Saturday, November 16, 2024

China warns of flaws in AirDrop de-anonymization • The Register

Must read


In June 2023, China made a typically bombastic announcement. Operators of short-range ad hoc networks must operate their networks according to sound socialist principles and require all users to reveal their real-world identities.

The announcement targets technologies such as running a Wi-Fi hotspot from a smartphone and Apple’s AirDrop, both of which enable the operation of peer-to-peer networks. AirDrop allows users to accept incoming files from unknown parties and was reportedly used to share anti-government content during China’s long and strict coronavirus lockdown.

China understands that Apple considers AirDrop’s peer-to-peer links to be a feature, not a bug.

However, Chinese netizens are aware that they are constantly being monitored in the name of national security, and many welcome it.

This comes after Chinese authorities said last week that the use of AirDrop is problematic, after police previously found inappropriate content being shared using the AirDrop protocol on the Beijing subway. This is the reason for acknowledging that this is considered to be the case.

“Because AirDrop does not require an internet connection for delivery, this activity cannot be effectively monitored using traditional network monitoring methods, creating a major problem for public safety agencies to resolve such incidents,” the city said. It is stated in the article posted by. Beijing city government.

The article goes on to explain that the technology Apple uses to anonymize the identity of AirDrop users is that the identifiable information is simply hashed, and a technique called “Rainbow Tables” links it to related information. It describes an evaluation by the Beijing Wangshen Dongjian Forensic Medical Appraisal Institute, which found that it can be easily circumvented because access is allowed. Plaintext information.

Therefore, Chinese netizens are attentive to observed attempts to share content critical of Beijing, which means that the 2023 statement on such networks is now more than a theoretical warning. It means something. Netizens now know that AirDrop can have nasty consequences.

Infosec scholar Matthew Green analyzed Chinese posts and a study on AirDrop published in 2019 by academics at Germany’s Darmstadt University of Technology and found that the protocol has been leaked, including Apple ID and phone numbers. If it can be inferred, the China Institute’s claims are entirely plausible. attacker.

“A major issue in exploiting this vulnerability is being able to collect a complete list of candidate Apple ID emails and phone numbers,” wrote Green, a cryptologist and professor at Johns Hopkins University. Masu.I

The scope of surveillance in China means it is not too difficult to collect information on candidates. Green’s post details how attackers create a list of target credentials.

So AirDrop users, whether in China or anywhere else, are at risk. Green suggests “a weird, high-entropy Apple ID that no one can guess” as one of his ways to protect yourself. “Apple could also reduce its use of logging,” he wrote, before going on to say that Cupertino could easily solve this problem by using a robust version of an encryption technique called “private set intersection.” suggested.

“But for technical and political reasons, this is not necessarily an easy solution,” he said. “It’s worth noting that Apple almost certainly knew all along that its protocols were vulnerable to these attacks. But even if it didn’t know, in May 2019 We were informed about these issues by the people of Darmstadt. It’s now 2024 and the Chinese authorities are exploiting that. So it was clearly not a simple fix.”

Green then speculated that even if Apple were able to fix the problem, it might not want to take on the repairs, given that it makes about 20% of its revenue in China. That income is already at risk. In 2023, the Chinese government encouraged government employees to use iPhones and offered them a more patriotic option of purchasing Chinese-made cell phones.

“Thus, there are legitimate questions about whether it is politically wise for Apple to make significant technical improvements to AirDrop privacy. lack of privacy Chinese authorities consider it an asset. “Even though this attack is actually not that significant for China’s domestic law enforcement agencies, the decision to ‘fix’ it is very likely to be seen as a slap in the face,” Green wrote. . ®



Source link

More articles

2 COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest article