Six Zero-Click Vulnerabilities Found in Apple AirDrop and Android Quick Share Proximity Protocols
Tags: Security · Infrastructure · Mobile · OSS
Researchers from ETH Zurich performed the first cross-platform reverse engineering and protocol-aware fuzzing of Apple AirDrop and Samsung/Google Quick Share — proximity file-transfer stacks used by over five billion devices. They reconstructed AirDrop's seven-layer state machine and DVZip adaptive compression, built AIRFUZZ (a pre-compression mutation fuzzer), and discovered six pre-authentication vulnerabilities: three in macOS/iOS AirDrop (Swift fatalError DoS in HTTP router, unbounded XML plist recursion in Foundation, NULL dereference in Network.framework HTTP/1.1 parser), two in Samsung Quick Share (pre-auth OfflineFrame dispatch, D2D encryption bypass for three frame types), and one heap use-after-free in Google Quick Share for Windows (bounty awarded). All vendors acknowledged the reports.
Technical significance
This is the first systematic security analysis of the proprietary proximity-transfer stacks that run in privileged daemons on billions of phones and laptops. The attack surface is large (binary plists, CPIO archives, protobufs, UKEY2 handshakes) and reachable without pairing — a true zero-click vector. The findings demonstrate that protocol-aware fuzzing (mutating pre-compression representations) outperforms black-box approaches on complex serialized formats. For defenders, it underscores that undocumented proprietary protocols in privileged processes remain a systemic risk class; for researchers, the AIRFUZZ methodology is reusable against other opaque proximity protocols (Nearby Share, AirDrop alternatives). Patches are pending across Apple, Samsung, and Google ecosystems.
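The pre-compression point above, shown as an added example; it is not code from the researchers or from AIRFUZZ. zlib stands in for DVZip, whose format the page does not describe, and the sample message and function names are constructed for illustration. The code measures how many single-byte mutations get past the decompression step when applied to the compressed wire bytes versus the message before compression, which is the harness design choice that matters when fuzzing your own parser behind a compression layer.

```python
import random
import zlib

# Constructed sample: a serialized message as it exists before compression.
SAMPLE = (b'<?xml version="1.0"?><plist version="1.0"><dict>'
          b'<key>SenderID</key><string>constructed-sample</string>'
          b'<key>Files</key><array><string>a.txt</string></array>'
          b'</dict></plist>')


def mutate(data, rng):
    """Change exactly one byte (XOR with a nonzero mask, so it always differs)."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] ^= rng.randrange(1, 256)
    return bytes(buf)


def reaches_parser(wire, original):
    """True if decompression accepts the wire bytes AND the parser behind it
    would receive something other than the unmodified message."""
    try:
        return zlib.decompress(wire) != original
    except zlib.error:
        # Corrupt stream or checksum mismatch: rejected before any parsing.
        return False


def survival_rates(trials=500, seed=1):
    """Return (post_compression_rate, pre_compression_rate)."""
    rng = random.Random(seed)
    wire = zlib.compress(SAMPLE)
    # Black-box style: mutate the compressed bytes seen on the wire.
    post = sum(reaches_parser(mutate(wire, rng), SAMPLE)
               for _ in range(trials))
    # Protocol-aware style: mutate the plaintext, then compress it validly.
    pre = sum(reaches_parser(zlib.compress(mutate(SAMPLE, rng)), SAMPLE)
              for _ in range(trials))
    return post / trials, pre / trials


if __name__ == "__main__":
    post_rate, pre_rate = survival_rates()
    print(f"mutated after compression : {post_rate:.1%} reach the parser")
    print(f"mutated before compression: {pre_rate:.1%} reach the parser")
```

With wire-level mutation, nearly every test case is rejected by the decompressor or its checksum, so the parser code under test is never exercised.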