The feature in Apple mobile devices that allows people to send photos to nearby phones via Bluetooth is at the heart of a terrorism scare on a JetBlue flight over the weekend.
According to the New York Daily News, a prankster sent a photo of a suicide vest to everyone who had an Apple device on the plane, using AirDrop.
The plane was about to take off from Newark Liberty Airport on Saturday, bound for Tampa, Fla., but had to be evacuated and searched after the photo popped up on passengers’ phones, including two flight attendants’ devices. Sources speaking to the Daily News said that the pilot immediately declared an emergency and that people, luggage and cargo were taken off the plane onto the tarmac. Bomb-sniffing dogs were brought in, but nothing was found.
AirDrop allows anyone to send a photo to anyone else with AirDrop turned on within a range of about 30 feet. Users can change the AirDrop settings to only receive messages from friends, or they can choose to receive content “from everybody.” The latter setting has presented problems before, such as the trend of men on the subways of London and New York sending unsolicited sexually explicit pics to unsuspecting people on the train.
Some on Twitter have pointed out that AirDrop doesn’t automatically support sending content en masse, meaning that the perpetrator in the JetBlue case would be challenged to send the picture to every iPhone that was set up to receive it:
https://twitter.com/maru37/status/1150583756241199105
However, Chris Morales, head of security analytics at Vectra, told Threatpost that “It isn’t that hard to build a batch job that would send a photo to everyone.”
In terms of tracking down the person responsible, clearly it would have had to be a person on the plane since the aircraft was taxiing at the time. Authorities are reportedly investigating the issue, but tracking the photo back to a specific device is difficult; AirDrop is essentially anonymous, security experts said.
“In the case of this JetBlue instance, there’s no real way to trace a Bluetooth MAC address to an individual or their device unless you were to confiscate all the devices from the passengers on the flight,” Richard Gold, head of security engineering at Digital Shadows, told Threatpost. “Even then, it’s unlikely you’d be able to figure the originating MAC address without forensically examining the devices which received the pictures.”
The root of the attribution issue is that MAC addresses are not assigned like IP addresses, he added: “This would be like attributing an issue to certain piece of equipment based on its serial number.”
Morales noted that Bluetooth’s weakness is its ease of use, which can get non-tech-savvy users into security trouble.
“The problem isn’t that Bluetooth is hard to trace,” he said. “It’s that everyone leaves Bluetooth on by default and it is a simple protocol to connect to and is designed for sharing information. I used to admittedly walk around with my laptop scanning for exposed Bluetooth listening devices and could send commands to the owner. It is very easy.”
Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More