Don't miss out on CNN's Meanwhile in China newsletter, diving into the country's growing influence and its global impact. In 2019, security researchers alerted Apple about vulnerabilities in its AirDrop function, which Chinese authorities reportedly exploited to track users. This case has significant implications for international privacy, according to experts.
The Chinese government's crackdown on AirDrop, a tool used by Apple customers around the world to share photos and documents, and Apple's lack of action to address the issues, bring back concerns by US lawmakers and privacy advocates about Apple's ties to China and the ability of authoritarian regimes to exploit US tech products for their own purposes.
AirDrop allows Apple users in close proximity to share files using a unique combination of Bluetooth and other wireless technologies without needing an internet connection. This sharing capability has been utilized by pro-democracy activists in Hong Kong, prompting the Chinese government to take action against it.
Beijing-based Wangshendongjian Technology, a Chinese tech company, successfully exploited AirDrop to identify users on the Beijing subway who were accused of sharing "inappropriate information," according to judicial authorities in Beijing this week.
While Chinese officials lauded the exploit as an efficient law enforcement method, advocates for internet freedom are calling on Apple to promptly and openly address the issue.
Benjamin Ismail, campaign and advocacy director of Greatfire.org, emphasizes the importance of Apple's response to the situation. He urges the company to either deny or confirm the Chinese claim and take immediate action to secure AirDrop against vulnerabilities. Transparency from Apple regarding their response is crucial. This Chinese claim has raised concerns among top US lawmakers, such as Florida Sen. Marco Rubio, who has urged Apple to take swift action.
"Anyone with an iPhone should be worried about the security of Apple's AirDrop feature," Rubio stated in an interview with CNN. "This security breach is another tactic used by Beijing to target Apple users they see as opposition. It's time for action, and Apple needs to take responsibility for not protecting its users from such obvious security threats."
Despite multiple emails and phone calls seeking comment, an Apple spokesperson did not respond.
Researchers from the Technical University of Darmstadt in Germany, who identified the flaws in 2019, informed CNN that Apple had been aware of their original report but did not seem to have addressed the issues. Despite the group offering a solution in 2021, Apple has not taken action on it, according to the researchers. Milan Stute, one of the researchers, presented an email to CNN that revealed Apple's product security team had acknowledged their report in 2019.
Precautions not taken
Chinese authorities have allegedly taken advantage of weaknesses in the system by gathering essential identifying data that needs to be exchanged between two Apple devices when using AirDrop, such as device names, email addresses, and phone numbers.
The information is typically scrambled for privacy, however, a 2021 analysis by UK-based cybersecurity firm Sophos revealed that Apple did not add extra precautions like adding bogus data to further randomize the results, a process known as "salting." This apparent oversight made it easier for the Chinese tech firm to reverse-engineer the original information from the encrypted data, which, according to Sascha Meinrath, the Palmer chair in telecommunications at Penn State University, seems to be "kind of an amateur mistake" by Apple. He added that it warrants an explanation from Apple as it may point to a serious flaw in their technology.
Although AirDrops device-to-device communications channel is protected by its own security measures, those who have been lured into connecting with a stranger could be at risk. This step is necessary for the sender to be identified, as noted by security experts. If unauthorized parties obtain the exchanged device-identifying information, the lack of salting would make it easier to guess the correct codes to unscramble the data, the experts explained.
Wangshendongjian Technology, a Chinese tech firm that claimed to have successfully exploited AirDrop, seems to have used techniques that were initially identified by Darmstadt researchers in 2019, according to Alexander Heinrich, a German researcher. "To the best of our knowledge, Apple has not yet acknowledged this issue," Heinrich informed CNN.
Security expert Kenn White, specializing in digital forensics, concurred that the information released by Chinese authorities regarding their hack aligns with the findings of the German researchers. "Based on my analysis, I would confidently say that they are almost certainly utilizing the methods outlined by Heinrich et al," White stated. "It's troubling that this design flaw has gone unaddressed for over three years."
Apple under pressure
On the heels of the Chinese claim, Sen. Ron Wyden, an Oregon Democrat and a vocal privacy advocate in Congress, blasted Apple over a "blatant failure" to protect its customers.
"According to Wyden, Apple has had four years to address the security vulnerability in AirDrop that posed a threat to user privacy and safety. Instead of taking action to protect human rights activists who rely on iPhones to share messages that the Chinese government seeks to suppress, Apple chose to do nothing. The technology company responsible for the AirDrop exploit has a track record of collaborating closely with Chinese law enforcement and security authorities."
The powerful Chinese cybersecurity firm Qi An Xin, the parent company, was tasked with safeguarding the 2022 Beijing Winter Olympic Games from cyberattacks, as stated by corporate database Aiqicha. According to the official Xinhua news agency, this demonstrates how the Chinese government frequently relies on the private sector to enhance its technical abilities. Dakota Cary, a China-focused consultant at US cybersecurity firm SentinelOne, emphasized the offensive capabilities of supposedly defensive Chinese cybersecurity companies.
Rarely does a government actor, like China, publicly disclose its capabilities, making the intentional reveal this week indicative of some other motive, according to White. "It's very much in their favor to keep their techniques confidential," White said.
Content Chinese officials may have wanted their exploit known in order to frighten dissidents away from using AirDrop, according to Ismail. With the Beijing authorities revealing the vulnerability exploit, Apple could face reprisal from Chinese officials if they attempt to address the issue, as several experts have stated.
In 2022, Apple's largest foreign market was China, where approximately 20% of the company's total revenue came from. The majority of iPhones are manufactured in Chinese factories, and if Apple were to close this loophole, it could result in consequences from Beijing. The revelation of the hack could also give China additional leverage to compel Apple to comply with its security and intelligence demands, as China could claim that Apple is already involved. Ismail suggested that this could further complicate the situation.
Matthew Green, a cryptography expert and professor at Johns Hopkins University, stated that had Apple addressed the issue when it was reported in 2019, it would have posed a difficult technical challenge. Now that Chinese security agencies are capitalizing on this vulnerability, it has become a complex political dilemma for Apple.