Apple released iOS 13.3 and iPadOS 13.3 to the public today. In addition to the new features and customization options we detailed earlier, the update also includes an important security fix for an AirDrop vulnerability that allowed an attacker to “remotely render any nearby iPhone or iPad unusable.”
The vulnerability was discovered by Kishan Bagaria, who reported it to Apple in August. Apple acknowledged that it was working on a fix for the vulnerability in November, and asked that Bagaria not disclose the issue until iOS 13.3 was released to the public.
The denial-of-service bug in question allowed an attacker to spam all nearby iOS devices with files via AirDrop. Because the AirDrop popup takes over the full iOS and iPadOS UI, users are forced to either accept or decline the AirDrop request. Therefore, as long as an attacker keeps spamming someone with AirDrop requests, that person can no longer do anything on their iPhone or iPad.
You can see a video of the bug in action below. Here’s how Bagaria describes the denial-of-service bug:
I discovered a denial-of-service bug in iOS that I’m calling AirDoS that lets an attacker infinitely spam all nearby iOS devices with the AirDrop share popup. This share popup actually blocks the UI so the device owner won’t be able to do anything on the device except Accept/Decline the popup, which will keep reappearing. It will persist even after locking/unlocking the device.
iOS 13.3 and iPadOS 13.3, released today, fix this vulnerability. Bagaria says that Apple’s solution was to implement a rate limit. This means that after you decline an AirDrop request from the same device three times, iOS will automatically decline any subsequent requests.
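To make the mitigation concrete, here is a small added model of the rate limit as the article describes it: a per-sender decline counter that stops prompting the user after three declines from the same device. This is example code written for this page, not Apple's implementation; the sender identifiers are constructed, and the choice that an accepted request leaves the counter untouched is an assumption the article does not settle.

```python
from collections import defaultdict

DECLINE_LIMIT = 3  # declines from one sender before auto-declining (per the article)


class AirDropRateLimiter:
    """Per-sender decline counter modelling the iOS 13.3 fix as described."""

    def __init__(self, limit: int = DECLINE_LIMIT):
        self.limit = limit
        self.declines = defaultdict(int)  # sender_id -> times the user declined

    def handle_request(self, sender_id: str, user_accepts: bool) -> str:
        """Return what happens for one incoming request from sender_id.

        'auto_declined': limit reached, no popup is shown at all.
        'prompted_accept' / 'prompted_decline': popup shown, user's choice recorded.
        """
        if self.declines[sender_id] >= self.limit:
            return "auto_declined"
        if user_accepts:
            # Assumption: an accept does not reset the decline count.
            return "prompted_accept"
        self.declines[sender_id] += 1
        return "prompted_decline"


def simulate(events):
    """Run a constructed sequence of (sender_id, user_accepts) through one limiter."""
    limiter = AirDropRateLimiter()
    return [limiter.handle_request(sender, accepts) for sender, accepts in events]


if __name__ == "__main__":
    # Constructed scenario: a spamming device is declined repeatedly while a
    # legitimate device sends one request in between.
    flood = [("spammer-device", False)] * 5 + [("friend-device", True)]
    for sender, outcome in zip([s for s, _ in flood], simulate(flood)):
        print(f"{sender:15} -> {outcome}")
```

After the third decline the spamming sender never produces another popup, while a different sender is still prompted normally.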
You can find the full details of the bug on Bagaria’s blog.