A Chinese state-backed research institute claims to have discovered how to decrypt device logs for Apple's AirDrop feature, allowing the government to identify phone numbers or email addresses of those who shared content.

China has a long history of censoring its people: requesting that Apple block access to mobile apps, blocking encrypted messaging apps such as Signal, and creating the Great Firewall of China to control which sites can be visited in the country.

To get around censorship in the country, people turned to Apple's AirDrop feature, which doesn't require cellular service and uses Bluetooth and a private Wi-Fi network to send images and photos between devices.

During the 2019 pro-democracy protests in Hong Kong, protesters frequently used AirDrop to share pamphlets and posters. In 2022, the New York Times reported that Chinese protesters again turned to AirDrop to spread awareness of protests and anti-Xi messages.

Soon after, Apple released iOS 16.1.1, which limited the ability to receive AirDropped images from “Everyone” to only 10 minutes for phones sold in China.

At the time, it was believed this restriction was added to prevent the feature from being used by Chinese protesters. The change has since been applied to all iOS devices, regardless of their geographic region.

Cracking AirDrop

Today, Bloomberg first reported that China's Beijing Wangshendongjian Judicial Appraisal Institute has discovered a way to extract the phone numbers, email addresses, and device names of those who sent and received an AirDropped image from device logs.

The institute says it conducted this research after Apple AirDrop was used to send "inappropriate" comments in the Beijing subway.

"After preliminary investigation, the police found that the suspect used the AirDrop function of the iPhone to anonymously spread the inappropriate information in public places," reads an announcement by the Chinese government.

"Due to the anonymity and difficulty of tracking AirDrop, some netizens have begun to imitate this behavior. Therefore, it is necessary to find the sending source and determine its identity as soon as possible to avoid negative impacts."

The research institute says the sender's device name, email address, and mobile phone number are hashed in the iOS device logs.

Using rainbow tables, the researchers claim to have been able to reverse these hashes and recover the sender's information.
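The weakness being exploited is that a phone number or e-mail address has little entropy, so an unsalted hash of it can be reversed with a precomputed table. The following added example (not code from the article or from Apple) demonstrates this on a constructed, tiny number space and shows the usual mitigation: a keyed hash (HMAC), which a precomputed table cannot match without the key. It assumes unsalted SHA-256 as the hash and uses a made-up, non-routable "+1555" prefix.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed search space: every number "+1555" followed by 4 digits
# (10,000 candidates). Real numbering plans are larger but still
# enumerable, which is the whole point of precomputation.
PREFIX = "+1555"  # constructed, non-routable prefix


def unsalted_hash(identifier: str) -> str:
    """Assumption for illustration: an unsalted SHA-256 of the identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def build_lookup_table(prefix: str, digits: int) -> Dict[str, str]:
    """Precompute digest -> identifier for every number with the prefix.

    A plain lookup table is the simplest form of the rainbow-table idea:
    do the hashing once, then answer any logged digest by dictionary lookup.
    """
    table: Dict[str, str] = {}
    for n in range(10 ** digits):
        number = f"{prefix}{n:0{digits}d}"
        table[unsalted_hash(number)] = number
    return table


def recover(table: Dict[str, str], digest: str) -> Optional[str]:
    """Return the identifier behind a logged digest, or None if unknown."""
    return table.get(digest)


def keyed_hash(identifier: str, key: bytes) -> str:
    """Mitigation: HMAC-SHA256 under a secret key.

    The digest still lets the holder of the key match contacts, but a
    table built without the key never contains it.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    table = build_lookup_table(PREFIX, 4)
    logged = unsalted_hash("+15550042")          # what a log line might hold
    print("unsalted digest recovered as:", recover(table, logged))
    keyed = keyed_hash("+15550042", b"\x00" * 32)  # constructed demo key
    print("keyed digest recovered as:", recover(table, keyed))
```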

China says they have already used this forensics ability to "identify multiple suspects involved in the case."
