Is AirDrop Over-Advertising Your Apple Device?
30th November, 2018 | Cyberprivacy | Entropic
When properly configured, AirDrop is a handy and secure way to transfer items such as URLs, files, photos and notes between Apple devices. A significant advantage of AirDrop is that items are transferred directly between devices using a decentralized peer-to-peer (P2P) approach, and don't go through a central authority.
This means that your fleeting need to transfer a confidential item to someone, or between devices, doesn't result in a copy being left lying around on an intermediary server somewhere. This is typically the case if you choose to send something to someone via e-mail or instant messaging.
For those of us who use AirDrop to conveniently transfer items between devices, a less-considered privacy problem is that the name of your iPhone, iPad or Mac is broadcast when you are not using the feature. By default, Apple uses your actual name when naming your device. This, in combination with a discoverability setting, might leave you open to harassment or social engineering attacks.
How Does AirDrop Work?
AirDrop relies on a combination of Bluetooth and WiFi to operate correctly, which means these both need to be enabled for it to work. In a nutshell, Bluetooth is used by devices to advertise themselves, and discover other AirDrop devices, and WiFi is used to transfer items between these devices.
Advertising and Discoverability
When it comes to the advertising part, AirDrop has some options that control how discoverable your device is. These are:
- Receiving Off - Your device won't be advertised, and thus you can't receive anything from anyone.
- Contacts Only - Your device will be advertised to your contacts only, when they are within ~33ft (10m) of you. They can request to send you items.
- Everyone - Your device will be advertised to everyone, when they are within ~33ft (10m) of you. They can request to send you items.
When you set up your Apple device for the first time, this option is generally set to "Contacts Only", unless you restore from a backup, in which case the setting might be retained from your previous device. However, this option for some reason tends to be set to "Everyone", and you may have wondered why you see so many people around you when you use AirDrop in a public place. Why?
One possible reason is that historically AirDrop, while being a very useful feature, has been buggy when interoperating with other Apple devices with the same or different versions of iOS and macOS. One example of this is that sometimes AirDrop devices don't see each other. The most common remedy for this is to restart both devices.
However, many are led down the path of thinking that this problem is because the person they are sending to is not in their contacts list, or there is some related problem to using the "Contacts Only" option. So, they enable the "Everyone" option to try and make it work, then forget to revert this setting later. The need to transfer an item between devices is usually much higher than the need to remember to reset AirDrop back to the safer "Contacts Only" setting.
Whatever the reason, there are a lot of Apple devices out there with the "Everyone" option enabled by default. Unfortunately, this leaves people open to social engineering attacks, and Cyberflashing, most notably when they are actively using their iPhone, iPad, or Mac in public places. This has been a problem in the past for people, including public figures, and celebrities who have faced harassment when in crowded areas, such as on public transport or events.
Coffee Shop Scenario
Let's review the diagram above, which depicts a coffee shop scenario, with some people sitting and others standing in line to buy a coffee. We use a coffee shop because it is arguably a common place where random people, with many different types of devices, come together on a daily basis. Other good examples are public transport and events.
Referring now to our diagram above:
- Kathy, who has forgotten that she left her AirDrop set to "Everyone", unlocks her iPhone to pay for her coffee. While unlocked, she is broadcasting her name “Kathy’s iPhone” via AirDrop to everyone within 33ft (10m) around her. When she finishes paying and locks her iPhone again, the broadcasting stops.
- The Attacker, who is sitting outside the coffee shop so as to be less conspicuous, can see Kathy's iPhone, David's iPhone, and Carl's MacBook Air, all of whom have their AirDrop set to "Everyone", and are actively using their devices. The Attacker can also see Dan's iPhone when he unlocks it to pay for his coffee, or send an SMS.
- The Attacker can execute a variety of cyberattacks against these people, including Cyberflashing and social engineering attacks, by attempting to transfer specially crafted photos, URLs, videos, notes, contacts, etc. to them.
- The Attacker can also determine which person in the coffee shop is Kathy through simple deduction, using a combination of several observations, including:
  - The proximity of her iPhone
  - Her name, "Kathy's iPhone", being broadcast by AirDrop
  - Her device “...iPhone” (vs. Diana’s “...MacBook”)
  - Observing the broadcasting of Kathy's iPhone appear, then disappear, as she unlocks, then locks, her iPhone when paying for coffee
- Diana has AirDrop Enabled for "Contacts Only" and is working on her MacBook. She is protected from receiving items via AirDrop from everyone, except from her friend Carl who is in her contacts list.
- Dan, who is in line behind Kathy, has AirDrop Enabled for "Everyone" but is not currently using his iPhone, which is locked. He is protected from receiving anything from others via AirDrop, because his device is not currently broadcasting its name to other AirDrop devices. When he unlocks his device, for instance to pay for his coffee, he will become visible to other AirDrop devices.
- Jeff and Jill are not susceptible to AirDrop attacks, as they don’t have Apple devices. They are subject to different types of attacks, based on their device hardware and operating system that are not in the scope of this article.
- Brian has AirDrop Disabled and is checking his e-mail. He is safe from AirDrop attacks, as he is not visible to others.
How to Secure Your AirDrop Devices
Let's review some settings you can make to prevent strangers from sending you unwanted items through AirDrop, and to prevent them from identifying you via the personal details being broadcast by AirDrop.
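On a Mac, the two exposures described in this article (a discoverability mode of "Everyone" and a device name that contains your real name) can be checked from Terminal. The script below is an added example, not part of the original article; it assumes macOS keeps the AirDrop mode in the `DiscoverableMode` key of the `com.apple.sharingd` preference domain, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a Mac's AirDrop exposure (discoverability + device name).

# Return 0 if any part (3+ characters) of the owner's full name appears in the
# device name, compared case-insensitively.
name_leaks_identity() {
    local device owner part
    device=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    owner=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for part in $owner; do
        [ "${#part}" -ge 3 ] || continue
        case "$device" in
            *"$part"*) return 0 ;;
        esac
    done
    return 1
}

# Print one finding per line for a given mode, device name and owner name.
audit_airdrop() {
    local mode="$1" device_name="$2" full_name="$3"
    case "$mode" in
        "Everyone")
            echo "WARN: AirDrop is discoverable by Everyone; use Contacts Only or Off" ;;
        "Contacts Only"|"Off")
            echo "OK: AirDrop discoverability is '$mode'" ;;
        *)
            echo "INFO: AirDrop mode unknown ('$mode'); check the setting manually" ;;
    esac
    if name_leaks_identity "$device_name" "$full_name"; then
        echo "WARN: device name '$device_name' contains the owner's name"
    else
        echo "OK: device name does not contain the owner's name"
    fi
}

# On a Mac, collect the real values. The preference domain and key are an
# assumption about where macOS stores the AirDrop mode (see lead-in).
if [ "$(uname -s)" = "Darwin" ]; then
    mode=$(defaults read com.apple.sharingd DiscoverableMode 2>/dev/null || echo "unset")
    audit_airdrop "$mode" "$(scutil --get ComputerName)" "$(id -F)"
fi
```

On other systems the functions can still be called directly with sample values, for example `audit_airdrop "Everyone" "Kathy's MacBook Air" "Kathy Example"`.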
Conclusion
In this article, we discussed AirDrop - a technology provided in some Apple devices to transfer items between devices. The term Airdrop is also used in cryptocurrency to refer to the typically free distribution of a cryptocurrency to a large number of wallet addresses, as a way to increase support for a token.
Increasing regulation from government authorities, such as the U.S. Securities and Exchange Commission threatens Airdrops as incentives. This is discussed in this article by Christina Comben, originally posted on CoinCentral.com.
If you have any feedback, questions, or suggestions, please let us know.
Acknowledgements:
Photo by Katlyn Giberson on Unsplash