You'll never guess who is leaking your Apple iPhone's number and Wi-Fi password

Someone very close to you and very near and dear to your heart is leaking the number of your Apple iPhone to others. When you find out who this person is, you are going to be so disgusted that you'll want to take this person to the back of the shed and slap them around a few times. Oh, by the way, that person is you. According to security firm Hexway (via Fast Company), those using the AirDrop feature to send photos, contacts and other content to nearby iPhone users are also transmitting their phone numbers to strangers.

Now we should point out that your complete phone number isn't streaming out in a way that anyone can grab it. What is being sent is a couple of bytes of the "hash" of your number every time you hit share. Hashing is a form of cryptography that takes data and converts it into a unique string of text. Those interested in stealing your number could have the hashes of every phone number in a particular region, based on area code. After all, each area code has a limited number of options. That makes it possible for an attacker to figure out your phone number from just a few bytes of "hash."
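The following added example (not from Hexway or the original article) measures how many numbers in a small keyspace share one truncated hash, which is why hashing a low-entropy identifier such as a phone number does not hide it. SHA-256, the prefix lengths, and the fictional `+1 555 01xxxxx` range are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

def truncated_hash(number: str, nbytes: int) -> bytes:
    """First nbytes of SHA-256(number). SHA-256 is an assumption here;
    the article does not name the algorithm."""
    return hashlib.sha256(number.encode("ascii")).digest()[:nbytes]

def constructed_keyspace(size: int = 100_000) -> list:
    """Constructed sample numbers under the fictional prefix +1 555 01."""
    return [f"+155501{i:05d}" for i in range(size)]

def build_index(numbers, nbytes: int) -> dict:
    """Group every number in the keyspace by its truncated hash."""
    index = defaultdict(list)
    for n in numbers:
        index[truncated_hash(n, nbytes)].append(n)
    return index

def anonymity_set(number: str, numbers, nbytes: int) -> list:
    """All numbers in the keyspace that are indistinguishable from `number`
    when only nbytes of the hash are visible."""
    return build_index(numbers, nbytes)[truncated_hash(number, nbytes)]

def expected_candidates(keyspace_size: int, nbytes: int) -> float:
    """Average number of keyspace entries per truncated-hash value."""
    return keyspace_size / 256 ** nbytes

if __name__ == "__main__":
    ks = constructed_keyspace()
    me = ks[31337]  # constructed number standing in for one user
    for nbytes in (1, 2, 3):
        same = anonymity_set(me, ks, nbytes)
        print(f"{nbytes} byte(s) visible: {len(same)} of {len(ks)} "
              f"numbers remain plausible")
    # A full 7-digit subscriber range (10**7 numbers) against 3 hash bytes:
    print(f"expected matches per value: {expected_candidates(10**7, 3):.3f}")
```

When the expected count falls below one, the truncated hash identifies the number almost as well as the number itself would.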

Hexway actually has a scenario on video that shows how someone on a subway or near other iPhone users can employ a laptop to capture the "hash" sent by an iPhone user attempting to use AirDrop. The number is figured out using the aforementioned database and the person's name can be discovered using the Truecaller app or from the name of the device (ex. Joe's iPhone). With that information, an iMessage can be sent to the unsuspecting iPhone owner.

AirDrop and Bluetooth LE could be giving away your phone number and Wi-Fi password


Another problem is the Wi-Fi password sharing feature that iPhone users have. When you tap on a network, Bluetooth LE sends password requests to other devices using a Wi-Fi network. The other device knows that it is you making the request because of the data being sent out through Bluetooth, such as hashes of your phone number, Apple ID, and email. Hexway was able to make an unsuspecting iPhone user's phone try to connect to a Wi-Fi network in order to receive the password.


And incoming Bluetooth LE requests can be used by an attacker to disguise themselves as another device, such as a pair of Apple AirPods. Or even more devious, such a request can be used to pretend to be a friend's phone to steal the Wi-Fi password of, say, a corporate account.

To protect yourself, the only thing you can do, according to Hexway, is turn off Bluetooth on your iPhone. You might not be able to use AirDrop or some of the other features, but if you want to make sure that what happens on your iPhone stays on your iPhone, you will have to give up some features of convenience.



17 Comments

1. oldskool50 unregistered

Whatever is on your iPhone, stays on your iPhone....hah!!!! I remember when sharing photos by touching phones on Samsung devices was a cool feature. I bet it didn't leak data. Apple has always been terrible at software. They ruined Final Cut Pro. iTunes is worse than the Windows Media Player. QuickTime is the worst video player ever. OSX/NextStep OS is good on paper, as Object Oriented Programming is awesome. Poorly executed in OSX though. Apple....Apple...Apple...

3. adecvat

Posts: 659; Member since: Nov 15, 2013

> I bet it didn't leak data. > android :)

6. sgodsell

Posts: 7605; Member since: Mar 16, 2013

Can you honestly ask yourself why Apple has to send out a user's phone number as a hash when you AirDrop something? That is not needed at all. I actually thought it was the IMEI, which is a unique number to every smartphone. In any case Apple doesn't need to send that at all.

7. GeorgeAF

Posts: 90; Member since: Feb 25, 2014

Sounds more like an "Apple" issue than a "You" issue. Something Apple can prevent, since AirDrop is a built-in feature, not something people download before using it. One finger might be pointing at the user but all other four are pointing at Apple.

10. adecvat

Posts: 659; Member since: Nov 15, 2013

BLE issue

8. almostdone

Posts: 450; Member since: Sep 25, 2012

Typical iPhoneArena articles instead of pointing finger where the blame should be at Apple. They kiss a** again and blame anything else. This time at the users. What would the world become if people were actually truthful?

11. Ichimoku

Posts: 179; Member since: Nov 18, 2018

If I am not wrong, Bluetooth has a feature called only visible on paired devices. Correct me.

14. AlienKiss

Posts: 280; Member since: May 21, 2019

All wireless connections are dangerous to use because it's not that hard to 'catch it from air'. DoS Attacks are the most common practice in combination with USB network drives. A regular phone cannot see other devices that are 'hidden', but with some extra hardware.. anything is possible.

19. lyndon420

Posts: 6897; Member since: Jul 11, 2012

Just another reason why I prefer wired headphones - Bluetooth not needed.

12. kanagadeepan

Posts: 1278; Member since: Jan 24, 2012

So, according to PA, "YOU are sharing it wrong..."

16. KENNE

Posts: 30; Member since: Oct 23, 2014

Did anyone notice that "the vulnerability is a million dollar feature" according to Hexway? What happened with calling a spade a spade? We know all wireless features have their flaws... But calling a flaw a FEATURE is what baffles me Mr iPerfect. Gosh..

17. cmdacos

Posts: 4334; Member since: Nov 01, 2016

"Security", "Privacy" - all lies but marketing at its finest...

18. worldpeace

Posts: 3135; Member since: Apr 15, 2016

Of course it's YOU.. The same old Apple : "You use it WRONG"

* Some comments have been hidden, because they don't meet the discussions rules.
