Image credit: Pedro Dionísio

Today's “Helpful, straightforward advice that would've made absolute zero sense when we were kids” is this: If your Apple device recently received the Astronaut or Space Sloth photo via AirDrop, learn from this and be thankful it wasn't a nasty virus instead.

Now to deconstruct that statement. “Apple” with a capital A refers not to fruit but the tech company that makes Macintosh (Mac) computers, and other gadgets with a lowercase “i” at the beginning of their names: iPhone, iPad, iPod, iWatch, etc. And, according to the Apple company, “AirDrop lets you send files from your Mac to nearby Macs and iOS devices.”

Sounds pretty straightforward so far. Of course, anything that lets you send files can potentially be hijacked so someone else can send files – say, a hacker trying to plant dangerous malware or other viruses on your devices.

Or, less harmfully, a prankster highlighting (or taking advantage of) a little-known AirDrop security flaw by using it to send unsuspecting Mac and iGadget owners an unsolicited picture of a sloth wearing an astronaut's outfit – the Space Sloth.

Last month, on Nov. 10, Josh Lowensohn wrote an oddly confessional article for The Verge tech blog, admitting “I used Apple's AirDrop to troll strangers with photos of space sloths, and it's been going on for months.”

How does he do this?

Each day I get on the train to make the half hour voyage into San Francisco for work, I am surrounded by people using their phones. Many have iPhones or iPads, and have a setting turned on that lets me send them unsolicited files through AirDrop. Where Apple envisioned it as a way to send useful files and websites to friends and acquaintances, I use it to send photos of sloths to strangers. And not just any sloths, but sloths wearing spacesuits.

Lowensohn then discusses the history of the astronaut sloth photo and its creator, digital artist Pedro Dionísio, before going back to the technical features of AirDrop:

By default, the feature is not set to share with everyone. In fact, AirDrop itself is not even turned on until you use it for the first time. But I've found that a surprising number of people have flipped it on, and set it to accept things from the entire world. I assume that's by mistake, but by the time they've realized that, I've already struck. They can, of course, decline the AirSloth, but I know they've seen a small preview of it.

No big deal, right? But suppose that instead of a silly picture of an astronaut with a sloth's head, Lowensohn had chosen to send a nasty, explicitly pornographic picture (as many trolls seem to enjoy doing) – if that happens, you can certainly decline to accept an explicit, not-safe-for-work photo, but you've already seen a small preview of it, and depending on the circumstances it's possible that your kid or your boss did, too.

Even worse, suppose that instead of a photo, obscene or otherwise, Lowensohn had decided to send a virus to infect your device. Once you see that small preview, it's too late to stop it.

Name change

Lowensohn went on to describe how, in order to increase the chance of random iGadgets receiving the Space Sloth via AirDrop, he'd change the name of his phone based on his surroundings:

People name their phones all sorts of obvious and generic things. I, on the other hand, go with a handle that presents the possibility and plausibility of authority depending on the situation. Take the train for instance. It's Bay Area Rapid Transit, or BART for short. When I'm on there, I'll quickly rename my phone "BART." If it's a coffee shop, I'll change it to "Starbucks."

Changing names is a standard operating procedure for malicious hackers, too. Remember last June, when security researchers learned how ridiculously, insanely easy it was for malicious hackers to set up public wi-fi hotspots that looked like legitimate ones? Turns out that if you're a hacker wanting to fool a typical smartphone or tablet into thinking your malware-riddled hacker-bait hotspot is actually, for example, the free wi-fi at your local Starbucks, all you have to do is program your hotspot's electronic signal to say “I'm Starbucks wi-fi.” Then you can easily access any smartphone, tablet or other device that connects to you.

It really is that easy: say you are anyone you want to be, and the device will believe you because somehow its security-software writers made it all the way to adulthood and even a professional software-writing gig without internalizing the important security concept “Sometimes, people lie.”

That particular security flaw is relatively easy for smartphone owners to get around, by turning off the auto-connect features on their mobile devices. And it's similarly easy for iGadget owners to protect themselves from the AirDrop security flaw Lowensohn bragged about last month.

Did Apple ever envision people using it like this? I sure hope so. I can tell you that at a recent technology conference, I happened to be sitting a few feet away from a certain Apple executive and one of the company's PR people. I fired up AirDrop out of curiosity and both their phones immediately popped up, names included. During a break I ventured to ask why he'd left the setting on, and he told me it was to make it easier to share things with friends, and that he just left it on that way. When I told him what I used it for, I got a stern look of disapproval. Maybe they didn't think this through.

Apple action?

So that was the status quo a month ago, a long time in Internet terms, so surely by now Apple's done something-or-other to patch up that potential security leak, no?

No. On Dec. 1, FastCompany technology editor Harry McCracken took to his Twitter account to show the Space Sloth photo and say “Not sure if it's an accident or spam, but I was just AirDropped by a legendary Boston gangster.” Someone using the name Whitey Bulger had sent him the picture, and various people responded by linking to Lowensohn's Verge confessional.

By Dec. 10, the U.K.'s sensationalist Daily Mail tabloid asked its readers “Have you been a victim of SPACE SLOTH?” before pointing out, more reasonably, that the “Viral prank highlights [the] dangers of accepting unknown files using Apple's AirDrop.”

Think about ordinary email spam: you know that whoever sent it is up to no good, and you also know not to click on any links or download any attachments sent with it. Luckily, your email account doesn't have any setting equivalent to “automatically click on any link or download any file attachments in an email” — given the amount of spam email in existence, such a setting would be downright insane.

And you don't want AirDrop set up to automatically accept messages from just anybody, either – even if you don't receive anything worse than a silly photo of an spacefaring sloth.

Share your Comments