Leave it to Apple to give customers a feature that quickly becomes the envy of customers on other platforms. Today I’m talking about AirDrop, Apple’s insanely easy way to share files with other iPhone, iPad, or Mac users.
Nathan and I work in a large private school in the Chicago area, and students, faculty and staff with Apple gear love AirDrop. If you read the news then you know AirDrop has a vulnerability that can show your phone number and passwords. Is this a big deal? Yes. For some.
What’s going on? Stay away from Starbucks. Stay away from the Apple Store in the Mall. Stay away from your spouse and kids because you are at risk. Or, so the story goes. Danny Zepeda:
A newly discovered AirDrop security flaw can let anyone with a computer and the right software access critical information such as phone numbers and Wi-Fi passwords.
Oh, no! How is that possible? Or, is it something that is possible but not probable?
The Hexway report that started the headline regurgitation and online hysteria:
Simply having Bluetooth turned on broadcasts a host of device details, including its name, whether it’s in use, if Wi-Fi is turned on, the OS version it’s running, and information about the battery. More concerning: using AirDrop or Wi-Fi password sharing broadcasts a partial cryptographic hash that can easily be converted into an iPhone’s complete phone number. The information—which in the case of a Mac also includes a static MAC address that can be used as a unique identifier—is sent in Bluetooth Low Energy packets.
In short, AirDrop has a flaw, a vulnerability, that in the right circumstances (you are near a hacker who knows what to do to exploit it) could disclose information about your device.
Oh, the humanity!
With a proof-of-concept trial, the report was able to gather dozens of iPhones and Apple Watches within range. All that was needed was a computer and sniffer dongle.
Maybe there’s also the need to have someone who knows what they’re doing to turn the vulnerability into an actual exploit. Otherwise, with about 1.5 billion iPhones, iPads, Macs, and Apple Watches, with AirDrop, littering planet Earth, I think I’ll take my chances, and perhaps get hit by lightning before having someone snitch something from my iPhone via AirDrop.
Hexway calls this issue more of a “behavior” than a “vulnerability” as it is baked into iOS. About the only security measure you can take against this flaw is turning off Bluetooth entirely.
Oh, so it isn’t really an AirDrop vulnerability, but it is a flaw. That nuance is lost on me but the math is not.
If I’m in a situation where paranoia should rule (Starbucks comes to mind), then Airplane mode should help, right? Otherwise, I’m more worried about summertime lightning strikes while dashing to my car during a Midwest storm than I am about an AirDrop vulnerability that doesn’t show up on YouTube.