AirDoS attacks spam iPhones with AirDrop share popups

Dec 13, 2019 10:00 GMT

A Denial-of-Service bug in older versions of iOS allows an attacker to render any nearby iPhones and iPads completely useless by simply spamming them with AirDrop share popups.

Discovered by researcher Kishan Bagaria back in August and baptized AirDoS, the issue essentially blocks iOS devices because the share popup keeps showing up on the screen no matter what action the user takes.

Locking and unlocking the device doesn’t make any difference, as the popup would be displayed again once the user reaches the home screen.

If AirDrop is configured to allow files from “Everyone,” pretty much anyone around you could be the attacker, the researcher explains in an analysis of how the bug works. If “Contacts Only” is configured, then there’s a chance someone in the contact list initiated the attack.

Bug fixes in iOS 13.3 and macOS 10.15.2

The workaround is pretty simple, as you only need to step away from the attacker and exit the range where AirDrop file transfers would work.

“Besides getting away from the attacker, who is also unidentifiable most of the time, you can stop this by turning off AirDrop/WiFi/Bluetooth. This can be done if you can access Control Center from the lock screen but not if you have it disabled. Either way, you can ask Siri to turn off WiFi or Bluetooth. Restarting your device may also give you some time to turn AirDrop off before the attack takes place again,” the researcher explains.

A similar bug also exists on macOS, but in this case the device isn’t locked because users can still interact with the operating system even if the popup is on the screen.

Apple has resolved the bug with the release of iOS 13.3 by introducing a new mechanism that blocks further sharing requests from a specific device after three rejected attempts. Patches have also been released for macOS Catalina 10.15.2, Security Update 2019-002 Mojave and Security Update 2019-007 High Sierra.
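
The per-device limit described above can be modelled on the receiving side as follows. This is an added example, not Apple's code (which the article does not show); the sender IDs, the reset-on-accept rule and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict

MAX_REJECTIONS = 3  # threshold the article gives for iOS 13.3


class ShareRequestThrottle:
    """Receiver-side model: stop prompting for a sender after repeated declines."""

    def __init__(self, max_rejections=MAX_REJECTIONS):
        self.max_rejections = max_rejections
        self.rejections = defaultdict(int)  # sender_id -> declines so far

    def is_blocked(self, sender_id):
        return self.rejections[sender_id] >= self.max_rejections

    def handle_request(self, sender_id, user_accepts):
        """Return 'suppressed', 'accepted' or 'declined' for one incoming request.

        user_accepts is only consulted when a popup would actually be shown.
        """
        if self.is_blocked(sender_id):
            return "suppressed"  # no popup, so the screen stays usable
        if user_accepts(sender_id):
            self.rejections[sender_id] = 0  # assumption: an accept resets the count
            return "accepted"
        self.rejections[sender_id] += 1
        return "declined"


def simulate(requests, accepted_senders, throttle=None):
    """Replay a list of sender IDs; return how many popups each sender caused."""
    throttle = throttle or ShareRequestThrottle()
    popups = defaultdict(int)
    for sender_id in requests:
        outcome = throttle.handle_request(sender_id, lambda s: s in accepted_senders)
        if outcome != "suppressed":
            popups[sender_id] += 1
    return dict(popups)


# Constructed traffic: one sender floods 50 requests, a known sender shares once mid-flood.
SAMPLE = ["dev-A"] * 25 + ["dev-B"] + ["dev-A"] * 25

if __name__ == "__main__":
    print(simulate(SAMPLE, accepted_senders={"dev-B"}))
```

Raising `max_rejections` far above the request count reproduces the unpatched behaviour in this model, where every request from the flooding sender produces a popup.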