Chinese authorities recently said they’re using an advanced encryption attack to de-anonymize users of AirDrop in an effort to crack down on citizens who use the Apple file-sharing feature to mass-distribute content that’s outlawed in that country.
According to a 2022 report from The New York Times, activists have used AirDrop to distribute scathing critiques of the Communist Party of China to nearby iPhone users in subway trains and stations and other public venues. A document one protester sent in October of that year called General Secretary Xi Jinping a “despotic traitor.” A few months later, with the release of iOS 16.1.1, the AirDrop users in China found that the “everyone” configuration, the setting that makes files available to all other users nearby, automatically reset to the more limited contacts-only setting. Apple has yet to acknowledge the move. Critics continue to see it as a concession Apple CEO Tim Cook made to Chinese authorities.
The rainbow connection
On Monday, eight months after the half-measure was put in place, officials with the local government in Beijing said some people have continued mass-sending illegal content. As a result, the officials said, they were now using an advanced technique publicly disclosed in 2021 to fight back.
“Some people reported that their iPhones received a video with inappropriate remarks in the Beijing subway,” the officials wrote, according to translations. “After preliminary investigation, the police found that the suspect used the AirDrop function of the iPhone to anonymously spread the inappropriate information in public places. Due to the anonymity and difficulty of tracking AirDrop, some netizens have begun to imitate this behavior.”
In response, the authorities said they’ve implemented the technical measures to identify the people mass-distributing the content.
The scant details and the quality of Internet-based translations don’t explicitly describe the technique. All the translations, however, have said it involves the use of what are known as rainbow tables to defeat the technical measures AirDrop uses to obfuscate users’ phone numbers and email addresses.
Rainbow tables were first proposed in 1980 as a means for vastly reducing what at the time was the astronomical amount of computing resources required to crack at-scale hashes, the one-way cryptographic representations used to conceal passwords and other types of sensitive data. Additional refinements made in 2003 made rainbow tables more useful still.
When AirDrop is configured to distribute files only between people who know each other, Apple says, it relies heavily on hashes to conceal the real-world identities of each party until the service determines there’s a match. Specifically, AirDrop broadcasts Bluetooth advertisements that contain a partial cryptographic hash of the sender’s phone number and/or email address.
If any of the truncated hashes match any phone number or email address in the address book of the other device, or if the devices are set to send or receive from everyone, the two devices will engage in a mutual authentication handshake. When the hashes match, the devices exchange the full SHA-256 hashes of the owners’ phone numbers and email addresses. This technique falls under an umbrella term known as private set intersection, often abbreviated as PSI.
In 2021, researchers at Germany’s Technical University of Darmstadt reported that they had devised practical ways to crack what Apple calls the identity hashes used to conceal identities while AirDrop determines if a nearby person is in the contacts of another. One of the researchers’ attack methods relies on rainbow tables.