Apple is working to patch three security vulnerabilities in AirDrop that allow someone within roughly 30 meters to remotely disable AirDrop, AirPlay, Handoff, Universal Clipboard, and Continuity Camera on nearby iPhones and Macs, with no interaction required from the target.
Security researcher Arash Ebrahim disclosed the findings this week after following responsible disclosure procedures with both Apple and Google, which faces similar vulnerabilities in its Quick Share feature for Android devices.
Apple has patched one of the three flaws and assigned it a CVE identifier, but the remaining two are still under coordinated disclosure with no public details released yet.
What an attack actually looks like
An attacker needs only a laptop with Wi-Fi and physical proximity to potential targets. No shared network, no prior contact, no pairing of any kind.
On devices configured to receive AirDrop from Everyone, the underlying protocol begins responding to incoming requests before any on-screen prompt appears, which creates the exposure.
The simplest of the three flaws triggers a crash through a single short network request sent to an unrecognized path in AirDrop’s code. That one request takes down not just AirDrop but also AirPlay, Handoff, Universal Clipboard, and Continuity Camera simultaneously.
When the same request is repeated every few seconds, those services stay down for as long as the attack continues. Testing confirmed that all legitimate connection attempts failed during the attack and resumed normally once it stopped.
No data stolen, but services go dark
The vulnerabilities do not expose files, photos, or personal data to an attacker. The consequence is a denial of service: Apple’s proximity features stop working on affected devices until the attacker moves out of range or stops the attack.
For someone in an airport, conference center, or crowded public space, that could mean AirDrop transfers, AirPlay connections, and iPhone-to-Mac handoff features all become unresponsive without any obvious explanation.
Ebrahim noted that the appearance of these vulnerabilities on both Apple and Google platforms, even though the two systems share almost no underlying code, reflects a structural challenge in how proximity-based wireless features are built.
Services designed for seamless, frictionless use must process incoming data from unknown sources before any authentication or user approval takes place. That design requirement creates an attack surface that is difficult to eliminate entirely.
Changing AirDrop’s receiving setting from Everyone to Contacts Only limits exposure, since devices in that mode are less responsive to requests from unrecognized sources during the early protocol phases. Apple has not publicly confirmed a timeline for the remaining two fixes.