AirDrop Vulnerability Allowed DoS Attacks on iPhone and iPad

This week, Apple engineers fixed a vulnerability that could render iPhones and iPads nearly unusable by causing the devices to display a constant pop-up message. The denial-of-service (DoS) issue was discovered by researcher Kishan Bagaria, who named the attack method “AirDoS” because it directly involved the AirDrop feature.

AirDrop allows users of iPhone, iPad, Mac, and iPod to share photos, documents, and other types of files with nearby devices via Bluetooth or Wi-Fi. Bagaria found that an attacker could use AirDrop to endlessly spam all nearby Apple devices. The pop-up dialog would appear on the screen no matter how many times the user pressed “Accept” or “Decline.” The attack would continue even after the user locked and unlocked the device. A proof-of-concept video demonstrating the issue was also released.

How the AirDoS Attack Worked

The AirDoS attack worked against any device where AirDrop was set to receive files from everyone. If file sharing was limited to contacts only, the attacker needed to be in the victim’s contact list for the attack to work.

According to the researcher, AirDoS also affected macOS devices, but the impact was less severe because the AirDrop dialog does not block the user interface, allowing the victim to easily turn off Wi-Fi or Bluetooth. The attack could also be stopped simply by leaving the range of the attacker’s device. On iOS and iPadOS, users could halt the attack by disabling Bluetooth and Wi-Fi through Siri or the Control Center.

Apple’s Response and Fix

Apple did not assign a CVE identifier to this vulnerability but fixed the issue in iOS 13.3, iPadOS 13.3, and macOS 10.15.2. The company implemented a special limiting mechanism: if a user declines three AirDrop requests in a row, the operating system will automatically reject all subsequent requests from that device.
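The limiting mechanism described above can be modelled as a small per-sender state machine: count consecutive declines, reset the count on an accept, and stop prompting the user once the count reaches three. The following Python is an added illustration written for this page, not Apple's code; the class and function names (`AirDropRequestFilter`, `simulate_requests`) and the sender identifiers are assumptions, and the threshold of three consecutive declines is taken from the article's description of the fix.

```python
"""Illustrative model of a consecutive-decline limiter for AirDrop-style
share requests. Added example; the names here are assumptions, not Apple's
API. Only the "three declines in a row" rule comes from the article."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DECLINE_THRESHOLD = 3  # consecutive declines before a sender is blocked


@dataclass
class SenderState:
    """Per-sender bookkeeping kept by the receiving device."""
    consecutive_declines: int = 0
    blocked: bool = False


@dataclass
class AirDropRequestFilter:
    """Tracks decline streaks per sender and auto-rejects once blocked."""
    threshold: int = DECLINE_THRESHOLD
    senders: Dict[str, SenderState] = field(default_factory=dict)

    def should_prompt(self, sender_id: str) -> bool:
        """True if the user should see a dialog for this sender.
        A blocked sender is rejected silently, which is what removes the
        endless pop-up loop: the attacker can keep sending, but nothing
        reaches the screen."""
        state = self.senders.setdefault(sender_id, SenderState())
        return not state.blocked

    def record_decision(self, sender_id: str, accepted: bool) -> bool:
        """Record the user's Accept/Decline; return True if the sender is
        now blocked. An accept resets the streak, so three declines spread
        across genuine transfers do not block a legitimate peer."""
        state = self.senders.setdefault(sender_id, SenderState())
        if accepted:
            state.consecutive_declines = 0
        else:
            state.consecutive_declines += 1
            if state.consecutive_declines >= self.threshold:
                state.blocked = True
        return state.blocked


def simulate_requests(
    flt: AirDropRequestFilter,
    sender_id: str,
    attempts: int,
    decisions: Optional[List[bool]] = None,
) -> dict:
    """Replay `attempts` share requests from one sender (constructed input).
    `decisions` lists the user's answers to the dialogs that are shown,
    True = Accept, False = Decline; any missing answer defaults to Decline,
    which is the realistic response to unwanted spam."""
    answers = list(decisions or [])
    prompted = silently_rejected = 0
    for _ in range(attempts):
        if flt.should_prompt(sender_id):
            prompted += 1
            accepted = answers.pop(0) if answers else False
            flt.record_decision(sender_id, accepted)
        else:
            silently_rejected += 1
    state = flt.senders[sender_id]
    return {
        "prompted": prompted,
        "silently_rejected": silently_rejected,
        "blocked": state.blocked,
        "streak": state.consecutive_declines,
    }


if __name__ == "__main__":
    # Spam burst: the user only ever sees three dialogs, the rest are dropped.
    print(simulate_requests(AirDropRequestFilter(), "spammer", 10))
    # Legitimate peer: an accept in the middle resets the decline streak.
    print(simulate_requests(AirDropRequestFilter(), "colleague", 4,
                            decisions=[False, False, True, False]))
```

The simulation shows the two properties that matter for this fix: a flood of requests produces at most three dialogs before the sender is silently rejected, and a single accept resets the counter so that ordinary use (declining a couple of unwanted photos, then accepting a document) never locks out a real contact. The block is per sender, so one spamming peer does not affect prompts from anyone else.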
