When you use AirDrop to send files on an iPhone, it’s possible for people nearby to learn your phone number, warns security firm Hexway.
The iPhone doesn’t directly broadcast its phone number. Instead, it transmits a few bytes of what’s called a hash of the number. A hash is the output of a complex mathematical function that takes a piece of data and essentially generates a fingerprint of it. Secure hash functions, like the one Apple uses, are difficult to reverse, so you can’t simply take a hash value and run an algorithm to determine the original data. That’s why secure websites typically store hashes of passwords rather than passwords themselves, so that if databases leak, hackers can’t immediately determine people’s passwords.
But the trouble with hashing phone numbers is that there’s only a relatively small number of possible numbers, so would-be eavesdroppers can easily store the hashes of all phone numbers in the area codes in their region. Then, when an iPhone transmits an AirDrop message or a password, they can capture those bytes of the hash and look up the number in the table, according to a blog post from Hexway.
Since the transmitted hash fragment is only a couple of bytes long, several candidate numbers can match it, according to the company.
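To gauge how little a truncated hash hides when the input space is small, the following added example (not code from Hexway or Apple) counts how many numbers in a constructed range share one hash fragment. SHA-256, the two-byte fragment length, the fictional `1555…` number format and all function names are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

PREFIX_BYTES = 2  # assumption: the article only says "a couple of bytes"


def truncated_hash(number: str, nbytes: int = PREFIX_BYTES) -> bytes:
    """First nbytes of a hash of the number (SHA-256 is an assumption)."""
    return hashlib.sha256(number.encode("ascii")).digest()[:nbytes]


def number_space(count: int = 100_000):
    """Constructed sample range of fictional numbers, not real subscribers."""
    return (f"1555{n:07d}" for n in range(count))


def build_index(numbers, nbytes: int = PREFIX_BYTES):
    """Group every number in the space by its hash fragment."""
    index = defaultdict(list)
    for num in numbers:
        index[truncated_hash(num, nbytes)].append(num)
    return index


def expected_candidates(space_size: int, nbytes: int = PREFIX_BYTES) -> float:
    """Average numbers per fragment if hash output is uniformly distributed."""
    return space_size / 256 ** nbytes


def anonymity_set(index, number: str, nbytes: int = PREFIX_BYTES):
    """All numbers in the space that are indistinguishable from `number`."""
    return index.get(truncated_hash(number, nbytes), [])


if __name__ == "__main__":
    index = build_index(number_space())
    own_number = "15550012345"  # constructed sample value
    hidden_among = anonymity_set(index, own_number)
    print(f"numbers in space:        {sum(len(v) for v in index.values())}")
    print(f"expected per fragment:   {expected_candidates(100_000):.2f}")
    print(f"sharing our fragment:    {len(hidden_among)}")
    # The hash function's strength is irrelevant here: privacy is bounded by
    # the size of the number space divided by the number of possible fragments.
```

Raising the count passed to `number_space` or changing `PREFIX_BYTES` shows how the number of indistinguishable candidates scales with the size of the number space and the fragment length.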
Apple didn’t immediately respond to an inquiry from Fast Company.
The phones transmit the hashes so that other people’s devices can identify AirDrop messages as coming from trusted contacts, according to Hexway. But if you’re concerned about eavesdroppers learning your phone number, it might be best to avoid using AirDrop in public places.