Tuesday, November 28, 2023

Security alert: there are questions about Apple's new NameDrop feature

 

A surprising number of police departments and other security agencies are issuing warnings about Apple's new NameDrop feature in the latest version of its iPhone operating system.  Here, for example, is what the Oakland County Sheriff's Office in California had to say:


IPHONE PRIVACY INFORMATION

If you have an iPhone and have completed the recent iOS 17 update, they have set a feature called “NameDrop” to default to ON after completing the update.

This feature allows you to share your contact information by being next to another iPhone. In that section, you can also limit who can be the recipient of your AirDrop.

To shut this off go to Settings, General, AirDrop, Bringing Devices Together. Change to OFF.

And yes, we know that it allows you to share it and you can refuse but many people do not check their settings and realize how their phone works.  This particular setting defaults to on rather than have you opt in. And again, it is the area where you also decide who can access AirDrop.

PARENTS:  Don’t forget to change these settings after the update on your children’s phones as well.


In response to all these warnings, multiple media and technology resources are claiming that the threat isn't as bad as it seems, and is being overblown.  However, I want to know why the feature is switched on in the first place.  Surely, if it was in any way concerned about security, Apple should have installed the new version of its operating system with the feature switched off, so that users would have to make an informed, conscious decision to turn it on, in full awareness of any security risk that might result?  That, to me, would be the mature, sensible way to do it.  However, I'm not Apple, and the company clearly doesn't see it that way.

Fortunately, I don't have to worry about this particular feature, because I don't use an iPhone.  However, I'm sure someone will bring out something similar for Android phones in the not too distant future . . . so all of us in the non-Apple cellphone universe should learn from this, and be on our guard.

Peter


12 comments:

Anonymous said...

FWIW, when I checked the settings the options were which was the default



was on by default

Plague Monk said...

I was on a DoD contract a few years back, and the security officer told us that he didn't think either Androids or Apple phones were at all secure. I've never owned either one, and while that limits me in some senses (I'd like to be able to control my reef tank settings via Bluetooth), I'd rather minimize the security risk.

Javahead said...

Developers seem to have the mindset “we worked so long to add this feature - of COURSE you want it enabled.”

Bluetooth noticeably reduces the time a single charge lasts. I don’t use Bluetooth very often, usually just when I’m listening to music, so I turn it off if I’m not using it. As I do with wifi when not at home, both for security and to extend battery life. But every update turns both on by default.

Now one more thing to remember to disable each time.

Magson said...

@Plague Monk -- For a long time, the fedgov considered iOS and Android to be completely insecure. All fedgov phones were required to be Blackberry units, as they were considered to be secure. Too bad RIM ended up going out of business, no?

Old NFO said...

I 'think' this was a convenience item for those who didn't know how to manipulate their iPhones. Was it a good idea? Hell no!

kamas716 said...

Before this morning I had never heard of "Name Drop" before. I'm not a fan of iOS to begin with, and have never felt their stuff was any more intuitive than other operating systems, but their recent couple of decades of history seems very suspicious to me.

Anonymous said...

I'm still on the older iOS, and have all AirDrop turned off by default. Like other data sharing options. I went through and disabled anything I don't use on a daily basis. It drives my tech-mad sibling batty. (A side benefit.)

TXRed

SiGraybeard said...

I was using an obsolete year/model iPhone until this weekend. My wife and I had the same model and her phone seemed moments from hard failure (battery would discharge 10% every half hour), so we got replacements. The old phone wasn't upgraded from the introduction of OS16 so this is something I didn't even know existed.

From everything I've seen, heard and read, neither Android nor iOS is particularly secure but iOS might be better for routine updates to protect against new malware and other hacker threats. You've got to know the Feds crack into everything.

Much like Windows or any other system you get these days, a bunch of crap that you don't want will be turned on by default. Software design for these things is so much in the mode of "change for the sake of change" or "change because a screaming minority asked for it" that the vast majority of changes should be ignored. It's not getting the choice that's annoying.

Zaphod said...

@PlagueMonk:

A properly updated and used Android or iPhone is secure enough from most casual third party security threats. By that I mean that you won't get pwned by some script kiddie down at the mall as you walk past each other.

Neither can ever be safe from FedGov or foreign state actors... or anyone who can get access to the spyware so kindly marketed by your Greatest Ally to any and all governments.

Most people should just be concerned about not having too lax security settings on their phones and keeping up with security updates and only installing Android Apps from trustworthy repositories (i.e. Google Play Store, F-Droid).

Want fairly secure comms: use Session or Signal. But all that does is stop FB and friends from collecting your metadata. If you're a person of interest, the Federal Bodysnatching Initiative doesn't need to break encryption -- it just hacks your phone remotely and logs keystrokes etc. at the OS or even processor microcode level.

There are no secure comms unless you have a radioactive decay source of entropy and make your own one-time pads in a shielded room and distribute them via a network of highly-trained gerbils rescued from Richard Gere's basement.

Blackberries were totally compromised at server level by No Such ... and Big 4+1. Secure against script kiddies sure. I don't think that Federal employees were permitted to take them on vacation to the Great Wall of China and the Fleshpots of Shanghai. Nothing is *that* secure.

Something for all the instinctive reflex China hating Barcalounger Boomers to contemplate. Perhaps with a bit of research a properly set up Huawei phone would make a good communication device: You're really worried about Fu Manchu analysing your precious bodily fluids from half a planet away and not about some Social Justice Warrior or Governmental Commissar in the USA who can and eventually *will* reach out and touch you? Open your minds :P

Still best to use the Gerbils. Or remain silent.

Hamsterman said...

@Zaphod,

Hate to break this to you, but the gerbils work for me.

Tsgt Joe said...

Great timing on this article. I just went and ordered an iPhone and iPad for my wife for Christmas. I just looked in my iPad and it had downloaded iOS 17 this afternoon, it was 16 something this morning. AirDrop was open to contacts! My wife is going on and on about how crazy it is and "who would possibly want such a thing". I told her we're early boomers, it's not for us. We are in our mid 70's and a lot has us scratching our heads.

Zaphod said...

@Hamsterman:

You do realise that could be misconstrued? :D