Apple’s AirDrop and Android’s Quick Share vulnerable: nearby hackers initiate connection, crash devices, or worse


Five billion iPhones and Android phones are listening for potential file drops via AirDrop and Quick Share, leaving users exposed to nearby hackers who can cause crashes, tamper with active transfers, or, potentially, even run code. Researchers have probed the protocols and disclosed six security flaws.

Key takeaways:

AirDrop and Quick Share let nearby attackers interact with a device before any pairing or authentication, and these proximity-transfer protocols are deeply ingrained in the privileged layers of the system, all the way down to the kernel. Yet they remain largely unstudied and undocumented.


Researchers at the CISPA Helmholtz Center for Information Security wanted to change that, so they reverse-engineered the systems from scratch and devised a torture test to see what would break.

It has already netted six security vulnerabilities: three denial-of-service (crash) bugs in AirDrop, two protocol-state manipulation bugs in Quick Share, and one use-after-free bug in Quick Share for Windows that could lead to remote code execution.

These bugs affect nearly everyone with a smartphone.

“Apple reports over 2.2 billion active devices running sharingd, and Google reports over 3 billion active Android devices with Quick Share as the default sharing mechanism on Samsung devices and available system-wide on Android,” the research reads.


A potential attacker needs to be within roughly 10-30 meters of the targeted device. In densely populated environments, however, a single attacker can reach hundreds of devices simultaneously. Another asterisk: the AirDrop bugs required the device to be in the most permissive “Everyone for 10 Minutes” receiving mode.

The vulnerabilities were responsibly disclosed to the vendors, and the fixes are underway.

However, while these flaws may be patched, the exposure remains. The findings suggest that proximity transfer protocols expose “a broad spectrum of bug classes rather than a single dominant failure mode.”


“Both protocols expose pre-authentication attack surfaces from wireless proximity and exhibit insufficient input validation at the application layer,” the study warns.


Bombarding the software with malformed inputs

The researchers first had to reverse-engineer the entire AirDrop protocol without access to its source code. They mapped its internal seven-layer stack, consisting of Bluetooth LE-based discovery, WiFi-based AWDL (Apple Wireless Direct Link) networking, TLS encryption, HTTP transport, encoding, compression, and file packaging.

Then they developed a custom protocol-aware fuzzer, dubbed AirFuzz, which takes a known valid request (a seed), automatically mutates it, and watches for crashes. The roughly 12,000-line tool has been released.

“We discovered two zero-click and one post-accept pre-authentication vulnerabilities in AirDrop,” the researchers said.

The first crash can be triggered with a single HTTP POST request – it immediately kills the sharingd service, which is responsible for AirDrop, AirPlay, Handoff, Universal Clipboard, and Continuity Camera on macOS and iOS.

The second bug is triggered by a malformed request containing a deeply nested XML property list; parsing it recurses once per nesting level and overflows the stack.


“This vulnerability affects not just sharingd, but Foundation.framework itself. Any Apple application that deserializes untrusted XML property lists … is vulnerable. The attack surface spans macOS, iOS, watchOS, tvOS, and visionOS,” the study reads.
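To make the second AirDrop bug concrete, here is an added example in Python. It is not the researchers' code and not how Foundation.framework parses property lists; it only shows the shape of the bug and the guard a deserializer of untrusted plists can apply. A naive recursive walk over a deeply nested document burns one stack frame per level (Python raises RecursionError where C would overflow the stack), while an iterative expat pass can measure the nesting depth first and refuse the input before the real decoder ever sees it. The plist builder, the 64-level limit and the 5,000-level attack input are constructed assumptions for the example.

```python
import plistlib
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed attacker-style input: `depth` nested <array> elements. Real
# AirDrop plists are not shown on the page; this only reproduces the shape.
PLIST_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
              b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
              b'<plist version="1.0">')
PLIST_TAIL = b'</plist>\n'


def nested_plist(depth: int) -> bytes:
    return PLIST_HEAD + b'<array>' * depth + b'</array>' * depth + PLIST_TAIL


def recursive_depth(elem) -> int:
    """How a hand-written deserializer typically descends: one frame per level."""
    return 1 + max((recursive_depth(child) for child in elem), default=0)


def recursive_walk_overflows(depth: int) -> bool:
    """True if a naive recursive walk of a `depth`-level plist blows the stack."""
    tree = ET.fromstring(nested_plist(depth))   # expat-based and iterative: parses fine
    try:
        recursive_depth(tree)
        return False
    except RecursionError:
        return True


def max_nesting_depth(data: bytes) -> int:
    """Measure element nesting with expat callbacks: no recursion, constant stack."""
    depth = deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)

    def end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return deepest


class NestingTooDeep(ValueError):
    pass


def safe_plist_loads(data: bytes, max_depth: int = 64):
    """Gate untrusted plists on nesting depth *before* the real deserializer runs.
    The 64-level limit is an assumption chosen for this example."""
    depth = max_nesting_depth(data)
    if depth > max_depth:
        raise NestingTooDeep(f"nesting depth {depth} exceeds limit {max_depth}")
    return plistlib.loads(data)


def safe_loads_rejects(depth: int) -> bool:
    """True if the guarded loader refuses a `depth`-level plist."""
    try:
        safe_plist_loads(nested_plist(depth))
        return False
    except NestingTooDeep:
        return True
```

The point of the two-pass design is that the depth check itself must not be recursive, otherwise it just moves the crash one function earlier; expat's event interface gives an O(1)-stack way to reject the input, and the limit can be far below anything a legitimate transfer manifest needs.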


The third crash uses deliberately malformed HTTP requests that contain duplicate or conflicting headers. Apple’s HTTP/1.1 parser does not reject them; it enters an inconsistent state and dereferences an object that does not exist, resulting in a segmentation fault.

The researchers flag this bug as promising for future research because a NULL-pointer dereference can sometimes be escalated to code execution. That is the exception rather than the rule: on current systems the zero page is unmapped, so a plain NULL dereference is only a crash, and escalation depends on the attacker controlling the offset added to the pointer or the inconsistent parser state behind it.
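The mutational fuzzing loop described above and the third AirDrop bug can be illustrated together. The following is an added Python example, not AirFuzz and not Apple's parser: a small strict HTTP/1.1 head parser that refuses duplicate or conflicting framing headers instead of carrying on in an inconsistent state, plus a protocol-aware mutator that takes a seed request, repeats, rewrites and drops header lines or flips bits, and checks that the parser only ever fails through its one controlled exception. The seed request, the address and path in it, and the mutation set are constructed for the example.

```python
import random
import string


class MalformedRequest(ValueError):
    """The only exception the parser may raise on hostile input."""


TOKEN = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")
# Headers whose duplication or conflict changes message framing (RFC 9112 §6).
FRAMING = {"host", "content-length", "transfer-encoding"}


def parse_request_head(raw: bytes) -> dict:
    """Strict HTTP/1.1 head parser: a lenient parser keeps the first or last copy
    of a repeated header and carries on; this one rejects the request outright."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise MalformedRequest("non-ASCII byte in head")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1":
        raise MalformedRequest(f"bad request line: {lines[0]!r}")
    method, target, _ = parts
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        value = value.strip(" \t")
        if not sep or not name or not set(name) <= TOKEN:
            raise MalformedRequest(f"bad header line: {line!r}")
        if not all(c == "\t" or 0x20 <= ord(c) < 0x7F for c in value):
            raise MalformedRequest(f"control character in {name}")
        key = name.lower()
        if key in headers and key in FRAMING:
            raise MalformedRequest(f"duplicate {name} header")
        headers[key] = value if key not in headers else headers[key] + ", " + value
    if "host" not in headers:
        raise MalformedRequest("missing Host")
    if "content-length" in headers:
        if "transfer-encoding" in headers:
            raise MalformedRequest("Content-Length alongside Transfer-Encoding")
        cl = headers["content-length"]
        if not cl.isdigit() or int(cl) != len(body):   # "5, 5" fails isdigit too
            raise MalformedRequest(f"bad Content-Length: {cl!r}")
    return {"method": method, "target": target, "headers": headers, "body": body}


# Constructed seed request; address and path are placeholders, not AirDrop's.
SEED = (b"POST /upload HTTP/1.1\r\n"
        b"Host: 192.168.1.20:8770\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Length: 5\r\n"
        b"\r\n"
        b"hello")
# Hand-made duplicate Content-Length case, the class of input bug three needs.
DUP_CL = SEED.replace(b"Content-Length: 5\r\n",
                      b"Content-Length: 5\r\nContent-Length: 50\r\n")


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Protocol-aware mutation: operate on header lines, not only raw bytes."""
    head, sep, body = seed.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    op = rng.randrange(5)
    if op == 0:                       # repeat a header verbatim
        lines.append(rng.choice(lines[1:]))
    elif op == 1:                     # repeat a header with a new value
        name = rng.choice(lines[1:]).split(b":")[0]
        lines.append(name + b": " + str(rng.randrange(1 << 16)).encode())
    elif op == 2:                     # add a conflicting framing header
        lines.append(b"Transfer-Encoding: chunked")
    elif op == 3:                     # flip one bit somewhere in the head
        buf = bytearray(head)
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        lines = bytes(buf).split(b"\r\n")
    else:                             # drop a header
        del lines[rng.randrange(1, len(lines))]
    return b"\r\n".join(lines) + sep + body


def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Mutate, parse, classify. Anything other than MalformedRequest escaping
    the parser counts as a crash: the parser left its contract."""
    rng = random.Random(rng_seed)
    stats = {"accepted": 0, "rejected": 0, "crashes": []}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parse_request_head(case)
            stats["accepted"] += 1
        except MalformedRequest:
            stats["rejected"] += 1
        except Exception as exc:      # a fuzzer wants to see everything else
            stats["crashes"].append((case, repr(exc)))
    return stats


def is_rejected(raw: bytes) -> bool:
    try:
        parse_request_head(raw)
    except MalformedRequest:
        return True
    return False
```

The mutations are chosen from the protocol's grammar (duplicate, rewrite, conflict, drop) rather than purely random bytes, which is what makes a fuzzer "protocol-aware": random bit flips mostly produce requests the parser discards in the first few bytes, while grammar-level mutations reach the header-merging logic where the original bug lived.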

The researchers also reverse-engineered and analyzed the Quick Share implementation on a Samsung Galaxy S23 Ultra running Android 16, as well as Google Quick Share for Windows. They discovered three bugs:

  • The device processed certain commands before authentication was complete, allowing an attacker to initiate a Quick Share connection and manipulate the connection process, keeping unwanted sessions alive.
  • An on-path attacker on the same WiFi network can inject unencrypted control frames into an active Quick Share transfer, defeating the device-to-device encryption layer.
  • Google Quick Share for Windows contains a use-after-free bug, which can be triggered by a race condition. Researchers assessed that it could be developed into a full remote code-execution exploit, and they were awarded a bug bounty.

The researchers also acknowledge that their study was limited and that more bugs might be uncovered in the future.

“Our findings show that proximity protocols are a structural vulnerability class: fatal assertions in network-facing code, missing dispatcher-level authentication and encryption enforcement, and unsynchronized concurrent endpoint management recur across independently developed implementations,” the study concludes.

