The State of Connecticut shared an “Informational Awareness” notification involving a recent Apple product software upgrade.
“All Apple products that have AirDrop functionality and are running iOS 17 received the NameDrop add-on. The NameDrop is turned on by default in the latest upgrade and allows two iPhone users to activate the feature by holding the top ends of their smartphones together. Once successful connection is made, the phone will prompt the user to unlock the device and continue the NameDrop process. Once unlocked, a contact card displaying the user’s email address, phone number, and contact photo will display on the phone, along with a prompt asking for user input to select “Share” or “Receive Only.” Selecting “Share” will send the user’s contact card to the other device while selecting “Receive Only” allows the other party to send their contact card. The transaction is completed by tapping “Done” on the top left corner of the screen.
Contact sharing is canceled if the two smartphones are moved apart anytime during the process or if the user decides to lock their iPhone using the power button. Even though NameDrop is auto-enabled when the device is updated to iOS 17, it is crucial to note that consent is required throughout the process. A random person on the street cannot just bump into another for a few seconds, and then walk away with the other’s phone number.
Users who wish to turn off the feature can do so by navigating to the following path: (U) Settings -> General -> AirDrop -> Start Sharing By -> Toggle Bringing Devices Together to the left. On this page, you can also change the settings for who can AirDrop information to your phone.
While this feature may pose additional risk in situations where the user may not want to provide another individual with a valid phone number or crowded locations where the device may be left unattended, the length of time and requisite user inputs makes this a low risk attack vector.”
To help promote an individual’s privacy rights with their Apple devices, the Old Lyme Office of Emergency Management recommends device users review the information contained within their contact card and ensure it contains no data they would not want to share with other individuals, and that users maintain positive control of their devices whether they are locked or unlocked.