AirDrop and Quick Share Flaws Allow Attackers to Crash Nearby Devices


What happened

Security researchers disclosed multiple vulnerabilities affecting Apple AirDrop and Google and Samsung Quick Share that could allow attackers within wireless range to crash or disrupt nearby devices without user interaction.

Researchers from the CISPA Helmholtz Center for Information Security conducted a reverse-engineering and protocol-aware fuzzing study of AirDrop and Quick Share across macOS, iOS, Android, and Windows.

The research uncovered six distinct issues. Several of them enable remote denial-of-service attacks by crashing system daemons responsible for file sharing and continuity features.

Three vulnerabilities affect AirDrop’s application-layer stack in current macOS and iOS releases.

The first AirDrop issue involves an unhandled HTTP path fatal error. AirDrop’s sharing daemon uses a Swift path router that triggers a fatal error when it receives an HTTP request to an unknown path. An unauthenticated device within Apple Wireless Direct Link range can send a request to an unrecognized path on the AirDrop port and crash the sharing daemon.

That crash can disrupt AirDrop, AirPlay, Handoff, Universal Clipboard, and other Apple continuity services.

The second AirDrop issue involves unbounded XML property list recursion. A crafted AirDrop Discover request containing deeply nested XML data can exhaust the stack and crash the affected process.

The third AirDrop issue affects Network.framework’s HTTP/1.1 parser. Malformed HTTP framing, such as negative chunk sizes or conflicting content-length headers, can force the parser into an inconsistent state and trigger a crash.
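The two parser failure modes just described, unbounded plist nesting and inconsistent HTTP/1.1 framing, are the kind of input an inbound validator should reject before it reaches a fragile parser. The following is an added illustration written for this article, not code from the CISPA researchers or from Apple; MAX_PLIST_DEPTH and the sample inputs are assumptions.

```python
import re
import xml.parsers.expat

MAX_PLIST_DEPTH = 64  # assumed limit; the article gives no vendor figure

def plist_max_depth(xml_bytes, limit=MAX_PLIST_DEPTH):
    """Max element nesting depth of an XML plist, or None if the document is
    malformed or nests deeper than `limit`. expat drives the callbacks
    iteratively, so deeply nested input cannot recurse the checker itself."""
    depth = max_depth = 0
    def start(name, attrs):
        nonlocal depth, max_depth
        depth += 1
        if depth > limit:
            raise ValueError("nesting limit exceeded")  # aborts Parse() early
        max_depth = max(max_depth, depth)
    def end(name):
        nonlocal depth
        depth -= 1
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(xml_bytes, True)
    except (ValueError, xml.parsers.expat.ExpatError):
        return None
    return max_depth

def framing_error(headers, chunk_size_line=None):
    """Reason string if HTTP/1.1 framing is ambiguous or malformed, else None.
    headers: list of (name, value) pairs; chunk_size_line: first chunked-body line."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    lengths = by_name.get("content-length", [])
    if lengths and by_name.get("transfer-encoding"):
        return "Content-Length and Transfer-Encoding both present"
    if len(set(lengths)) > 1:
        return "conflicting Content-Length values"
    if any(not re.fullmatch(r"[0-9]+", v) for v in lengths):
        return "Content-Length is not a non-negative integer"
    if chunk_size_line is not None:
        size = chunk_size_line.split(";", 1)[0].strip()  # drop chunk extensions
        if not re.fullmatch(r"[0-9A-Fa-f]+", size):  # a sign or empty size is never valid
            return "malformed chunk-size"
    return None

# Constructed sample inputs, not captured traffic.
GOOD_PLIST = b'<plist version="1.0"><dict><key>Name</key><string>x</string></dict></plist>'
NESTED_PLIST = b"<plist>" + b"<array>" * 200 + b"</array>" * 200 + b"</plist>"
```

The depth check fails closed on both malformed and over-nested documents, which is the behaviour a receiving daemon wants before handing data to a recursive plist decoder.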

Three additional vulnerabilities affect Quick Share implementations on Samsung Android devices and Google’s Quick Share client for Windows.

One Quick Share issue allows certain frame messages to be processed before the UKEY2 handshake completes. This gives an attacker in proximity a way to interact with the Quick Share protocol state machine and process attacker-controlled content before cryptographic authentication.

Another issue allows certain control frames to be accepted in plaintext after UKEY2, even though they should be protected by the SecureMessage encryption layer. An attacker on the same network could inject unencrypted control frames into an active Quick Share session.

The Windows Quick Share issue is a race-condition use-after-free in endpoint management. When two connections collide on the same identifier and nonce, a worker thread can dereference a freed object, causing reliable denial of service and creating a possible path to code execution under certain conditions.

The researchers responsibly disclosed all six vulnerabilities to Apple, Samsung, and Google. Apple acknowledged the AirDrop issues and is developing fixes. Google awarded a bounty for the Windows Quick Share issue and is investigating the Quick Share protocol flaws.

Who is affected

Apple users may be affected if they use macOS or iOS devices with AirDrop and continuity services enabled.

Samsung Android users and Windows users of Google Quick Share may also be affected by the Quick Share vulnerabilities.

The practical risk is highest in proximity-based environments where attackers can get within wireless range of, or onto the same network as, target devices. This includes offices, conferences, schools, airports, hotels, public transportation hubs, and other crowded environments.

Organizations with managed Apple, Android, and Windows fleets should pay attention because the vulnerabilities affect common device-to-device sharing workflows that users may leave enabled by default.

Why CISOs should care

These vulnerabilities show how proximity-sharing protocols can create zero-click disruption risk. AirDrop and Quick Share are designed to make nearby device interaction seamless, but that same convenience expands the attack surface when protocol parsing or authentication boundaries fail.

For CISOs, the main concern is availability and operational disruption. A nearby attacker may be able to repeatedly crash sharing or continuity services without user interaction, affecting productivity and device reliability in high-density work environments.

The Quick Share findings also highlight trust-boundary concerns. Processing frames before authentication or accepting plaintext control messages after authentication weakens assumptions about how secure proximity-sharing sessions behave.

The Windows use-after-free issue also deserves attention because memory safety bugs can sometimes evolve beyond denial of service. Even where code execution is only plausible under specific conditions, managed environments should treat the issue as more than a nuisance crash.

3 practical actions

  1. Restrict proximity-sharing features where they are not needed: AirDrop and Quick Share are convenient but expand local attack surface. CISOs should use device management policies to limit these features on high-risk devices, sensitive workstations, or managed fleets where file sharing is not required.
  2. Apply vendor fixes as they become available: The vulnerabilities were disclosed to Apple, Samsung, and Google. Security teams should monitor patch releases for macOS, iOS, Android, Samsung devices, and Quick Share for Windows, then prioritize updates across managed endpoints.
  3. Review device-sharing policies for crowded environments: The attacks require wireless proximity or same-network access. Organizations should provide guidance for conferences, airports, shared offices, schools, and travel scenarios where employees may be near unknown devices or hostile networks.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.