Apple has fixed a bug in iOS 13.3, out today, which let anyone temporarily lock users out of their iPhones and iPads by forcing their devices into an inescapable loop.
Kishan Bagaria found a bug in AirDrop, which lets users share files from one iOS device to another. He found the bug let him repeatedly sent files to all devices able to accept files within wireless range of an attacker.
When a file is received, iOS blocks the display until the file is accepted or rejected. But because iOS didn’t limit the number of file requests a device can accept, an attacker can simply keep sending files again and again, repeatedly displaying the file accept box, causing the device to get stuck in a loop.
Using an open source tool, Bagaria could repeatedly send files again and again to not only a specific target in range, but every device set to accept files in wireless range.
Bagaria calls the bug “AirDoS,” the latter part is short for “denial-of-service,” which effectively denies a user access to their device.
Devices that had their AirDrop setting set to receive files from “Everyone” were mostly at risk. Turning off Bluetooth would effectively prevent the attack. But Bararia said that the file accept box is so persistent it’s near-impossible to turn off Bluetooth when an attack is under way.
The only other way to stop an attack? “Simply run away,” he said. Once a user is out of wireless range of the attacker, they can turn off Bluetooth.
“I’m not sure how well this’d work in an airplane,” he joked.
Apple fixed the bug by adding a rate-limit, preventing a barrage of requests over a short period of time. Because the bug wasn’t strictly a security vulnerability, Apple said it would not issue a common vulnerability and exposure (CVE) score, typically associated with security-related issues, but would “publicly acknowledge” his findings in the security advisory.