AirDrop and Quick Share threatened by a bug in 5 billion devices. We'll advise on how to defend yourself

Researchers from the CISPA center described six security flaws in AirDrop and Quick Share.
According to them, the vulnerabilities affect over five billion devices with iOS, macOS, Android, and Windows.
An attacker only needs a laptop and a distance of about 30 meters; the victim doesn't have to click anything.

Adam Kurfürst
Published: 3. 7. 2026 04:30

We take fast file sharing between phones for granted – you tap on the other person’s name, and the photo is on the other side in a moment. However, German researchers took a close look at this convenience: they uncovered a series of flaws in both AirDrop and Quick Share that let an attacker remotely disable wireless functions on billions of devices.

Vulnerabilities affected 5 billion devices

Behind the discovery is a duo from the German cyber security center CISPA – Arash Ale Ebrahim and Nils Ole Tippenhauer. In their study, they described a total of six vulnerabilities, three in Apple AirDrop and three in Google’s Quick Share. Together, they affect iOS, macOS, Android, and Windows systems, with reportedly over five billion devices impacted. However, this number includes all devices that use these protocols, so treat it as an order of magnitude of the problem rather than the number of phones that can actually be attacked.

How would the attack proceed?

The most unpleasant aspect of the whole thing is the simplicity of the attack. An ordinary laptop with Wi-Fi and getting within about 30 meters of the victim are enough – no fraudulent link, no pairing, the other party doesn’t have to do anything at all. Then, a single malformed request is sent, which crashes the background service. With AirDrop, this has an unpleasant knock-on effect.
The service that handles it in the background also provides AirPlay, Handoff, Universal Clipboard, and Continuity Camera – if it crashes, this entire set of functions suddenly stops working. And by repeatedly sending requests, an attacker can keep it out of operation practically permanently.

How does Quick Share differ from AirDrop?

While the flaws in AirDrop primarily result in crashes, the researchers took it further with Quick Share. On a Samsung Galaxy S23 Ultra, they managed to bypass authentication even before the devices exchange encryption keys – the protocol reads and processes several data frames before the security part of the handshake occurs. The second flaw then allowed bypassing encryption for frames that follow connection establishment.

However, the most serious finding concerns the client for Windows. It was a use-after-free vulnerability in memory handling, which could lead to arbitrary code execution, a much more serious scenario than just a crash. Google has already patched this particular flaw and paid the authors a bounty from its bug hunter program.

Work on bug fixes is reportedly still ongoing

But before you panic, one thing mitigates the situation: in most cases, it’s not about data theft, but about denial of service – more an annoyance than a phone robbery. Moreover, the attacker must be physically nearby, so this is not mass remote exploitation. The exception is the mentioned memory flaw in Windows, which was more serious – and it has already been fixed.

What about the other patches? According to the researchers, Apple has fixed one of the three AirDrop flaws and assigned it a CVE identification number, and is addressing the remaining two. Google, in addition to the Windows flaw, is working on the other issues as part of a coordinated disclosure. A complete set of fixes is not yet available.
However, you can defend yourself even without waiting for updates. The key is not to leave file reception open to everyone: in both AirDrop and Quick Share settings, switch visibility to “Contacts Only”, or simply turn off reception when you don’t need it. For the vast majority of people, this is a perfectly sufficient defense.

Do you leave your phone visible to everyone, or only to contacts?

Sources: arXiv, Android Authority, The Hacker News, Help Net Security