Nearby attackers can crash Apple's AirDrop before users see a file transfer request, temporarily disabling AirPlay, Handoff, Universal Clipboard, and other Continuity features. The attacks pose no threat, assuming your device is configured properly.

The findings, published on June 30, also identify security flaws in Google and Samsung Quick Share. The CISPA Helmholtz Center for Information Security conducted the research.

Researchers Arash Ale Ebrahim and Nils Ole Tippenhauer analyzed the network protocols behind AirDrop and Quick Share. Their research identified three vulnerabilities affecting Apple's AirDrop implementation.

The team also found three additional vulnerabilities affecting Quick Share on Android and Windows. These attacks require an attacker to be within wireless range of a target device, typically between 10 and 30 meters, without prior pairing, an existing contact relationship, or a shared Wi-Fi network.

On Apple devices configured to receive AirDrop from "Everyone," AirDrop begins handling some incoming network requests before displaying a transfer prompt. The disclosed vulnerabilities primarily disrupt service availability instead of exposing user data.

The researchers didn't identify a way to steal files, bypass Apple's security protections, or execute arbitrary code on affected devices. Instead, the vulnerabilities repeatedly crash the background service that powers AirDrop and several other Continuity features until the service restarts.

One crash can disable multiple Apple features

The Apple vulnerabilities affect a background service called sharingd, which powers AirDrop, AirPlay, Handoff, Universal Clipboard, and Continuity Camera. A crash in sharingd can temporarily disable all of those features.

Figure: small table summarizing six software vulnerabilities, listing ID, target component, vulnerability class, preconditions, and impact, including denial of service, remote code execution, information disclosure, and man-in-the-middle scenarios. Caption: Apple has fixed one reported AirDrop vulnerability and assigned it a CVE identifier.

One vulnerability causes sharingd to immediately shut down when it receives an unexpected web request. An attacker can repeatedly trigger the crash by sending the malformed request every few seconds, according to the research.

Repeated malformed requests kept sharingd unavailable for as long as the attack continued. Legitimate AirDrop connections couldn't be established until the attack stopped.

A second vulnerability affects Foundation, Apple's core software framework.

The research found that deeply nested XML property list files could cause part of Foundation to run out of stack space. The bug could affect apps on macOS, iOS, watchOS, tvOS, and visionOS that parse untrusted XML property lists.
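For developers whose apps parse untrusted XML property lists, the added example below (not code from the researchers or from Apple) shows one way to bound nesting before a plist parser sees the input. It uses Python's expat and plistlib as stand-ins for the platform parser; the limits `MAX_DEPTH` and `MAX_BYTES` and all function names are assumptions chosen for illustration.

```python
import plistlib
from xml.parsers import expat

MAX_DEPTH = 64        # assumed policy limit, not a value from the research
MAX_BYTES = 1 << 20   # assumed size cap for an untrusted plist


class PlistRejected(ValueError):
    """Raised when untrusted input fails the pre-parse checks."""


def xml_depth(data: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Return the deepest element nesting, aborting once the limit is passed.

    expat delivers elements as start/end events, so the scan needs only a
    counter and its own stack use does not grow with the input's nesting.
    """
    depth = deepest = 0

    def start(_name, _attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            raise PlistRejected(f"nesting deeper than {max_depth} levels")

    def end(_name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise PlistRejected(f"malformed XML: {exc}") from exc
    return deepest


def load_untrusted_plist(data: bytes):
    """Size check, depth check, and only then the real plist parser."""
    if len(data) > MAX_BYTES:
        raise PlistRejected("input larger than the size cap")
    xml_depth(data)
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


def nested_arrays(levels: int) -> bytes:
    """Constructed sample: `levels` arrays nested inside one <plist> element."""
    return b'<plist version="1.0">' + b"<array>" * levels + b"</array>" * levels + b"</plist>"
```

The same pattern applies in any language: reject on size and depth with a non-recursive scan, then hand the input to the recursive parser.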

A third vulnerability uses malformed request headers to crash Apple's system HTTP parser. The flaw also causes a denial-of-service crash.

Quick Share findings extend beyond denial of service

The Quick Share vulnerabilities stemmed from how the protocol enforced authentication and encryption rather than from parser crashes. Samsung's implementation processed some protocol messages before authentication finished.

Samsung's version continued accepting certain message types without encryption after the devices had already established an encrypted connection. The flaws allowed some protocol messages to bypass expected authentication or encryption checks.

The team also identified a memory management bug known as a use-after-free vulnerability in Google's Quick Share client for Windows that stems from a race condition between competing connections. Testing showed the flaw could reliably crash the application.

The researchers didn't develop an exploit capable of arbitrary code execution. Google later awarded a bug bounty for the finding.

Apple confirmed that it fixed one reported AirDrop vulnerability and assigned it a CVE identifier, though it hasn't yet published the corresponding security advisory or disclosed the CVE number. The remaining Apple vulnerabilities are still under ongoing disclosure.

Google has fixed the Windows Quick Share use-after-free vulnerability, though a public CVE assignment is still pending. The Samsung-related protocol issues remain under investigation, according to the researchers.

Researchers found similar design challenges across both ecosystems

AirDrop and Quick Share share little underlying code, though the researchers found both platforms expose similar architectural challenges. Both platforms must process incoming network traffic before user interaction, creating a larger opportunity for attackers than many traditional network services.

Ale Ebrahim said the similarities didn't result from shared implementations. Apple's vulnerabilities mostly involved software crashing after receiving unexpected data.

Quick Share's vulnerabilities centered on inconsistent enforcement of authentication checks and concurrency management. The researchers concluded that consistently enforcing security-critical validation at a single boundary can reduce vulnerabilities in complex network protocols.
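The added sketch below (not Quick Share code and not from the researchers) illustrates that conclusion for the two Quick Share protocol issues described earlier: every frame passes one gate that checks session state before any handler runs. The frame names, the `Session` class and the `encrypted` flag are hypothetical stand-ins for a real record layer.

```python
from dataclasses import dataclass
from enum import Enum, auto


class State(Enum):
    HANDSHAKE = auto()   # peer not yet authenticated, no session keys
    SECURE = auto()      # authenticated; session keys established


@dataclass(frozen=True)
class Frame:
    kind: str
    encrypted: bool      # stand-in for "decrypted and verified by the record layer"
    body: bytes = b""


class ProtocolViolation(Exception):
    pass


# Hypothetical frame names; the only kinds a peer may send before authentication.
HANDSHAKE_KINDS = frozenset({"HELLO", "KEY_EXCHANGE"})


class Session:
    def __init__(self):
        self.state = State.HANDSHAKE
        self.handled = []   # kinds that reached a handler, kept for inspection
        self._handlers = {
            "HELLO": self._record,
            "KEY_EXCHANGE": self._finish_handshake,
            "FILE_OFFER": self._record,
            "KEEPALIVE": self._record,
        }

    def receive(self, frame: Frame) -> None:
        """The single boundary: no handler runs unless every check here passes."""
        handler = self._handlers.get(frame.kind)
        if handler is None:
            raise ProtocolViolation(f"unknown frame kind {frame.kind!r}")
        if self.state is State.HANDSHAKE and frame.kind not in HANDSHAKE_KINDS:
            raise ProtocolViolation(f"{frame.kind} before authentication")
        if self.state is State.SECURE and not frame.encrypted:
            raise ProtocolViolation(f"plaintext {frame.kind} on a secured session")
        handler(frame)

    def _record(self, frame: Frame) -> None:
        self.handled.append(frame.kind)

    def _finish_handshake(self, frame: Frame) -> None:
        self._record(frame)
        self.state = State.SECURE   # real code verifies the peer's proof first
```

Because handlers are reachable only through `receive`, adding a new frame kind cannot skip the state checks, which is the failure mode when each handler validates for itself.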

Additional security advisories could follow as vendors complete their investigations.

How to stay safe

These attacks require an attacker to be nearby and a device configured to accept AirDrop requests from people who aren't already contacts. Most Apple users aren't exposed to that combination during normal day-to-day use.

Users who don't need to receive files from strangers can further reduce exposure by leaving AirDrop set to "Contacts Only" or turning it off when it's not in use.