Cyber Flashing with AirDrop

The New York Post reported on the plight of 28-year-old Britta Carlson. On 27 July at 6.51pm, she was riding the subway in New York when she received an unsolicited photo of a man’s “disgusting penis”. The image was delivered to her via Apple’s AirDrop facility.

The New York Post describes this as “a new iPhone craze”, so I decided to run a quick experiment into how feasible it is to deliver unsolicited content this way, what the security implications are, and what mitigations could be deployed.

AirDrop and I

I use AirDrop about twice a year, when some strange situation requires me to send a photo to myself, or my wife and I can’t think of another way. I’m sure there are tons of legitimate uses for AirDrop and that people use it much more frequently than I do.

AirDrop and others

I had a quick look on Twitter for people talking about their cyber flashing and AirDrop experiences:

[Embedded tweets: five people describing their AirDrop cyber flashing experiences]

OK, so we can establish that this does go on, sometimes light-heartedly and clearly sometimes not. I could have put a thousand more tweets like this in the article, which leads me to safely conclude that this is a recognised, viable method of getting some sort of message to a stranger. Equally, a minority of people seem quite open to the idea of receiving random content from strangers and intentionally leave AirDrop set to receive from everyone.

AirDrop from everyone

AirDrop on your iOS device or Mac gives you three options for who can see your device and send to it: Receiving Off, Contacts Only, or Everyone.

So you’re only exposed to unsolicited content if you’ve set AirDrop to Everyone, i.e. told it you’re happy for anyone in range to send you things. With Contacts Only, a stranger’s device doesn’t even list yours as a recipient.

I was once at an event, where someone I’d never met wanted to send me a video they had taken of me. I enabled AirDrop to receive from everyone and he sent me the file. And that’s where the story ends, it was extremely convenient and I didn’t have to give the ‘stranger’ any contact details.

I also didn’t turn it off afterwards, or switch it back to Contacts Only.

My survey - take 1

I decided to conduct a small survey to assess how many people are walking around with AirDrop on. I jumped straight in without really giving it any serious thought: I was in the supermarket at a relatively busy time, with a good number of people pushing trolleys and buying food.

Prime AirDrop time, right? I chose an innocuous picture from my phone and pretended I wanted to share it. No one was available to receive, so I moved location, walked around a bit, and still found no one. Time to go back to the drawing board: either nobody had it on or I was doing something wrong.

Back at the office, I ran a few experiments with some iOS devices and everything began to make sense. I’m not about to reverse engineer the AirDrop protocol, but I did discover some quirks of how it works that are relevant. The one that matters most here, and which the festival results below bear out, is that a device only shows up in a sender’s recipient list while its owner is actively using it with the screen on; a phone in a pocket or handbag is invisible, which explains the empty supermarket.

My survey - take 2

This time, before surveying potential recipients, I decided to rename my phone to something more… enticing. I went with “Stacy’s iPhone”. It’s not that I want to receive any crude images or messages, but the unfortunate truth is that women are more likely to attract unwanted attention than men. Also be aware that when you change your phone’s name like this, your car will start calling you Stacy.

Now I just needed a location to test this out in. Fortunately, a few days later I found myself at Reading Festival, in a dense crowd of people, all bored waiting for the next musical act to take the stage. A crude calculation, based on a 10m AirDrop radius (π × 10² ≈ 314 m²) and a crowd density of approximately 4 people per square metre, gives a possible audience of about 1260. Obviously, these aren’t all going to be iPhone users, but if we assume only half have an iPhone, that’s still 630 potential AirDrop recipients.

A stream of potential recipients flowed past. The options kept changing as people picked up and put away their phones or moved in and out of range. It was tricky to count, but at any one time there were at least 20 recipients, probably nearer 30 or 40. All of them gave away at least their first name, via the default “<Name>’s iPhone” device name, and many gave away their full name. To be honest, there were almost too many people; if the crowd had been less dense I could probably have worked out who was who by matching the moment someone started using their phone to their appearance on my screen.

Just to be clear, I didn’t send anything to anyone; I didn’t need to actually send anything to conduct my test. That said, I took a photo of the distant stage so that if I did happen to send something by accident it wouldn’t offend anyone.

In the time since then, I’ve reconfirmed in other environments that it’s not hard to find potential AirDrop recipients. But I (Stacy’s iPhone) didn’t receive a single incoming request in the two weeks I was experimenting with this, and that includes the trip to Reading Festival.

What can Apple do?

It’s obvious that this isn’t a vulnerability as such, but I can think of a couple of obvious improvements Apple could make to protect unwitting recipients.

The simplest fix is to switch the Everyone option back off automatically after a few minutes, so nobody can accidentally leave it on. If people really need it on all the time, an override could be buried deep in Settings somewhere.
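That time-out can’t be retrofitted to an iPhone, but on a Mac you can approximate it yourself. The script below is an added example, not part of the original post and not anything from Apple: a POSIX shell script, meant to run every minute from cron or launchd, that reads the Mac’s AirDrop setting and switches it back to Contacts Only once it has been on Everyone for longer than a limit. It assumes that the setting is stored in the com.apple.sharingd preference domain under the key DiscoverableMode with the string values "Off", "Contacts Only" and "Everyone", and that restarting sharingd makes a change written with `defaults` take effect; both held on older macOS versions but are not guaranteed on current ones, so check on your own machine before relying on it. The decision logic is kept in its own function so it can be tested without a Mac.

```shell
#!/bin/sh
# Added example, not from the original post: stop macOS AirDrop from staying
# on "Everyone". Intended to run every minute from cron or launchd.
#
# Assumptions (verify on your macOS version before relying on this):
#  - the AirDrop mode is stored in the com.apple.sharingd preference domain
#    under the key DiscoverableMode as "Off", "Contacts Only" or "Everyone";
#  - restarting sharingd makes a change written with `defaults` take effect.

LIMIT_SECONDS=${LIMIT_SECONDS:-600}                      # grace period for "Everyone"
STATE_FILE=${STATE_FILE:-"${HOME:-/tmp}/.airdrop_everyone_since"}

# Pure decision logic, testable without a Mac.
# Usage: should_revert MODE SINCE_EPOCH NOW_EPOCH LIMIT -> prints "revert" or "keep"
should_revert() {
    if [ "$1" = "Everyone" ] && [ $(($3 - $2)) -ge "$4" ]; then
        echo revert
    else
        echo keep
    fi
}

# Current AirDrop mode; prints nothing on a non-Mac or if the key is unset.
current_mode() {
    command -v defaults >/dev/null 2>&1 || return 0
    defaults read com.apple.sharingd DiscoverableMode 2>/dev/null || true
}

# Switch back to Contacts Only and restart sharingd so the change is applied.
revert_to_contacts_only() {
    defaults write com.apple.sharingd DiscoverableMode -string "Contacts Only"
    killall sharingd 2>/dev/null || true
}

main() {
    mode=$(current_mode)
    now=$(date +%s)
    if [ "$mode" != "Everyone" ]; then
        rm -f "$STATE_FILE"                              # not exposed: reset the timer
        echo "AirDrop mode is '${mode:-unknown}'; nothing to do"
        return 0
    fi
    # Remember when we first saw "Everyone" so the timer survives between runs.
    if [ -f "$STATE_FILE" ]; then
        since=$(cat "$STATE_FILE")
    else
        since=$now
        echo "$since" > "$STATE_FILE"
    fi
    if [ "$(should_revert "$mode" "$since" "$now" "$LIMIT_SECONDS")" = revert ]; then
        revert_to_contacts_only
        rm -f "$STATE_FILE"
        echo "AirDrop was on Everyone for >= ${LIMIT_SECONDS}s; reverted to Contacts Only"
    else
        echo "AirDrop is on Everyone ($((now - since))s); reverting at ${LIMIT_SECONDS}s"
    fi
}

main "$@"
```

The timer lives in a small state file rather than in memory because each cron or launchd run is a fresh process; deleting the file whenever the mode is anything other than Everyone means a deliberate switch back to Contacts Only resets the clock, and a later switch to Everyone gets the full grace period again.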

The second change is not to show a preview of an image before the user has chosen to accept the incoming request. If you haven’t asked for anything, you shouldn’t see it until you’ve accepted; after all, you can’t unsee something.

Conclusion

There always have been and always will be weirdos and creeps. There’s no doubt that AirDrop gives them a new, potentially anonymous, platform for their ‘activities’, but the same can be said of social media and other platforms. Ultimately AirDrop wasn’t designed to be used in quite this way, but with some simple adjustments that don’t hurt usability, Apple could remove AirDrop from the cyber flasher’s toolbox.