AirDrop: a serious vulnerability in OS X and iOS

Whilst you are busy downloading today’s updates – so far I count iOS 9, Xcode 7.0, and iTunes 12.3, but not watchOS 2.0 of course – you might like to take the opportunity to rethink your use of WiFi when your Mac or iOS device could be eavesdropped by another WiFi device.

The reason is explained in Kaspersky Labs’ article about a newly discovered vulnerability in AirDrop, which could allow an attacker to use AirDrop to drop you malicious files, even in ‘protected’ folders, and without your being able to block them.

This has been demonstrated as a means of placing a malicious app on an affected system without any of the security checks on code signatures. Given a little time, an attacker could install an Enterprise provisioning profile on an iOS device, which would even suppress warning prompts as they then installed other malicious software.

However iOS 9 does contain a mitigation, though not apparently a complete fix. It is not clear when this will be addressed in OS X, but hopefully this will be included in the initial El Capitan release.

In the meantime, the only defence is to turn WiFi networking off whenever you think that someone could use AirDrop to attack you, particularly in public places. Which kind of defeats the object of having WiFi in the first place, I fear.