of your Apple iPhone to others. When you find out who this person is, you are going to be so disgusted that you'll want to take this person to the back of the shed and slap them around a few times. Oh, by the way, that person is you. According to security firm Hexway (via Fast Company), those using the AirDrop feature to send photos, contacts and other content to nearby iPhone users are also transmitting their phone numbers to strangers.
Now we should point out that your complete phone number isn't streaming out in a way that anyone can grab it. What is being sent is a couple of bytes of the "hash" of your number every time you hit share. Hashing is a cryptographic technique that takes data and converts it into a fixed-length string that is meant to be unique to that data. Those interested in stealing your number could compute in advance the hashes of all the phone numbers in a particular region, based on area code. After all, each area code has a limited number of options. That makes it possible for an attacker to figure out your phone number from just a few bytes of "hash."
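Why a few bytes of hash hide so little, as an added example (not code from Hexway, Apple or this article): it counts how many numbers in a small block share each truncated hash, keeping only the counts. SHA-256 over the digit string, the 1555010 block and the function names are assumptions; the article names no algorithm.

```python
import hashlib
from collections import Counter

def truncated_hash(number: str, nbytes: int) -> bytes:
    # Assumption: SHA-256 over the ASCII digits; the article names no algorithm.
    return hashlib.sha256(number.encode("ascii")).digest()[:nbytes]

def anonymity_sets(prefix: str, digits: int, nbytes: int) -> Counter:
    """Map each truncated hash to how many numbers under `prefix` produce it."""
    return Counter(
        truncated_hash(f"{prefix}{i:0{digits}d}", nbytes)
        for i in range(10 ** digits)
    )

def summarize(prefix: str, digits: int, nbytes: int) -> dict:
    """Privacy summary for one block: counts only, never the numbers."""
    sets = anonymity_sets(prefix, digits, nbytes)
    total = 10 ** digits
    return {
        "numbers": total,
        "distinct_hashes": len(sets),
        # Average number of subscribers hiding behind one broadcast value.
        "average_set": total / len(sets),
        # Numbers whose truncated hash is shared with nobody else in the block.
        "unique": sum(1 for n in sets.values() if n == 1),
    }

def expected_candidates(space: int, nbytes: int) -> float:
    """Expected numbers per truncated hash when `space` numbers are possible."""
    return space / 256 ** nbytes

if __name__ == "__main__":
    BLOCK = "1555010"  # constructed block: 10,000 made-up numbers
    for nbytes in (1, 2, 3):
        print(nbytes, "byte(s):", summarize(BLOCK, 4, nbytes))
    # A full seven-digit space behind one area code:
    for nbytes in (2, 3):
        print(nbytes, "byte(s):", expected_candidates(10 ** 7, nbytes))
```

With ten million possible numbers behind one area code, two bytes leave about 153 candidates per broadcast value and three bytes leave fewer than one, so truncating the hash does not restore the privacy that the small number space takes away.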
Hexway actually has a scenario on video that shows how someone on a subway or near other iPhone users can employ a laptop to capture the "hash" sent by an iPhone user attempting to use AirDrop. The number is figured out using the aforementioned database, and the person's name can be discovered using the Truecaller app or from the name of the device (e.g., Joe's iPhone). With that information, an iMessage can be sent to the unsuspecting iPhone owner.
AirDrop and Bluetooth LE could be giving away your phone number and Wi-Fi password
Another problem is the Wi-Fi sharing feature that iPhone users have. When you tap on a network, Bluetooth LE sends password requests to other devices using a Wi-Fi network. The other device knows that it is you making the request because of the data being sent out through Bluetooth, such as hashes of your phone number, Apple ID, and email. Hexway was able to make an unsuspecting iPhone user's phone try to connect to a Wi-Fi network in order to receive the password.
And incoming Bluetooth LE requests can be used by an attacker to disguise themselves as another device, such as a pair of Apple AirPods. Or, even more deviously, such a request can be used to pretend to be a friend's phone to steal the Wi-Fi password of, say, a corporate account.
To protect yourself, the only thing you can do, according to Hexway, is turn off Bluetooth on your iPhone. You might not be able to use AirDrop or some of the other features, but if you want to make sure that what happens on your iPhone stays on your iPhone, you will have to give up some features of convenience.