Apple has released iOS 13.3 and iPadOS 13.3 to the public. Along with the new features and customization options, the update includes a significant security fix for an AirDrop bug that allowed attackers to remotely lock up any nearby iPad or iPhone.
The bug in AirDrop was discovered by Kishan Bagaria, who reported it in August. He found that an attacker could repeatedly send files to every device within wireless range, forcing each device to prompt its owner to accept the file. Apple stated that it was working on a fix and asked him not to disclose the issue until the iOS update was released.
Bagaria named the bug “AirDoS”, short for “denial-of-service”, because it effectively locked users out of their own device.
iPhones with AirDrop set to receive files from “Everyone” were at the greatest risk. Turning off Bluetooth would stop the attack, but he noted that the file-accept dialog is so persistent that it is almost impossible to reach the setting while an attack is underway.
Bagaria further asserted that the only remaining way to stop the attack is “simply running away.” Once a user is out of the attacker's wireless range, they can quickly turn off Bluetooth.
Apple fixed the bug in AirDrop by adding a rate limit that blocks repeated requests over a short period. The bug was not assigned a vulnerabilities-and-exposures (CVE) number, which is usually given to security issues; instead it appears as a “publicly acknowledged” finding in Apple's security advisory.
Kishan Bagaria described the “denial-of-service” vulnerability as follows:
“I discovered a denial-of-service bug in iOS that I’m calling AirDoS that lets an attacker infinitely spam all nearby iOS devices with the AirDrop share popup. This share popup blocks the UI so the device owner won’t be able to do anything on the device except Accept/Decline the popup, which will keep reappearing. It will persist even after locking/unlocking the device.”
iOS 13.3 fixes this bug in AirDrop. Bagaria added that Apple's solution is to impose a rate limit: after the user declines AirDrop requests from the same device three consecutive times, the device automatically rejects any subsequent requests from it.
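The following is an added illustration of the rate-limit behaviour described above, not Apple's code: a per-sender gate that shows the accept/decline prompt until the user has declined the same sender three times in a row, then silently rejects further requests. The `cooldown_s` reset window and the sender identifier are assumptions; the article does not say how long the block lasts or how senders are keyed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class AirDropGate:
    """Per-sender rate limit modelled on the described AirDoS fix.

    After `max_declines` consecutive declines from one sender, further share
    requests from that sender are rejected without raising the dialog.
    `cooldown_s` (how long the auto-reject lasts) is an assumption.
    """
    max_declines: int = 3
    cooldown_s: float = 60.0
    _declines: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    _blocked_until: Dict[str, float] = field(default_factory=dict)

    def on_request(self, sender_id: str, now: float) -> str:
        """Return 'prompt' (show accept/decline) or 'auto_reject'."""
        until = self._blocked_until.get(sender_id)
        if until is not None:
            if now < until:
                return "auto_reject"
            # Cooldown expired: forget the block and start counting again.
            del self._blocked_until[sender_id]
            self._declines[sender_id] = 0
        return "prompt"

    def on_user_response(self, sender_id: str, accepted: bool, now: float) -> None:
        """Record the user's answer to a prompt that was actually shown."""
        if accepted:
            self._declines[sender_id] = 0  # an accept resets the streak
            return
        self._declines[sender_id] += 1
        if self._declines[sender_id] >= self.max_declines:
            self._blocked_until[sender_id] = now + self.cooldown_s


def simulate_flood(n_requests: int, gate: Optional[AirDropGate] = None) -> Dict[str, int]:
    """Constructed scenario: one sender fires n_requests share requests, one per
    second, and the user declines every prompt. Returns how many dialogs the
    user actually saw versus how many requests were dropped silently."""
    gate = gate or AirDropGate()
    seen = {"prompt": 0, "auto_reject": 0}
    for t in range(n_requests):
        decision = gate.on_request("flooding-sender", now=float(t))
        seen[decision] += 1
        if decision == "prompt":
            gate.on_user_response("flooding-sender", accepted=False, now=float(t))
    return seen
```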