Cyber Flashing with AirDrop
The New York Post reported on the plight of 28-year-old Britta Carlson. On 27 July at 6.51pm, she was riding the subway in New York when she received an unsolicited photo of a man’s “disgusting penis”. The image was delivered to her via Apple’s AirDrop facility.
The New York Post describes this as “a new iPhone craze”, so I decided to run a quick experiment on the feasibility of delivering unsolicited messages this way, the security implications, and any potential mitigations we could deploy.
AirDrop and I
I use AirDrop about twice a year, when a strange situation requires me to send a photo to myself, or my wife and I can’t think of another way. I’m sure there are tons of legitimate uses for AirDrop and people use it much more frequently than I do.
AirDrop and others
I had a quick look on Twitter, looking for people talking about their cyber flashing and AirDrop experiences:
OK, so we can establish that this does go on, sometimes light-heartedly and clearly sometimes not. I could have put a thousand more tweets like this in the article, leading me to safely conclude that this is recognised as a viable method of getting a message of some sort to a stranger. Equally, a minority of people seem quite open to the idea of receiving random content from strangers and intentionally leave AirDrop on and set to receive from everyone.
AirDrop from everyone
AirDrop on your iOS device or Mac gives you three options.
- Turn it off
- Allow your contacts only to deliver messages to you
- Allow anyone within range to deliver messages to you
So you’re only prone to receiving anything unsolicited if you’ve told AirDrop you’re happy for anyone to send you messages.
I was once at an event where someone I’d never met wanted to send me a video they had taken of me. I enabled AirDrop to receive from everyone and he sent me the file. And that’s where the story ends: it was extremely convenient and I didn’t have to give the ‘stranger’ any contact details.
I also didn’t turn it off or switch it back to contacts only.
My survey - take 1
I decided to conduct a small survey to assess how many people are walking around with AirDrop on. I jumped straight into this without really giving it any serious thought. I was in the supermarket at a relatively busy time, and there were a good number of people pushing trolleys and buying food.
Prime AirDrop time, right? I chose an innocuous picture from my phone and pretended I wanted to share it. No one was available to receive, so I moved location and walked around a bit; still no one. Time to go back to the drawing board: either nobody had it on or I was doing something wrong.
Back at the office, I ran a few experiments with some iOS devices and everything began to make sense. Now I’m not about to reverse engineer the AirDrop protocol but I did discover some key quirks of how it works that are relevant:
- The receiving iOS device must be awake: this is an absolutely key point, the device must be in use. Not necessarily unlocked, but the screen must be on. Otherwise, it won’t be listed in the available AirDrop devices. This explains why I couldn’t find any willing participants in the supermarket when they were all busy pushing trolleys.
- The range is very limited: I managed a maximum of about 10 metres, but this range drops very quickly if you introduce any kind of obstruction.
- You must look at the image: you will see a preview of the image before you accept it, whether you want to or not, even if the AirDrop request is from a non-contact.
- Your name is given away: your phone’s name, which typically includes your name, is displayed to anyone scanning for available AirDrop devices.
My survey - take 2
This time, before surveying potential recipients, I decided to rename my phone to something more… enticing. I went with “Stacy’s iPhone”. It’s not that I want to receive any crude images or messages, but the unfortunate truth is that women are more likely to attract unwanted attention than men. Also be aware that when you change your phone’s name like this, your car will start calling you Stacy.
Now I just needed a location to test this out in. Fortunately, a few days later I found myself at Reading Festival, in a dense crowd of people, all bored waiting for the next musical act to take the stage. A crude calculation, based on a 10m AirDrop radius and a crowd density of approximately 4 people per square metre, gives me a possible audience of about 1260. Obviously, these aren’t all going to be iPhone users, but if we assume only half have an iPhone, that’s still 630 potential AirDrop recipients.
A stream of potential recipients flowed past. The options kept changing as people opened and closed their phones or moved in and out of range. It was tricky to count, but at any one time there were at least 20 recipients, probably nearer 30 or 40. All the potential recipients gave away at least their first name, and many gave away their full name. To be honest, there were nearly too many people; if the crowd had been less dense I would probably have been able to identify who’s who by matching the moment someone started using their phone with their appearance on my screen.
Just to be clear, I didn’t send anything to anyone; I simply didn’t need to send anything to conduct my test. That said, I took a photo of the distant stage just so that if I did happen to accidentally send something it wouldn’t offend anyone.
In the time since then, I’ve reconfirmed in other environments that it’s not hard to find potential AirDrop recipients. But I (Stacy’s iPhone) didn’t receive a single incoming request for the two weeks I was experimenting with this, and that includes the trip to Reading Festival.
What can Apple do?
It’s obvious that this isn’t a vulnerability as such, but I can think of a couple of obvious improvements that Apple could implement to protect innocent recipients.
The simplest solution is to turn the ‘everyone’ option off automatically after a few minutes. That way, nobody would accidentally leave it on. If people really need it on all the time, there could be an override buried deep in settings somewhere.
The second obvious change is not to preview any images before the user has chosen to accept the incoming request. If you haven’t requested anything, you shouldn’t see a preview until you’ve accepted the request; after all, you can’t unsee something!
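To make the two proposals concrete, here is a small Python model of an AirDrop-style receive policy with both changes applied: the ‘everyone’ mode silently reverts to contacts-only after a timeout (unless a deep-settings override keeps it on), and a non-contact’s request is never previewed before the recipient accepts it. This is an added example written for this article, not Apple’s code; the receive modes come from the article, while the ten-minute timeout, the override flag, the `handle_request` decisions and the contact identifiers are all assumptions. Setting `everyone_timeout_s=None` and `preview_before_accept=True` reproduces the current behaviour described above, so the two configurations can be compared on the ‘forgot to turn it off after the event’ scenario.

```python
"""Toy model of a hardened AirDrop receive policy (added example, not Apple's code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class ReceiveMode(Enum):
    """The three options the article lists: off, contacts only, everyone."""
    OFF = "off"
    CONTACTS_ONLY = "contacts_only"
    EVERYONE = "everyone"


class Decision(Enum):
    """What the receiving device does with an incoming request (names are assumed)."""
    DROPPED = "dropped"                          # sender is not allowed to reach the prompt
    PROMPT_WITH_PREVIEW = "prompt_with_preview"  # today's behaviour as described in the article
    PROMPT_NO_PREVIEW = "prompt_no_preview"      # hardened: the image is shown only after acceptance


@dataclass
class AirDropPolicy:
    contacts: set = field(default_factory=set)
    # Hypothetical knobs: the article only says "a few minutes" and "an override buried in settings".
    everyone_timeout_s: Optional[float] = 10 * 60   # None = never auto-revert (current behaviour)
    preview_before_accept: bool = False             # True reproduces the behaviour the article describes
    keep_everyone_on: bool = False                  # the deep-settings override
    mode: ReceiveMode = ReceiveMode.CONTACTS_ONLY
    everyone_since: Optional[float] = None          # timestamp at which 'everyone' was enabled

    def set_mode(self, mode: ReceiveMode, now: float) -> None:
        """Change the user-visible setting, remembering when 'everyone' was switched on."""
        self.mode = mode
        self.everyone_since = now if mode is ReceiveMode.EVERYONE else None

    def effective_mode(self, now: float) -> ReceiveMode:
        """Apply the auto-revert: 'everyone' falls back to contacts-only once the timeout has elapsed."""
        if (self.mode is ReceiveMode.EVERYONE
                and self.everyone_timeout_s is not None
                and not self.keep_everyone_on
                and self.everyone_since is not None
                and now - self.everyone_since >= self.everyone_timeout_s):
            self.set_mode(ReceiveMode.CONTACTS_ONLY, now)
        return self.mode

    def handle_request(self, sender_id: str, now: float) -> Decision:
        """Decide whether an incoming request reaches the user, and whether it is previewed."""
        mode = self.effective_mode(now)
        if mode is ReceiveMode.OFF:
            return Decision.DROPPED
        if mode is ReceiveMode.CONTACTS_ONLY and sender_id not in self.contacts:
            return Decision.DROPPED
        if self.preview_before_accept:
            return Decision.PROMPT_WITH_PREVIEW
        return Decision.PROMPT_NO_PREVIEW


def forgotten_everyone_scenario(policy: AirDropPolicy) -> Decision:
    """The article's own story: 'everyone' enabled at an event and never turned off.

    Returns what happens when an unknown sender tries two hours later.
    Timestamps are constructed seconds, not wall-clock time."""
    policy.set_mode(ReceiveMode.EVERYONE, now=0.0)
    policy.handle_request("event-videographer", now=30.0)   # the legitimate transfer
    return policy.handle_request("stranger", now=2 * 3600.0)  # two hours on, on the train


if __name__ == "__main__":
    current = AirDropPolicy(everyone_timeout_s=None, preview_before_accept=True)
    hardened = AirDropPolicy()
    print("current behaviour :", forgotten_everyone_scenario(current).value)   # prompt_with_preview
    print("hardened behaviour:", forgotten_everyone_scenario(hardened).value)  # dropped
```

The override is deliberately a separate flag rather than a longer timeout: the point of the proposal is that the default path cannot leave the device exposed indefinitely, and anyone who needs the permissive mode has to opt into it explicitly.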
There have always been, and will always be, weirdos and creeps. There’s no doubt that AirDrop gives them a new, potentially anonymous, platform to conduct their ‘activities’ from, but the same logic can be applied to social media and other platforms. Ultimately, AirDrop wasn’t designed to be used in quite this way, but with some simple adjustments that don’t negatively impact usability, Apple can remove AirDrop from the cyber flashers’ toolbox.