Transferring files in your phone has become one of the easiest tasks today. Whether you are sharing pictures or songs, your phone device has got it all covered. However, this connectivity may compromise your privacy and security, especially if it is an apple device.
Recently, a researchers’ group from Northeastern University and the Technical University of Darmstadt in Germany, found flaws that make Apple’s AirDrop and similar services vulnerable to attack. “The worst aspect is that these attacks could happen anywhere. The attacker does not have to be connected to a network”, says Guevara Noubir, a professor of computer sciences and director of Northeastern University’s cyber security graduate program. He was a part of the team.
AirDrop uses Apple Wireless Direct Link. It is a protocol which lets nearby devices to communicate with one another via Bluetooth and Wi-Fi. The researchers found design flaws and implementation bugs that can allow an attacker to crash devices, track users, and intercept files. In their first attack, it was demonstrated that Apple Wireless Direct Link can be used to track a particular device and, acquire personal information about the owner. For instance, if you’re using AirDrop to send a picture to your, you tap the “share” icon, which makes your phone send a signal to wake up any nearby devices. If the friend has his iPhone’s AirDrop set to receive data from anyone, his phone will automatically share identifying information. Every time a contact is added to your phone, it is assigned a condensed, identifying set of numbers. If a nearby device sends a signal with these numbers, your phone will assume the device is in your contacts and reply with more information. Your friend’s phone will recognise this and respond.
In another attack, it was found that communication can be disrupted between two devices, intercept the files being transferred, and pass on their own files instead. They also demonstrated that they could cause a series of devices to crash simultaneously.
So what can be done? “They could redesign it more carefully, with different mechanisms to protect against these attacks. It’s just that it’s difficult once all these devices are deployed. You need it to be compatible” Noubir says.
Shahjadi Jemim Rahman