Skip to content
Naked Security Naked Security

Cyberflasher Airdrops rude images to victim’s iPhone

Apple's AirDrop sends you an image so you can decide whether you want the sender to send it to you. What could possibly go wrong?

Cyberflashing?

Is there such a thing?

Yes, there is, because a London woman recently made a complaint to the police over just such an incident.

It happened thanks to Apple’s AirDrop feature on her iPhone.

AirDrop is supposed to make it easy to send files between Macs, iPhones and iPads, using connections set up automatically by the devices themselves over Bluetooth or Wi-Fi.

The problem is that when AirDrop pops up on your iPhone to asks you if you want to receive a photo, it actually shows you a thumbnail of image in a preview window, to help you make up your mind.

Like this:

In Lorraine Crighton-Smith’s case, however, the thumbnail she received while on the train wasn’t quite a photo of a man’s thumb.

To put not too fine a point on it, the creep sent her a picture of his (or someone’s) penis.

She hit [Decline] but the sender simply tried again.

Crighton-Smith reported the incident to the police, but it seems there wasn’t much they could do given that the evidence they’d have needed to take the incident any further was lost when she declined the image.

When “don’t send” means “already sent”

With hindsight, Apple’s workflow of sending you an image to see if you want the sender to send it to you may not be quite the right way to do it.

Perhaps an option to control or turn off the “thumbnail” feature would be more than just a nice-to-have?

When I went digging to try to get AirDrop working between my iPhone and my Mac, I found that many others had struggled before me.

Suggestions such as “simplify things by making yourself discoverable by Everyone” kept coming up, and that doesn’t seem too risky if all you’re planning on doing is transferring a few files to your friend next to you on the train.

After all, a sender can’t force you to hit [Accept] on your device, so as long as you know who’s going to be sending and when, you’re very unlikely to accept files sent by the wrong person.

Nevertheless, during that window of being “discoverable by Everyone,” a malcontent can pop up images on your device…

…which means you effectively have to accept them as part of refusing them.

Worse still, because AirDrop relies on a combination of Bluetooth and Wi-Fi, any creepy sender will be close by but not necessarily obvious, perhaps watching from another part of the train.

What to do?

Here are some tips to help you being singled out in this way by malcontents, whether they’re aiming to shock you, creep you out or scam you:

  • Avoid making your device “discoverable by Everyone.” If you need to do so for a brief convenience, be careful to turn it back off afterwards.
  • Avoid giving your iPhone or your Mac a name that makes your identity obvious. Lorraine Crighton-Smith’s iPhone was called “Lorraine,” which is more information that passers-by needed to know.
  • Keep connectivity features like Bluetooth and Wi-Fi off when you aren’t using them. It’s a bit less convenient, but it gets you in the habit of “opting in” rather than “opting out.”

To change your AirDrop settings, press the Home button on the front of your iPhone to go the Home Screen, and drag up from the bottom to bring up the Control Center:

Tap the Air Drop icon to configure your visibility:

To rename your iPhone or iPad, go to Settings | General | About and tap on Name:

But what if you do get cyberflashed and want to do something about it?

Unfortunately, for the most useful sort of evidence, you’d need to receive and keep the actual image file, which implies giving the message [Accept] to a creep.

The next best thing is a screenshot, which you can acquire by pressing and holding the Sleep/Wake button on the top or side of your iPhone, then immediately pressing and releasing the Home button.

But beware!

Screenshots count as photos, so if you have any “auto-upload” or auto-synchronisation services turned on that save your photos automatically into the cloud…

…the cyberflasher’s image will join them online.

8 Comments

Duck wrote “With hindsight, Apple’s workflow of sending you an image to see if you want the sender to send it to you may be quite the right way to do it.”

Umm, missing a “not” here? Maybe between “may” and “be”?

Of course, you could just get over the “I have a right to not be offended” attitude, reject the image, a few times if necessary, and get on with your life.

This goes a bit beyond “not being offended,” wouldn’t you say?

Anyway, the content of the image wasn’t the only point of the story. The point was to [a] discuss how software workflow that seems useful may end up being abused and [b] to offer some related tips about security.

What if the creep sends the picture to a child? Would you tell them to “get over it”?

And would you try to apply your argument to a regular, non-cyber flasher? After all, nobody’s *forcing* you to look at his genitals when he jumps out of the bushes in front of you in a dark alley.

I can guarantee that you’ll change your mind if it ever happens to someone close to you.

Why not iCloud lock it ? Once you do that, It’s basically a 300$ paperweight. Also Find my iPhone is a good service too. Icloud locking basically locks him straight out of anything without having the person’s credentials. If my phone got stolen, That’s the first thing i’d do, lock the SOB out of it completely.

The point is that she’d turned on “Everyone” mode, as you do – supposedly without too much risk because of the Decline/Accept popup – and forgot to turn it off.

(Ken Munro, a security researcher who is quoted in the BBC story, suggested another neat feature to go with my “turn off popup thumbnails” option, namely an “turn off AirDrop automatically after N minutes” option. I’d turn that on. Would leave a lot of convenience with greatly reduced risk.)

Holy cow, I did not even know about this. Thank you for the heads up. I have just turned off my iPhone airdrop.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?