Why iOS7’s AirDrop Is Risky for Business

AirDrop Screen

Apple’s new operating system known as iOS7 comes with a clever feature called “AirDrop.” This much-anticipated feature is similar to the NFC (near field communications) technology that can be found on most Android phones. But the difference between AirDrop and Android’s NFC technology is that AirDrop can be used at a greater distance than its competitors. Also, with Android phones, users must touch the devices together in order to transfer photos, files, and documents, but AirDrop does not require a physical touch between devices to initiate a connection.

AirDrop uses two technologies: a combination of Bluetooth and Wi-Fi Ad-Hoc networks. AirDrop is available to users when they are within a maximum distance of 100 meters, and Wi-Fi is enabled in Ad-Hoc mode. But there’s a problem with both technologies – they can be hacked.

According to Wikipedia, Bluetooth is “a wireless technology standard for exchanging data over short distances (using short-wavelength radio transmissions in the ISM band from 2400–2480 MHz) from fixed and mobile devices, creating personal area networks (PANs) with high levels of security. Created by telecom vendor Ericsson in 1994, it was originally conceived as a wireless alternative to RS-232 data cables. It can connect several devices, overcoming problems of synchronization.” (1)

According to Wikipedia, a Wireless Ad-Hoc network “is a decentralized type of wireless network. The network is Ad-Hoc because it does not rely on a pre-existing infrastructure, such as, routers in wired networks or access points in managed (infrastructure) wireless networks. Instead, each node participates in routing by forwarding data for other nodes, so the determination of which nodes forward data is made dynamically on the basis of network connectivity. In addition to the classic routing, Ad-Hoc networks can use flooding for forwarding data. An Ad-Hoc network typically refers to any set of networks where all devices have equal status on a network and are free to associate with any other Ad-Hoc network device in link range.” (2)

When an iPhone user activates Bluetooth, discovery cannot be turned off. This means that another user with a Bluetooth transceiver in a smartphone or laptop is discoverable to you – and your iPhone is discovering it. The only way to turn off discovery mode is to turn off Bluetooth completely. With the proper software, the devices with Bluetooth can be compromised.

But most people don’t realize this and, instead, always leave Bluetooth in the “On” position on for the sake of convenience. It’s human nature to choose the easy option and not be bothered to constantly go back into the settings app and make changes. This is one reason that Bluetooth is open to attack because as long as it is in discovery mode, anyone with nefarious intent can find another iPhone user or tablet user. (3)

The second technology used by AirDrop is an Ad-Hoc Wi-Fi network. Since Ad-Hoc uses each node to forward data to other nodes, any of the nodes could be an attack vector to steal data from the Ad-Hoc network. This can also be accomplished with spear phishing attacks and other types of social engineering. (4)

As with any Wi-Fi network, distance can be an issue with attack. If you don’t know who else is attached to your network, you cannot control who may be able to access your data. One of the features AirDrop offers is a “show to all” option so that whenever a newer iPhone, iPad, etc., is brought into a room (by its user), it will announce (in technology-speak) that it is available. This is like announcing, “Dinner is now served in the main dining room.” If everyone knows that an iDevice has entered a room, someone can hack it.

And finally, while a device is locked, AirDrop can be activated. This feature is very dangerous. If the phone is stolen, files can be compromised without the benefit of having to crack the device first. Therefore, this “feature” should be disabled when the device is used for business purposes, unless strict security policies are put in place.

The bottom line is that while AirDrop may sound like a good idea in theory, it needs more security embedded into it for data transfers to be considered. Until then, the NFC technology where both devices must touch in order for data to be transferred is much more secure.

While it is true that with time, money, and effort, anything can be hacked. It’s also true that the more difficult it is, the less likely you will be hacked by amateurs. For SMBs, this means you should be wary of new technology until it has been proven safe and effective for the enterprise. You don’t want your data walking out the door without your knowledge.

__________

Sources for This Post:

(1) Wikipedia: Bluetooth

http://en.wikipedia.org/wiki/Bluetooth

(2) Wikipedia: Wireless Ad Hoc Network

http://en.wikipedia.org/wiki/Wireless_ad_hoc_network

(3) Cracking the Bluetooth Personal Identification Number (PIN)

http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

(4) Know the Risks of Ad Hoc Wireless LANs

http://www.airdefense.net/eNewsletters/adhoc.shtm

Image Credit: Apple iOS7 screen shot.

IBM

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

wordpress blog stats
Advertisements

About Allan Pratt

Technology and cybersecurity professional with focus on tech news, cybersecurity, networking, infrastructure, data protection, consumer electronics, and social media.
This entry was posted in BYOD, Data Security, Management and Technology, Mobile Computing, Tech Equipment. Bookmark the permalink.

One Response to Why iOS7’s AirDrop Is Risky for Business

  1. Jeff L. says:

    Good article Allan. I had a question about the details though relating to the encryption of communications between the iPhone and the device. I was under the impression information transferred during airdrop sessions was encrypted, is this incorrect?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s