AirDrop is easy, fast, and convenient, but also a risk to employees and your data
Apple introduced AirDrop in 2011 with the launch of iOS 7 and OS X Lion (10.7) as an easy way to transfer files between devices. AirDrop creates a temporary, secure connection using Bluetooth and Wi-Fi. The two devices don’t have to be on the same Wi-Fi network, just within a few feet of each other for AirDrop to connect. AirDrop makes it sharing files as simple as picking the file or link to send, tapping the picture of the person to send it to, and—when the person accepts the file transfer—the file is pushed to them.
And this is where we run into problems.
Either by accident or intentionally, many people leave their devices—iPhones particularly—open to anyone seeing their device to push files to them. There have been spates of people having unsolicited files pushed at them—especially on public transit. Usually the files are meme images, but sometimes the images are offensive or pornographic and sometimes the files are much worse—malware designed to compromise a device. AirDrop does have the protection that you have to accept the file or link before it lands on your device, but enough people unwittingly tap accept and get the file or link—to make the gambit of sending something to strangers worth it. While images aren’t usually a security risk, at least one flaw in AirDrop was found that allowed malicious code to be sent and run on a target device. This makes allowing AirDrop on company phones a risk to your company if an employee’s phone is unwittingly compromised and used to steal files, hack into your network, or intercept messages sent through the device.
The simple way to prevent AirDrop problems is to turn AirDrop off or set it to be discoverable by contacts only. However most people aren’t aware of the setting, or the risks, which leaves them vulnerable. Luckily if you use device management, either for corporately owned devices or BYOD (Bring Your Own Device), you can lock down AirDrop and close this security hole with a couple clicks. First let’s understand how AirDrop works, the malware issue that arose, and the trade off of enabling or disabling AirDrop.
How AirDrop works and how it could become a problem
To send a file through AirDrop, your device scans the area (a few feet) for other available devices. AirDrop scans are like how you connect a Bluetooth speaker or headphones to a phone, an iPhone or Mac has to be “discoverable” by other devices for it to work. To control discoverability, AirDrop has three modes: Off, Allow to be discovered by contacts only, Allow to be discovered by everyone. The first two are easy to understand, if someone is in your address book (their email or phone number that is associated to their iOS device or Mac), then you see their device to send something to. Off, is off, which is safe, but not convenient if you use AirDrop to send a picture quickly between your phone and your Mac. The third option is the problematic one. People often set AirDrop to be discoverable by everyone when they are trying to get AirDrop to work with a friend or colleague. That person might not be in your address book so you set your iPhone or Mac as discoverable to everyone, send the file or link, and …
Promptly forget to AirDrop off or set to contacts only.
Now any other iPhone, iPad, or Mac within a few feet or you can “see” your device through AirDrop. Most of the time, all that happens is you get bombarded with requests to accept a photo or link. Often these are teen pranks on public transit—as talked about in this article from The Atlantic—but even a prank can get out of hand in the case of a woman hit with over a hundred images on the train (via Sophos Naked Security). As the Sophos article pointed out AirDropping someone is only and updated version of “bluejacking” where early flaws in Bluetooth file exchange protocols allowed the same kind of drive by harassment. Still new technology brings new headaches to all of us.
It’s easy to shrug off someone getting bombed with racy pictures on transit as a joke (though in many places, sending unsolicited pictures like that is against the law) , what’s not so easy to ignore is when the file or link being sent contains a malicious payload designed to compromise the device. This is where the threat to your company, your data, and your employees gets frighteningly real.
In 2015 an Australian security researcher found a flaw in AirDrop that allowed him to access core system files and even replace apps like the phone dialer with a malicious one of his own creation. The flaw was introduced with iOS 9 that year and thankfully Apple fixed this problem in an update to iOS 9 soon there after. However, if there is a single truism in computer security it’s if a security hole has been found once in something it will almost surely happen again. At this time there are no known threats to AirDrop as serious as this hijacking flaw found and fixed in 2015, but that might not remain the case forever. As useful as AirDrop is, and I use it several times a day to send screenshots to myself or links to websites from my phone to my Mac (and vice-versa), there is a risk to it. There is a risk that another flaw will be found that could even get around being discoverable by contacts only and leave iPhone users vulnerable again to malicious attacks. Thankfully using a Device Management System you can force disable features like AirDrop and protect your device and sensitive data that is surely contains.
How Device Management protects your company and employees
It’s scary to think you could accept what looks like a harmless file from someone—though you shouldn’t accept random files from people in the first place—and have core apps on your phone replaced with malicious imposters. It’s enough to make anyone suspicious and paranoid about technology. While it’s simple enough for anyone to turn AirDrop off on their phone (see the screenshot below):
Imagine if you have to manage a raft of company-owned phones. Imagine having 10, 30, 100, 300 phones you need to make sure have AirDrop disabled and stay disabled. There isn’t an easy or efficient way to do that manually. Sending an email to everyone to please turn AirDrop off? Going to every person’s phone and turning AirDrop off (and then have them turn it right back on again)? Neither of those will work. What you can do is roll out a device management system like Sky Work to not only turn AirDrop off, but make sure it can’t be turned on again.
Device management in a nutshell
Device management systems (DMS) are a set of apps that take care of tedious IT tasks automatically (or automagically) for you. All you need to do is tell the DMS what apps and settings you want on all company phones, have the DMS app installed on the phone, and the rest is taken care of. Settings are updated, passcode policies are set, apps automatically installed (and sometimes configured as well). You can see at a glance how many devices you have active in your company, who has them, and even where they are. If you need to update a policy, say AirDrop could be enabled but now you want to disable it, updating the security policy in one place pushes that update to all the devices all at once. Very handy.
Device management and your company data
While enforcing settings and automatically installing apps is great—and especially helpful when people use their personal phones for work (aka BYOD)—one of the most powerful parts of device management is how a DMS protects your company’s critical, proprietary data. People lose their phones all the time, but what happens to your company data on that phone? Without device management you might be able to use Apple’s Find my Phone to locate and erase the device—if someone turned it on. Android phones don’t have a similar app pre-installed or configured, so you might be out of luck there. However with a DMS like Sky Work, as soon as you know a device has gone missing you can locate it on a map or in a couple clicks erase all the company data from the phone leaving personal data untouched. Device management works by creating a work (also called managed) and personal areas on a phone or tablet. For a personal phone someone is using for work, device management creates a company space on the phone for company information. You can quickly erase all the company data from the phone without touching or interfering with the personal files. On a company owned and managed phone you have complete control over the device and can remotely reset the device to factory settings if needed.
Sky Work is device management made easy
Device management has typically been something large companies deploy. While the software on phones, tablets, and laptops is easy to deal with, the software to set up and manage a device management system can be excruciatingly difficult to use. Large enterprises have IT teams dedicated to setting up, maintaining, and monitoring their DMS. This doesn’t fly for the millions of businesses who don’t have a squad of IT ninjas at their disposal. This is why we made Sky Work. Sky Work is the DMS you can deploy in as little as 15 minutes. Sign up, create your account, click to add a device, install the DMS on your phone, done. Adding your company is as easy as uploading a spreadsheet with email addresses, then sending an email from Sky Work to everyone to add their device. Sky Work takes care of the rest. And unlike most device management systems, we charge by the user not the device. We know people have phones, tablets, and laptops that need to be managed so we’ve made it affordable to start using Sky Work and not have to pick and choose which devices you’ll protect and which you won’t.
If you’d like get early access to Sky Work and start a 30-day free trial (no credit card required), sign up below: