The bug, found in the AirDrop file-sharing tool, stems from AirDrop placing no limit on the share alerts another iPhone user can send: the screen stays occupied by the notification until the download is accepted or rejected, giving an attacker ample opportunity to keep spamming a device and thereby block access to it.
“In this case, the convenience of the AirDrop feature is hijacked to deny the availability of the entire iPhone,” said Jonathan Knudsen, senior security strategist at Synopsys. “If there is a silver lining for this vulnerability, it’s that it requires physical proximity, which at least means you cannot be attacked from anywhere on the internet.”
The denial-of-service bug, dubbed AirDoS, “lets an attacker infinitely spam all nearby iOS devices with the AirDrop share popup,” the security researcher who discovered it, Kishan Bagaria, said in a blog post, noting he reported the find to Apple in August but didn’t go public to give the company a chance to issue a fix.
“This share popup blocks the UI so the device owner won’t be able to do anything on the device except Accept/Decline the popup, which will keep reappearing. It will persist even after locking/unlocking the device,” he explained. Bagaria posted a proof of concept after Apple released the update.
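A simulation of the failure mode described above, added here as an illustration and not part of the original article or of Apple’s code: a receiver that turns every inbound share request into a modal prompt, beside one that caps prompts per sender within a sliding window. Peer names, file names, the limit and the window are constructed values.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class ShareRequest:
    sender_id: str   # hypothetical peer identity (constructed)
    filename: str
    ts: float        # seconds since the start of the simulation


class PromptQueue:
    def __init__(self, per_sender_limit=None, window_s=60.0):
        # per_sender_limit=None models the unpatched behaviour: no cap at all.
        self.per_sender_limit = per_sender_limit
        self.window_s = window_s
        self.pending = deque()           # prompts currently blocking the UI
        self.shown_ts = {}               # sender -> deque of prompt timestamps
        self.shown = 0
        self.suppressed = 0

    def offer(self, req):
        """Return True if the request becomes a modal prompt."""
        if self.per_sender_limit is not None:
            hist = self.shown_ts.setdefault(req.sender_id, deque())
            while hist and req.ts - hist[0] > self.window_s:
                hist.popleft()          # forget prompts outside the window
            already_pending = any(p.sender_id == req.sender_id for p in self.pending)
            if already_pending or len(hist) >= self.per_sender_limit:
                self.suppressed += 1    # excess request never reaches the user
                return False
            hist.append(req.ts)
        self.pending.append(req)
        self.shown += 1
        return True

    def decline(self):
        """User taps Decline on the frontmost prompt."""
        if self.pending:
            self.pending.popleft()


def simulate(per_sender_limit):
    """One peer sends 100 requests at 10/s, a second peer sends one; the user
    declines every prompt that appears. Returns (prompts shown, suppressed)."""
    q = PromptQueue(per_sender_limit)
    for i in range(100):
        q.offer(ShareRequest("peer-A", "spam.png", ts=i * 0.1))
        q.decline()
    q.offer(ShareRequest("peer-B", "photo.jpg", ts=11.0))
    q.decline()
    return q.shown, q.suppressed
```

With no cap the user is shown all 101 prompts; with a cap of three per sender per minute the spamming peer gets three prompts and the other peer’s single request still goes through.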
iOS 13.3 fixes the glitch and also leverages the WebAuthn standard to provide native support for security keys in compliance with FIDO. But having so many updates to iOS 13 in such a short period of time stokes concerns that this latest update might prove buggy as well.
“Given the complexity of iOS and the app ecosystem, it’s inevitable that vulnerabilities such as this will continue to be found and fixed,” said Knudsen. “For manufacturers such as Apple, finding and fixing as many vulnerabilities as possible before release is ideal. Some vulnerabilities will always remain undetected, however, so it is important to respond promptly.”