Your Apple phone, tablet or computer may be letting anyone within 30 feet put malware on your device, thanks to a flaw in the AirDrop protocol used to send files between devices.
Many Apple owners use AirDrop to share photos, but Mark Dowd, a Sydney, Australia-based security researcher, told ThreatPost and Forbes that the flaw means AirDrop can also be used for malicious purposes. If AirDrop is set to accept files from anyone, then an app can be installed from across the room, without the device's owner being shown any warning dialog.
Dowd discovered a flaw in AirDrop that lets AirDropped apps escape their "sandbox" and access other parts of the iPhone's internal file system. Using his own Apple developer certificate, he created a proof-of-concept malicious app that begins by tricking the iPhone into accepting his app as pre-approved for installation, which stops the device from asking the recipient to approve the AirDropped file before it is installed.
Annoyingly, even if you have AirDrop file-transfer permissions set to "Off" or "Contacts Only," anyone who can pick up your phone can change the settings to accept files from "Everyone." That's because the toggle for the setting is placed in the Control Center menu, which can be accessed even when a phone is locked. (AirDrop is disabled by default, but plenty of people who use the feature once never turn it off.)
This vulnerability will be partially ameliorated on iPhones and iPads by the free iOS 9 update due today, and on Macs in OS X 10.11 El Capitan, due Sept. 30. Dowd told ThreatPost that the iOS and OS X updates don't fix the problem completely, as they only give the user an option to accept or decline the incoming data and don't completely prevent the sandbox escape. By the time the notification appears, Dowd told Forbes, code can execute.
We recommend that Apple users set AirDrop to Off or Contacts Only, remove AirDrop from the Control Center, and not leave an iPhone with anybody who you suspect would change the setting to Everyone. (In general, it's best to keep Wi-Fi and Bluetooth, both of which AirDrop needs to function on an iPhone, turned off on your phone when you're not using them.)
AirDrop has been abused to send amusing photos of space sloths or genitals to the phones of unwitting strangers on commuter-railway platforms. However, neither of those "attacks" involved installing malware; doing so would have required an enterprise certificate.