Do Apple AirPods pose a cyber eavesdropping / IoT threat to your company?
One of the most recent innovations in portable music came from Apple back in 2016. After redefining the music scene with the iPod in 2001 and the iPhone in 2007, Apple released a brand-new audio accessory that changed the way that many people listened to music: AirPods.
A wireless Bluetooth version of their popular EarPods headphones, AirPods connected effortlessly with all of Apple's devices, including iPhones, iPads, and Macs. And since their release, they’ve become one of the hottest accessories on the market today.
What Are AirPods?
Admittedly, there were wireless headphones on the market for years before Apple got into the game. The difference was how incredibly portable AirPods were. The wireless earbuds slipped into a tiny charging case about the size of a box of dental floss. And despite people making fun of the way they looked at first, AirPods soon became more than just wireless headphones. They became a fashion statement.
Today, all of the big companies are trying to play catch-up with Apple, including Samsung, OnePlus, Sony, and more. But none of them have been able to capture the unique “magic” of the AirPods.
What’s the Danger in Allowing Them in the Workplace?
If you’re security-minded (especially if you work in IT or TSCM security), then you don’t need to be told about the dangers of remote listening devices or IoT threats.
Thanks to AirPods, everyone is now wearing wireless Bluetooth headphones everywhere they go, including in the office. And that makes you wonder, what are the possible security concerns that can come from AirPods located in high-security areas of corporations?
Once connected to a mobile device, AirPods and similar wireless devices can maintain their Bluetooth connection over many meters. The range of a class-1 Bluetooth connection depends on the version of Bluetooth used. Bluetooth 3 has a range of 10 meters (33 ft), Bluetooth 4 has a range of 60 meters (200 ft), and the new standard of Bluetooth 5, the one used in the second generation of AirPods and the first generation of AirPods Pro, has a range of a whopping 240 meters (800 ft).
All someone needs to do is take their iPhone or iPad, leave it somewhere innocuous, and connect to it with their pair of AirPods. With the range of Bluetooth 5, this means they could be listening in from the copy room, the hallway, or even a car in the parking lot... anywhere within 800 feet.
If you want some customer testimonials about the range of AirPods, you can check some out on Apple’s official forums.
How Good is the Sound Quality?
That’s where Apple’s famous engineering comes into play.
Many people use AirPods as a sort of hearing aid. It’s a feature called “Live Listen,” and it can help users listen to conversations in noisy environments, or even just across the room.
Live Listen uses the iPhone or iPad’s microphone as a sort of external hearing aid. Once activated, Live Listen remains active until the AirPods are put back in their case or disconnected from their mobile device. This feature means that, even if the connected iPhone or iPad is hidden somewhere out of sight, it can still clearly pick up conversations within the same room. It’s a wonderful accessibility feature, but it is terrifying for security reasons.
Why Are AirPods the Device Accessory of Choice?
Admittedly, AirPods aren’t cheap. There are multiple eavesdropping devices available that have a better range and more reliable connection. So, why use AirPods?
It’s because iPhones and AirPods are innocuous. If you find an iPhone, your first thought isn’t going to be that someone is listening to you. You are simply going to think that someone forgot their iPhone at work. The vast majority of your employees are not going to flag iPhones as a security threat, primarily because they are already EVERYWHERE.
What Can Be Done to Stop This Cyber Eavesdropping / IoT Threat?
Protecting your company’s valuable information from IoT threats is paramount. So, how can you prevent your security from being compromised by something as simple as AirPods?
iPhones and iPads are both indispensable enterprise and personal-connection devices. But instituting a “no Personal Electronic Device” (PED) policy could be the best option. And, if you are going to institute a no-PED policy, this ban should also extend to all wireless Bluetooth headphones. HUAWEI FreeBuds 3, for example, look almost identical to Apple’s AirPods and provide similar functionality and range. A policy like this is especially important in areas where sensitive information is discussed on a regular basis.
You must make all of your senior staff aware of this potential IoT threat. If anyone sees an unclaimed iPhone or iPad sitting around the office, they should automatically assume that there is someone on the other end, listening in.
You should also have periodic TSCM / Cyber TSCM sweeps. These are designed to detect rogue mobile devices, hidden cell phones, and other wireless eavesdropping and hacking devices.
Not only that, you should be making sure that no one has compromised your own personal iPhone or the iPhones of any employees currently working in your office. Consider this: all someone has to do is somehow unlock one of your employees’ iPhones and connect their own pair of AirPods to it. Since no notification pops up when a previously connected pair of AirPods reconnects to an iPhone, they could be listening in on one of your trusted team members’ devices without them (or you) being any the wiser.
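As an added illustration (not part of the original article and not ComSec tooling), the Python below shows one narrow piece of such a sweep: parsing Bluetooth Low Energy advertising payloads and flagging devices that broadcast Apple's Bluetooth SIG company identifier (0x004C) inside a no-PED room. The scan-record format, addresses, payload bytes and RSSI floor are constructed assumptions.

```python
import struct

APPLE_COMPANY_ID = 0x004C    # Bluetooth SIG company identifier assigned to Apple
AD_TYPE_MANUFACTURER = 0xFF  # "Manufacturer Specific Data" AD type

def parse_ad_structures(payload: bytes):
    """Split a BLE advertising payload into (ad_type, data) pairs.

    Each AD structure is one length byte, one type byte, then length-1 data bytes.
    """
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break  # padding or truncated capture: keep what parsed cleanly
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def company_ids(payload: bytes):
    """Return the company identifiers found in manufacturer-specific data."""
    ids = set()
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER and len(data) >= 2:
            ids.add(struct.unpack_from("<H", data)[0])  # little-endian on the air
    return ids

def flag_sightings(sightings, watch_ids, rssi_floor_dbm):
    """Return (addr, rssi) for watched vendors heard at or above the RSSI floor."""
    return [(s["addr"], s["rssi"]) for s in sightings
            if s["rssi"] >= rssi_floor_dbm
            and company_ids(bytes.fromhex(s["adv"])) & watch_ids]

# Constructed scan records (hypothetical format: address, RSSI in dBm, hex payload).
SAMPLE_SIGHTINGS = [
    {"addr": "4A:00:00:00:00:01", "rssi": -48, "adv": "02011a0aff4c0001020304050607"},
    {"addr": "4A:00:00:00:00:02", "rssi": -50, "adv": "02010605ffffff0102"},
    {"addr": "4A:00:00:00:00:03", "rssi": -92, "adv": "02011a0aff4c0001020304050607"},
    {"addr": "4A:00:00:00:00:04", "rssi": -45, "adv": "02011a0aff4c00"},  # truncated
]

if __name__ == "__main__":
    for addr, rssi in flag_sightings(SAMPLE_SIGHTINGS, {APPLE_COMPANY_ID}, -70):
        print(f"FINDING: Apple BLE advertiser {addr} at {rssi} dBm in no-PED room")
```

RSSI is only a rough proximity indicator, and a device that is not advertising will not appear, so a check like this complements a physical sweep rather than replacing it.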
Accessibility technology is a wonderful thing, but can be misused by nefarious actors looking to compromise your company’s security and privacy. The only way you can make sure that you’re protected is for your entire workforce to be aware of threats, and to use Corporate TSCM Services to make sure your business and personal devices are safe and secure. If you want to make sure that your company’s privacy is secure, feel free to contact us today!
About the Author:
J.D. LeaSure, CCISM, is the President / CEO of ComSec LLC, a global provider of world class counterespionage and TSCM / Cyber TSCM™ services. www.ComSecLLc.com