Are AirDrop Security Risks Worth the Cost to your Company?

AirDrop is easy, fast, and convenient, but also a risk to employees and your data

Apple introduced AirDrop in 2011 with the launch of iOS 7 and OS X Lion (10.7) as an easy way to transfer files between devices. AirDrop creates a temporary, secure connection using Bluetooth and Wi-Fi. The two devices don’t have to be on the same Wi-Fi network, just within a few feet of each other for AirDrop to connect. AirDrop makes it sharing files as simple as picking the file or link to send, tapping the picture of the person to send it to, and—when the person accepts the file transfer—the file is pushed to them.

And this is where we run into problems.

Either by accident or intentionally, many people leave their devices open to anyone seeing their device to push files to them. There have been spates of people having unsolicited files pushed at them—especially on public transit. Usually the files are meme images, but sometimes the images are offensive or pornographic and sometimes the files are much worse—malware designed to compromise a device.

AirDrop does have the protection that you have to accept the file or link before it lands on your device, but enough people unwittingly tap accept and get the file or link—to make the gambit of sending something to strangers worth it. While images aren’t usually a security risk, at least one AirDrop security risk was found that allowed malicious code to be sent and run on a target device. This makes allowing AirDrop on company phones a security risk if an employee’s phone is unwittingly compromised and used to steal files, hack into your network, or intercept messages sent through the device.

The simple way to prevent AirDrop problems is to turn AirDrop off or set it to be discoverable by contacts only. Most people aren’t aware of the setting, or the risks, which leaves them vulnerable. Using device management software for corporately-owned COBO or BYOD (Bring Your Own Device) you can lock down AirDrop and close this security hole with a couple clicks.

See for yourself—Get a demo of SKY WORK

How does AirDrop work and what are the security issues?

Look how many people I could send this bunny picture to while I was on the train.

Are AirDrop Security Risks Worth the Cost to your Company? 1

I wish this was an extreme example—it’s not. AirDrop works like this:

  • Your device scans the area (a few feet) for discoverable devices.
  • AirDrop scans are like how you connect a Bluetooth speaker or headphones to a phone, an iPhone or Mac has to be “discoverable” by other devices for it to work.
  • To control discoverability, AirDrop has three modes:
    • Off: Safe, but not convenient if you use AirDrop to send a picture quickly between your phone and your Mac.
    • Allow to be discovered by contacts only: People in your address book (email or phone number) can see your device.
    • Allow to be discovered by everyone: Anyone within range can see and find your device. This is where you are most vulnerable.

The third option is the problematic one. People often set AirDrop to be discoverable by everyone when they are trying to get AirDrop to work with someone not in their address book, like quickly sending something to a person at work. You set your iPhone or Mac as discoverable to everyone, send the file or link, and then—you forget about it. Until…

Now any other iPhone, iPad, or Mac within a few feet of you can “see” your device through AirDrop. Most of the time, all that happens is you get bombarded with requests to accept a photo or link. Often these are teen pranks on public transit—as described in this article from The Atlantic—but even a prank can get out of hand as in the case described in this post from Sophos about a woman bombarded with over a hundred images while on the train.

As the Sophos article pointed out AirDropping someone is an updated version of “bluejacking” where early flaws in Bluetooth file exchange protocols allowed the same kind of drive by harassment. So AirBombing isn’t really new, but that doesn’t mean we’re prepared to deal with the security issues.

What is the biggest Airdrop security risk?

It’s easy to shrug off someone getting bombed with racy pictures on transit as a joke (it isn’t) , what’s not so easy to ignore is when the file or link being sent contains a malicious payload designed to compromise the device. This is where the threat to your company, your data, and your employees gets frighteningly real.

In 2015 an Australian security researcher found an AirDrop security flaw that allowed him to access core system files and even replace apps like the phone dialer with a malicious one of his own creation.

iOS 8.4.1 AirDrop Exploit Demo

Apple fixed this problem in an update, but if there is a single truism in computer security it’s if a security hole has been found once, it will almost always happen again.

As useful as AirDrop is, and I use it several times a day to send screenshots to myself or links to websites from my phone to my Mac (and vice-versa), there is a risk to it. There is a risk that another flaw will be found that could get around being discoverable by contacts only and leave iPhone users vulnerable again to malicious attacks. Thankfully using mobile device management (MDM) you can force-disable features like AirDrop and protect your device and the sensitive company data that it surely contains.

How does device management protect against Airdrop security risks?

It’s scary to think you could accept what looks like a harmless file from someone—though you shouldn’t accept files from random people in the first place—and have core apps on your phone replaced with malicious imposters. It’s enough to make anyone suspicious and paranoid about technology. While it’s simple enough for anyone to turn AirDrop off on their phone (see the screenshot below):

Are AirDrop Security Risks Worth the Cost to your Company? 2
AirDrop settings are found in the General Settings on your iOS device

Imagine if you have to manage a raft of company-owned phones. Imagine having 10, 30, 100, 300 phones you need to make sure have AirDrop disabled and stay disabled. There isn’t an easy or efficient way to do that manually. Sending an email to everyone to please turn AirDrop off? Going to every person’s phone and turning AirDrop off (and then have them turn it right back on again)? Neither of those will work. What you can do is roll out a device management system like SKY WORK to not only turn AirDrop off, but make sure it can’t be turned on again.

Device management in a nutshell

Device management systems (DMS) are a set of apps that take care of tedious IT tasks automatically (or automagically) for you. All you need to do is tell the DMS what apps and settings you want on all company phones, have the DMS app installed on the phone, and the rest is taken care of. Settings are updated, passcode policies are set, apps automatically installed (and sometimes configured as well).

You can see at a glance how many devices you have active in your company, who has them, and even where they are. If you need to update a policy, say AirDrop could be enabled but now you want to disable it, updating the security policy in one place pushes that update to all the devices all at once. Basic mobile device management (MDM) can be very handy.

Device management, company devices, and your data

While enforcing settings and automatically installing apps is great—and especially helpful when people use their personal phones for work (aka BYOD)—one of the most powerful parts of device management is how a DMS protects your company’s critical, proprietary data.

People lose their phones all the time, but what happens to your company data on that phone? Without device management you might be able to use Apple’s Find my Phone to locate and erase the device—if someone turned it on. Android phones don’t have a similar app pre-installed or configured, so you might be out of luck there.

With SKY WORK, as soon as you know a device is missing, you can locate it on a map or erase all the company data from the phone leaving personal data untouched.

Device management works by creating work (also called managed) and personal areas on a phone or tablet. For BYOD devices, device management creates a company space on the phone for company information. You can quickly erase all the company data from the phone without touching personal files. On a company owned and managed phone you have complete control over the device and can remotely reset the device to factory settings if needed.

SKY WORK makes device management easy

Device management has typically been something large companies deploy. While the software on phones, tablets, and laptops is easy to deal with, the software to set up and manage a device management system can be excruciatingly difficult to use.

Large enterprises have IT teams dedicated to setting up, maintaining, and monitoring their DMS. This doesn’t fly for the millions of businesses who don’t have a squad of IT ninjas at their disposal. This is why we made SKY WORK. SKY WORK is the DMS you can deploy yourself with no IT team. Sign up, create your account, click to add a device, install the DMS on your phone, done.

Adding your company is as easy as uploading a spreadsheet with email addresses, then sending an email from SKY WORK to everyone to add their device. SKY WORK takes care of the rest. And unlike most device management systems, we charge by the user not the device. We know people have phones, tablets, and laptops that need to be managed so we’ve made it affordable to start using SKY WORK and not have to pick and choose which devices you’ll protect and which you won’t.

See for yourself—Get a demo of SKY WORK