With today’s release of iOS 13.3, Apple fixed a bug that let strangers lock up an iPhone or iPad using its file-sharing feature, AirDrop.
According to TechCrunch, the bug was discovered by Kishan Bagaria, who said it could allow someone to send unlimited AirDrop files to an iPhone or iPad, temporarily rendering the device unusable, similar to a denial-of-service attack.
Dubbed “AirDoS”, the bug affected users who had AirDrop set to accept files from “Everyone”. A user could have disabled Bluetooth to stop the flood, but not while the attack was under way, because the incoming notifications were too persistent.
TechCrunch writes, “Apple fixed the bug by adding a rate-limit that prevents a barrage of requests over a short period of time. But because the bug wasn’t strictly a security vulnerability, Apple said it would not issue a common vulnerability and exposure (CVE) score, typically associated with security-related issues, instead ‘publicly acknowledge’ Bagaria’s findings in the security advisory.”
According to Bagaria’s timeline of the issue, he first sent a report to Apple about the bug on August 19 of this year. Apple didn’t respond until Bagaria asked for a status update, on October 3.
Eleven days later, Apple said they would be addressing the issue in iOS 13. One day later, Apple asked Bagaria if he could “withhold public discussion” regarding the bug until iOS 13.3 was released in mid-December.
The Apple support document on the security content of iOS 13.3 says near the bottom under the heading ‘Accounts’, “We would like to acknowledge Kishan Bagaria (KishanBagaria.com) and Tom Snelling of Loughborough University for their assistance.”