Proximity Sharing Flaws Expose Billions of Devices to Nearby Crashes and Session Bypasses

Researchers at CISPA uncovered six flaws in AirDrop and Quick Share that let nearby attackers crash services on Apple devices or bypass encryption checks on Samsung Android and Google Windows clients. The bugs affect over five billion devices and highlight recurring weaknesses in proximity protocols. Vendors have issued patches, but the findings reveal deeper design lessons for wireless sharing systems.
Written by Eric Hastings

Security researchers have uncovered six vulnerabilities in the wireless file-sharing systems that billions of smartphones, laptops and tablets rely on every day. The flaws sit inside Apple’s AirDrop and the Google-Samsung Quick Share implementations that now reach across platforms. An attacker standing within wireless range can trigger persistent crashes on iPhones and Macs or slip past handshake protections on Android devices. One memory bug in the Windows version even opens a path toward potential remote code execution.

Arash Ale Ebrahim and Nils Ole Tippenhauer at the CISPA Helmholtz Center for Information Security performed the work. They reverse-engineered proprietary protocols that had received little public scrutiny above the radio layer. Their paper, “Protocol Prying: Systematic Vulnerability Research in the Apple AirDrop and Android Quick Share Proximity Transfer Protocols,” details the findings. The pair built a custom fuzzer called AirFuzz that mutates data before compression. It raised acceptance rates from under five percent to more than ninety percent and exposed parser weaknesses that manual review might have missed.

More than five billion active devices run one of these two systems. Both wake privileged background services when another device appears nearby. Both parse complex serialized formats—binary plists, CPIO archives, Protocol Buffers, UKEY2 handshakes—without any prior pairing. That design choice makes them attractive targets. But it also creates a broad attack surface reachable from 10 to 30 meters away or across the same Wi-Fi network.

The three AirDrop issues all produce crashes. Yet each reveals a different failure mode. The simplest, labeled V1 in the paper, targets the HTTP path router inside Sharing.framework. A Swift switch statement hits a default case that calls fatalError with an unhandled path. One POST request to an unrecognized URI on the AWDL port is enough. The sharingd daemon dies. AirDrop, AirPlay, Handoff, Universal Clipboard, Continuity Camera and NameDrop all stop working.

An attacker can repeat the request every two seconds. Legitimate transfers drop to zero for as long as the loop continues. No user prompt appears. No tap is required. The device simply becomes unavailable for sharing until the attacker walks away. Apple has already fixed this bug and assigned a CVE, though the advisory remains private. The update arrived in iOS and macOS versions released June 29.

V2 strikes deeper. It exploits unbounded recursion in Foundation’s XML property list parser. A carefully crafted six-kilobyte file containing roughly two hundred nested dictionary elements overflows the stack. The crash affects not only AirDrop but any Apple application that deserializes untrusted plists. That scope covers macOS, iOS, watchOS, tvOS and visionOS. Older iOS 16 builds escaped the bug. Newer releases did not.
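
As a defensive illustration of the V2 failure mode (an added example, not code from the paper or from Apple), the Python sketch below measures nesting depth with a streaming, non-recursive parser before an untrusted XML plist reaches a deserializer. The function names and the default limit of 64 are assumptions, and the sample document is constructed.

```python
import plistlib
from xml.parsers import expat

MAX_DEPTH = 64  # assumed limit; choose one that fits the documents you expect


class PlistTooDeep(ValueError):
    """Raised when element nesting exceeds the configured limit."""


def check_depth(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Stream the XML through expat (event-driven, no recursion) and
    abort as soon as nesting exceeds limit. Returns the deepest level seen."""
    depth = deepest = 0

    def start(_name, _attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > limit:
            raise PlistTooDeep(f"nesting depth exceeds {limit}")

    def end(_name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # malformed XML raises expat.ExpatError
    return deepest


def load_untrusted_plist(data: bytes, limit: int = MAX_DEPTH):
    # A byte-size cap alone would not help here: the file described above
    # is only about six kilobytes. Depth is the property to bound.
    check_depth(data, limit)
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


# Constructed sample: three nested dictionaries, deepest element at level 5.
SAMPLE = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0">'
          b'<dict><key>a</key><dict><key>b</key><dict><key>c</key>'
          b'<string>x</string></dict></dict></dict></plist>')

if __name__ == "__main__":
    print(load_untrusted_plist(SAMPLE))
```
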

V3 lives in Network.framework’s HTTP/1.1 parser. Conflicting headers, negative chunked transfer sizes or oversized bodies trigger a NULL pointer dereference. The result is another clean SIGSEGV. All three flaws are reachable before authentication and need no user interaction beyond having AirDrop set to receive from Everyone.

But Apple is not alone. Quick Share implementations show parallel problems. On Samsung Android devices the researchers identified two protocol-layer issues. V4 allows an unauthenticated device to dispatch OfflineFrame messages before the UKEY2 handshake completes. The Nearby Connections component processes KEEP_ALIVE, BANDWIDTH_UPGRADE and CONNECTION_RESPONSE frames without checking authentication state. The server still responds, expanding the pre-authentication surface.

V5 goes further. After a full handshake, three of seven post-handshake frame types bypass the mandatory SecureMessage encryption wrapper. An on-path attacker who has completed the handshake can inject raw frames. A forged CONNECTION_RESPONSE advances the state machine and bypasses consent. KEEP_ALIVE messages prevent timeouts. BANDWIDTH_UPGRADE leaks IP addresses and ports. The flaws were tested on a Galaxy S23 Ultra. Other Android vendors using Google’s Quick Share code may carry similar gaps.
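
The design property that V4 and V5 lack can be shown in a small model (an added example, not Quick Share code and not from the paper): one receive boundary that rejects every frame before the handshake completes and, afterwards, every frame that does not verify under the session key, with no per-type exemptions. The class and function names are hypothetical, and an HMAC-SHA256 tag stands in for the SecureMessage wrapper.

```python
import hashlib
import hmac
from enum import Enum, auto


class State(Enum):
    HANDSHAKING = auto()    # handshake not yet complete, no session key
    AUTHENTICATED = auto()  # session key agreed


class FrameRejected(Exception):
    """Raised for any frame that fails the boundary check."""


def wrap(key: bytes, frame_type: str, payload: bytes) -> dict:
    """Sender side of the stand-in wrapper: body plus HMAC-SHA256 tag."""
    body = frame_type.encode() + b"\x00" + payload
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}


class Session:
    def __init__(self):
        self.state = State.HANDSHAKING
        self._key = None
        self.dispatched = []  # frame types that reached a handler

    def handshake_complete(self, session_key: bytes) -> None:
        # Called by the handshake code, which is a separate, minimal path.
        self._key = session_key
        self.state = State.AUTHENTICATED

    def receive(self, message: dict) -> None:
        """Only entry point for peer frames; runs before any per-type dispatch."""
        if self.state is not State.AUTHENTICATED:
            raise FrameRejected("frame received before handshake completed")
        body, tag = message.get("body"), message.get("tag")
        if not isinstance(body, bytes) or not isinstance(tag, bytes):
            raise FrameRejected("frame is not wrapped")
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise FrameRejected("wrapper verification failed")
        frame_type, _, payload = body.partition(b"\x00")
        self._dispatch(frame_type.decode(), payload)

    def _dispatch(self, frame_type: str, payload: bytes) -> None:
        # Handlers are reachable only through receive(); no type is exempt.
        self.dispatched.append(frame_type)
```

Because the check sits in front of dispatch rather than inside each handler, a newly added frame type inherits it automatically.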

The most serious bug sits in Google’s Quick Share client for Windows. V6 is a heap use-after-free triggered by an endpoint nonce collision. When two connection attempts race at precisely the right moment, one thread tears down an endpoint while another still holds a reference. The program then uses memory it has already freed. A source code comment in the fixed version admitted the exact race had occurred before. The comment read, “We had a bug here, caused by a race with EncryptionRunner.” The new fix reintroduced the same class of flaw.

Google awarded a bounty for the discovery. The company has landed a code change. A CVE is pending. Earlier versions of the Windows client suffered a ten-bug remote code execution chain in 2024. Subsequent patches were bypassed in 2025. The pattern suggests concurrency and endpoint management remain stubborn problems in the Windows implementation.

Help Net Security reported the scale and the researchers’ conclusions on June 30. The article quotes Ale Ebrahim noting that the bugs reflect “common engineering challenges in proximity-based protocols.” Security checks were not enforced at a single boundary. The same architectural pattern appeared in different codebases. He offered three principles for designers of future systems: enforce authentication and encryption at the earliest possible boundary, minimize the amount of privileged code that processes untrusted input, and adopt protocol-aware fuzzing early in development.

The Hacker News covered the story the same day, highlighting that an attacker with only a laptop can disable sharing features on any nearby Mac or iPhone set to receive from anyone. 9to5Mac focused on the Apple side, confirming the crashes render multiple Continuity features unusable for the duration of the attack. No data theft was demonstrated in any of the bugs. The threats remain local denial of service, session bypass and a plausible but unproven remote code execution path on Windows.

Vendors responded through coordinated disclosure. Apple patched one issue and continues work on the others. Samsung forwarded its two bugs to Google, which is investigating. Google fixed the Windows use-after-free and paid the bounty. Patches for iOS, macOS and the Windows app are available now. Users can reduce exposure immediately by changing AirDrop visibility to Contacts Only or turning the feature off when not in use. The same advice applies to Quick Share.

The researchers released their AirFuzz tooling and crash samples on Zenodo to support further study. They reconstructed AirDrop’s seven-layer state machine and its DVZip adaptive compression scheme from binary analysis alone. That level of detail had not been published before. The work stands as the first side-by-side examination of both proprietary stacks above the Bluetooth and Wi-Fi layers.

Industry observers note that proximity protocols have grown more ambitious. Quick Share now interoperates with AirDrop on supported hardware, increasing the number of devices that share the same attack surface. Google’s earlier security blog post on that interoperability emphasized memory-safe Rust components and independent audits. Those measures did not prevent the Windows use-after-free or the Samsung bypasses. The gap illustrates that protocol logic and state-machine design can introduce vulnerabilities even when lower-level memory safety improves.

For security teams inside enterprises the practical risks are clear. Employees in airports, conference centers or open-plan offices may face repeated service disruptions. A determined attacker could target specific executives by looping crashes during key moments. The Windows client’s memory bug, while harder to exploit, could become a vector if an attacker combines it with other weaknesses. No public exploits have surfaced. Yet the proof-of-concept crashes and bypasses are now public.

The findings also expose how little independent analysis these protocols had received until now. Both Apple and Google built fast, convenient sharing tools that operate with minimal friction. Convenience won. The security properties of the application layer stayed opaque. Ale Ebrahim and Tippenhauer have lifted that opacity. Their paper and tools give defenders and future protocol designers a clearer map of where similar systems tend to fail.

Updates will close these specific holes. The broader lesson remains. Privileged daemons that accept complex data from strangers within wireless range demand exhaustive validation at every boundary. They require deterministic state machines and rigorous concurrency controls. And they benefit from continuous, protocol-aware fuzzing rather than after-the-fact audits. The next generation of proximity sharing features will ship on even more devices. Whether they repeat these mistakes depends on how closely engineers study the research published today.
