Recent research has uncovered multiple vulnerabilities in Apple’s AirDrop and Google’s Quick Share protocols, enabling attackers within wireless range to crash or disrupt nearby devices without user interaction. These findings highlight significant security flaws in widely used proximity-sharing features across various platforms.
AirDrop Vulnerabilities
Three specific vulnerabilities have been identified in Apple’s AirDrop protocol:
- Unhandled HTTP Path Fatal Error: AirDrop’s sharing daemon employs a Swift path router that triggers a fatal error upon receiving an HTTP request to an unknown URI. An unauthenticated device within Apple Wireless Direct Link (AWDL) range can send a POST request to an unrecognized path on the AirDrop port, causing the sharing daemon to crash. This disruption affects AirDrop, AirPlay, Handoff, Universal Clipboard, and other continuity services.
- Unbounded XML Plist Recursion: The XML property list scanner in Apple’s Foundation framework parses nested dictionary structures without a depth limit, leading to a stack overflow at approximately 180–200 levels of nesting. A crafted AirDrop Discover request containing a deeply nested XML plist can exhaust the stack and crash the process, creating a denial-of-service (DoS) condition wherever untrusted XML plists are processed.
- HTTP/1.1 Parser NULL Dereference: The Network.framework’s HTTP/1.1 connection setup can be manipulated into an inconsistent state using malformed framing, such as negative chunk sizes or conflicting Content-Length headers. This manipulation results in a NULL-pointer dereference in the HTTP parser, crashing the sharing daemon and impacting all continuity services on affected Apple devices.
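The plist finding above comes down to a parser with no nesting bound. The following added example (not Apple's code, and not from the original research) shows the defensive counterpart: a streaming XML plist scan that tracks element depth and rejects a document as soon as it exceeds a configured limit, before any recursive object builder runs. The plist builder only produces a constructed test input for the guard; the depth limit of 32 is an assumed value.

```python
import xml.parsers.expat


class PlistDepthExceeded(Exception):
    """Raised when element nesting passes the configured limit."""


def parse_plist_bounded(data: bytes, max_depth: int = 32) -> int:
    """Scan an XML plist with expat, counting element nesting depth.

    Returns the maximum depth seen. Raises PlistDepthExceeded the moment
    the limit is crossed, so a hostile document is rejected early instead
    of driving a recursive dictionary builder into stack exhaustion.
    """
    state = {"depth": 0, "max": 0}

    def start(name, attrs):
        state["depth"] += 1
        if state["depth"] > max_depth:
            raise PlistDepthExceeded(
                f"nesting depth {state['depth']} exceeds limit {max_depth}")
        state["max"] = max(state["max"], state["depth"])

    def end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # exceptions from handlers propagate here
    return state["max"]


def nested_dict_plist(levels: int) -> bytes:
    """Constructed test input: a plist whose root dict nests `levels` dicts.

    Element depth is levels + 2 (the <plist> wrapper plus the innermost <dict/>).
    """
    open_tags = "<dict><key>k</key>" * levels
    close_tags = "</dict>" * levels
    body = f'<plist version="1.0">{open_tags}<dict/>{close_tags}</plist>'
    return b'<?xml version="1.0" encoding="UTF-8"?>' + body.encode()


def is_safe_plist(data: bytes, max_depth: int = 32) -> bool:
    """True if the document stays within the nesting bound, False otherwise."""
    try:
        parse_plist_bounded(data, max_depth)
        return True
    except PlistDepthExceeded:
        return False
```

The same depth counter can sit in front of any untrusted plist or XML input path; the limit should be set to the deepest structure a legitimate peer is expected to send, not to whatever the stack happens to tolerate.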
Quick Share Vulnerabilities
Similarly, three vulnerabilities have been discovered in Google’s Quick Share protocol:
- Pre-Authentication Frame-Processing Bypass: The Nearby Connections layer begins processing certain OfflineFrame messages immediately after receiving a single unauthenticated ConnectionRequest, before completing the UKEY2 handshake. This flaw allows an attacker in proximity to interact with the Quick Share protocol state machine and process attacker-controlled protobuf content without any cryptographic authentication, expanding the zero-click attack surface.
- Device-to-Device Encryption Bypass: After the UKEY2 handshake, three frame types—CONNECTIONRESPONSE, BANDWIDTHUPGRADE, and KEEPALIVE—are still accepted and processed in plaintext if sent as raw OfflineFrame protobufs rather than wrapped in the SecureMessage encryption layer. An on-path attacker on the same network can inject unencrypted control frames into an active Quick Share session, potentially forcing connections into an accepted state, keeping them alive, or leaking endpoint state.
- Windows Quick Share Use-After-Free: Google’s Quick Share client for Windows contains a use-after-free vulnerability that can be exploited to achieve remote code execution, allowing an attacker to run arbitrary code on the victim’s machine and potentially steal data or compromise the system further.
These vulnerabilities underscore the importance of rigorous security assessments for proximity-sharing protocols. Users are advised to keep their devices updated with the latest security patches and exercise caution when using these features in untrusted environments. Manufacturers must prioritize addressing these flaws to prevent potential exploitation and ensure user safety.