China loathes AirDrop so much it's publicized an old flaw in Apple's P2P protocol
Infosec academic suggests Beijing's warning that iThing owners aren't anonymous deserves attention outside the great firewall too
In June 2023 China made a typically bombastic announcement: operators of short-distance ad hoc networks must ensure they run according to proper socialist principles, and ensure all users divulge their real-world identities.
The announcement targeted techs like running Wi-Fi hotspots from smartphones and Apple's AirDrop, as they both allow the operation of peer-to-peer networks. AirDrop allows users to accept incoming files from unknown parties and was reportedly used to share anti-government material during China's long and strict COVID-19 lockdowns.
China understands that Apple considers AirDrop's peer-to-peer links are a feature, not a bug.
But Chinese netizens know they're always being watched in the name of national security, and many welcome it.
Which is why Chinese authorities last week admitted that the use of AirDrop is considered problematic after police previously found inappropriate material being shared on the Beijing subway using the protocol.
"Because AirDrop does not require an Internet connection to be delivered, this behavior cannot be effectively monitored through conventional network monitoring methods, which has become a major problem for the public security organs to solve such cases," states an article posted by the city of Beijing's municipal government.
The piece goes on to describe an assessment by the Beijing Wangshendongjian Forensic Appraisal Institute that found the techniques Apple uses to anonymize AirDrop users' identities is easily circumvented because identifiable information is only hashed and a technique called a "rainbow table" allows access to the relevant information in plain text.
Chinese netizens are therefore on notice that their attempts to share material critical of Beijing can be observed, meaning the 2023 pronouncement about such networks is now more than a theoretical warning. Netizens now know that AirDrop can lead to nasty consequences.
- China reportedly bans iPhones from more government offices
- China to Meta: Flattery needed to get you into our VR market
- LinkedIn links out of China with 716 roles for the chop
- No 'decoupling' here: Apple, Samsung, and Qualcomm sing China's praises
Infosec academic Matthew Green analyzed the Chinese post, and research on AirDrop published in 2019 by academics from Germany's Technische Universität Darmstadt, and concluded the protocol is leaky and the Chinese Institute's assertions are entirely plausible – if an Apple ID or phone number can be guessed by an attacker.
"The big question in exploiting this vulnerability is whether it's possible to assemble a complete list of candidate Apple ID emails and phone numbers," wrote Green, a cryptographer and professor at Johns Hopkins University. I
The extent of surveillance in China means gathering candidate info would not be vastly difficult. Green's post details ways in which actors could create lists of target credentials.
AirDrop users are therefore at risk, in China, or anywhere else. Green suggests "a bizarre high-entropy Apple ID that nobody will possibly guess" as one way to protect yourself. "Apple could also reduce their use of logging," he wrote, before suggesting that Cupertino could easily fix this issue by using a robust version of a cryptographic technique called "Private Set Intersection."
"But this is not necessarily an easy solution, for reasons that are both technical and political," he observed. "It's worth noting that Apple almost certainly knew from the get-go that their protocol was vulnerable to these attacks — but even if they didn't, they were told about these issues back in May 2019 by the Darmstadt folks. It's now 2024, and Chinese authorities are exploiting it. So clearly it was not an easy fix."
Green then speculated that even if Apple can fix the issue, it might not want to undertake repairs given it earns around 20 percent of its revenue in China. That revenue is already at risk: in 2023 Beijing discouraged use of the iPhone by government employees and suggested buying made-in-China phones as a more patriotic choice.
"Hence there is a legitimate question about whether it's politically wise for Apple to make a big technical improvement to their AirDrop privacy, right at the moment that the lack of privacy is being viewed as an asset by authorities in China. Even if this attack isn't really that critical to law enforcement within China, the decision to 'fix' it could very well be seen as a slap in the face," Green wrote. ®