Apple engineers this week fixed a vulnerability that made it possible to render iPhones and iPads practically unusable, because the devices constantly displayed a pop-up message.
The denial of service (DoS) problem was discovered by researcher Kishan Bagaria, who called the attack method AirDoS since it is directly related to the use of the AirDrop function. Let me remind you that AirDrop allows users of iPhone, iPad, Mac and iPod to share photos, documents and other types of files with nearby devices via Bluetooth or Wi-Fi.
Bagaria discovered that an attacker could use AirDrop to endlessly spam all nearby Apple devices. A dialog box would appear on the screen regardless of how many times the user pressed the Accept or Reject buttons. The attack would continue even after the user locked and unlocked the device. A PoC video demonstrating the problem in action can be seen below.
The AirDoS attack worked against any device on which the user had configured AirDrop to accept files from everyone. If AirDrop was set to accept files only from the contact list, the attacker had to be on the victim’s contact list for the attack to work.
The researcher writes that AirDoS also worked against macOS-based devices, although the impact was less serious, since the AirDrop dialog box does not block the user interface, and the victim can easily turn off Wi-Fi or Bluetooth. Also, the attack could be stopped simply by moving out of range of the attacking device. On iOS and iPadOS, users could stop the attack by disabling Bluetooth and Wi-Fi via Siri or Control Center.
Apple did not assign a CVE identifier to the vulnerability, but fixed the problem in iOS 13.3, iPadOS 13.3 and macOS 10.15.2. The company has implemented a special restriction mechanism, so if a user rejects three AirDrop requests in a row, the OS will automatically reject all subsequent requests from this device.
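The restriction described above can be modelled as a per-sender counter of consecutive rejections. The sketch below is an added illustration, not Apple's code: the sender identifiers, the class and function names, and the choice to reset the counter when a request is accepted are all assumptions.

```python
from collections import defaultdict

DECLINE_LIMIT = 3  # from the article: three rejections in a row


class ShareRequestGate:
    """Hypothetical gate deciding whether a share request may prompt the user."""

    def __init__(self, limit=DECLINE_LIMIT):
        self.limit = limit
        self.streak = defaultdict(int)  # sender id -> consecutive rejections
        self.blocked = set()            # senders that are rejected silently

    def should_prompt(self, sender):
        return sender not in self.blocked

    def record_answer(self, sender, accepted):
        if accepted:
            self.streak[sender] = 0     # assumption: an accept ends the streak
            return
        self.streak[sender] += 1
        if self.streak[sender] >= self.limit:
            self.blocked.add(sender)


def simulate(events, limit=DECLINE_LIMIT):
    """events: (sender, would_accept) pairs in arrival order.

    Returns (prompts shown per sender, requests auto-rejected per sender).
    """
    gate = ShareRequestGate(limit)
    prompts, auto_rejected = defaultdict(int), defaultdict(int)
    for sender, would_accept in events:
        if not gate.should_prompt(sender):
            auto_rejected[sender] += 1  # no dialog reaches the user
            continue
        prompts[sender] += 1
        gate.record_answer(sender, would_accept)
    return dict(prompts), dict(auto_rejected)


# Constructed sample: device-A floods, device-B sends ordinary requests.
SAMPLE = ([("device-A", False)] * 2 + [("device-B", True)]
          + [("device-A", False)] * 50
          + [("device-B", False), ("device-B", True)])

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

Counting per sender means requests from other devices neither reset the flooding device's streak nor get blocked along with it.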