A JetBlue flight waiting for takeoff at Newark Airport, USA, was evacuated after members of the crew and some passengers received a photo of a suicide vest via Apple’s AirDrop.
Although the source of the photo is unknown, someone nearby – potentially a passenger, according to a report in the New York Daily News – would have had to share the disturbing picture through the Bluetooth technology.
"In the case of this JetBlue instance, there’s no real way to trace a Bluetooth MAC address to an individual or their device unless you were to confiscate all the devices from the passengers on the flight," said Richard Gold, head of security engineering at Digital Shadows. "Even then, it’s unlikely you’d be able to figure the originating MAC address without forensically examining the devices which received the pictures."
Gold said the issue is a well-known "one that rears its ugly head from time to time," noting "a number of reports of people abusing the AirDrop feature on iOS devices that uses Bluetooth technology to send unwanted photos of various natures to unsuspecting receivers" ever since Apple first introduced in 2011.
"The root of the attribution issue is that MAC addresses are not assigned like IP addresses," said Gold. "This would be like attributing an issue to certain piece of equipment based on its serial number."
Chris Morales, head of security analytics at Vectra, said "the problem isn’t that Bluetooth is hard to trace. It’s that everyone leaves Bluetooth on by default and it is a simple protocol to connect to and is designed for sharing information."
Morales, who admits he used to "walk around with my laptop scanning for exposed Bluetooth listening devices and could send commands to the owner," said "the easiest way to not receive things over Bluetooth is to require a pin for connectivity or to just turn it off."
That’s something Apple has provided for, said Gold. "iOS users can limit who can AirDrop images to them to their contacts," he said. "Users should also always be careful about which pairings they accept."
This article was originally published on SC Media US.