Apple has fixed a bug in iOS 13.3, out today, which let anyone temporarily lock users out of their iPhones and iPads by forcing their devices into an inescapable loop.
Kishan Bagaria found a bug in AirDrop, which allows users to share files between iOS devices. He found the bug let him repeatedly send files to all devices able to accept files within wireless range of an attacker.
When a file is received, iOS blocks the display until the file is accepted or rejected. But because iOS didn’t limit the number of file requests a device can accept, an attacker can simply keep sending files again and again, repeatedly displaying the file accept box, which causes the device to get stuck in a loop.
Using an open-source tool, Bagaria could repeatedly send files again and again to not only a specific target in range, but to any device set to accept files within wireless range.
Bagaria calls the bug “AirDoS,” the latter part is short for “denial-of-service,” which effectively denies a user access to their device.
Devices that had their AirDrop setting set to receive files from “Everyone” were mostly at risk. Turning off Bluetooth would effectively prevent the attack, but Bagaria said that the file accept box is so persistent it’s near-impossible to turn off Bluetooth when an attack is under way.
The only other way to stop an attack? “Simply run away,” he said. Once a user is out of wireless range of the attacker, they can turn off Bluetooth.
“I’m not sure how well this’d work in an airplane,” he joked.
Apple fixed the bug by adding a rate-limit that prevents a barrage of requests over a short period of time. But because the bug wasn’t strictly a security vulnerability, Apple said it would not issue a common vulnerability and exposure (CVE) score, typically associated with security-related issues, instead “publicly acknowledge” Bagaria’s findings in the security advisory.