Researchers have identified six security vulnerabilities affecting Apple's AirDrop and the Quick Share feature used by Google and Samsung. The flaws, disclosed in a report by The Hacker News, allow an attacker within physical wireless range to crash receiving services on iPhones, Macs, and Android devices with minimal effort and no prior user interaction.
The vulnerabilities impact the initial connection handshake processes across the protocols. An attacker using only a laptop can target devices set to receive from "Everyone," exploiting a core design flaw that equates physical proximity with trust. The attacks require no prior pairing, no pop-up acceptance from the victim, and no specific app interaction, making them highly stealthy.
The research uncovered multiple attack vectors. One class of flaw causes a denial-of-service condition, effectively crashing the sharing service on the target device. More critically, other vulnerabilities enable bypasses of privacy controls, such as the "Contacts Only" setting, and allow for the manipulation of file metadata. The findings also revealed specific session bypass vulnerabilities in Samsung's implementation and a separate bug affecting Google's Quick Share for Windows, which has since been patched.
The impact is amplified by the ubiquity of these features in daily life. An attacker could deploy these exploits in crowded public spaces like airports, cafés, or transit stations, where devices are often set to discoverable modes for convenience. The silent, prompt-free nature of the attacks can cause significant disruption.
Both Apple and Google have responded with silent updates—Apple through iOS and macOS patches, and Google via Google Play Services and a Windows client update. However, the lack of prominent public advisories or detailed user guidance highlights a communication gap. Users remain uninformed about critical fixes to core, always-on features they rely on regularly.
This incident underscores a broader architectural challenge. The researchers suggest a necessary re-evaluation of security models for "tap-free" sharing. Future protocol designs must move away from implicit trust based on proximity and instead incorporate stronger, authenticated verification steps during the connection handshake, even if it introduces minor user friction as a security trade-off.
For users and IT administrators, the immediate priority is ensuring all devices are updated to the latest OS versions. As a precautionary measure in high-risk public environments, it is advisable to set AirDrop and Quick Share to more restrictive modes, such as "Contacts Only" or "Off," to limit the attack surface. The findings serve as a clear reminder that convenience features built for seamless interaction can create unforeseen security liabilities.
