What is this about “cyberflashing” and how to prevent it?
Taking control of local data-transfer functionality like AirDrop can help you avoid unwanted surprises
Article
Cyberflasher Airdrops rude images to victim’s iPhone | Naked Security (Sophos)
My Comments
A problem that has started to surface for Apple iOS users is the ability for someone to send gross images to strangers courtesy of the AirDrop feature that newer iterations of this platform have. Situations where this typically happened were when the offender and victim were on public transport or in public areas.
This feature makes it easy to share photos between iOS and MacOS X devices in a local area using Bluetooth and Wi-FI technologies and provides a thumbnail image of incoming photos rather than a dialog box asking if you want to receive the image.
This was feasible with Android and other open-frame mobile operating systems courtesy of Bluetooth Object Push Profile but these platforms. especially Android, hardened themselves against this by making your phone undiscoverable by default and providing a narrow time limit for having your phone discoverable by Bluetooth devices. As well, these platforms required your permission to start receiving the file and you didn’t see one bit of that file until you gave the go-ahead.
Android and Windows improved on this using a passcode that you and your correspondent exchange before a file is transferred and the NFC functionality that is part of recent Android versions requires you to physically touch the backs of the phones as part of instigating the data transfer.
The same situation may also crop up with Wi-Fi Aware as it implements Bluetooth local discovery for ad-hoc Wi-Fi networks created by mobile devices and will require users to be able to take control of what notifications and files they receive on their devices if this technology is for transferring files.
Protecting yourself
A good practice to observe is to turn off the AirDrop feature unless you make regular use of it. Or, at least, set AirDrop’s discoverability settings to “Off” or “Contacts Only” rather than “Everyone” so that every man and his dog can’t discover your phone. You would turn this function on if you are expecting a photo from someone not yet in your Contacts List.
In some situations, you may have to disable Wi-Fi and Bluetooth unless you are actually using these features such as linking to a hotspot or using a Bluetooth headset.
You may find that changing your device’s identity to your initials or something innocuous rather than your first name may work wonders in these situations.
I would also prefer that any local data transfer or similar activity between users takes place in a manner where each participant can see each other. This may be at the same table in a café, restaurant or library, the same seating cluster in a lounge area, the same row of seats in a public-transport vehicle or a similar area of close proximity. As well, such activity should be preceded by relevant conversation.
What must be preserved
If a setup allows for local data transfer between computer devices using a wireless medium, there must be a way of allowing the users to confirm their intent to transfer the data between each other. This means that the sender and receiver know whom the data is coming from and to and must occur before a single bit of the actual data changes hands.
This may be through the sender exchanging a simple passcode to the receiver or requiring the devices to physically be near each other at the start of the data transmission. The latter solution may be in the form of NFC where the users touch the backs of their devices together, or a QR code shown on the sending device’s screen that the receiving device has to scan before transmission takes place.
If a user wants to simplify this process, they could create a “trusted recipients” list which can be their Contacts list or a separately-created list. Personally, I would use all of the “friends” in a social network as this list because that tends to encompass too many people and an account can too easily be compromised.
The same thing must also apply to social networks, online gaming and similar services where one user may want to enrol another user in to their personal lists. This is more important if any of these services facilitate the transfer of files between users or support any form of instant messaging.
