Pierluigi Paganini December 12, 2019

This week, Apple addressed a flaw that can be exploited to trigger a DoS condition (AirDoS) iPhones and iPads by forcing them to continuously display a popup message.

The denial-of-service (DoS) attack was discovered by

The security researcher Kishan Bagaria devised a DoS attack dubbed the AirDoS that works against iPhone, iPad, Mac and iPod.

The AirDoS technique allows to remotely render any nearby iPhone or iPad unusable, it relies on AirDrop feature that allows iPhone, iPad, Mac and iPod users to share photos, documents, map locations, and other types of files with nearby devices via Bluetooth or Wi-Fi.

Bagaria demonstrated that it is possible to use the AirDoS attack to “infinitely spam” all nearby devices with an AirDrop popup.

“I discovered a denial-of-service bug in iOS that I’m calling AirDoS which lets an attacker infinitely spam all nearby iOS devices with the AirDrop share popup. This share popup blocks the UI so the device owner won’t be able to do anything on the device except Accept/Decline the popup, which will keep reappearing. It will persist even after locking/unlocking the device.” wrote the expert.

The expert discovered that it was possible to force nearby devices to continuously display a dialog box on their screen regardless of how many times the user presses the Accept or Decline buttons. The expert pointed out that the attack will continue even after the user locks and unlocks the device.

The attack works only if the AirDrop setting is set to “Everyone”, while if the user has set to “Contacts Only”, the issue could be exploited only by someone in his contacts.

To stop the attack, the victim needs to get out of range from the attacking device or turn off AirDrop/WiFi/Bluetooth.

“This can be done if you can access from the lock not if you have it disabled. Either way, you can ask Siri to turn off WiFi or Bluetooth. Restarting your device may also give you some time to turn AirDrop off before the attack takes place again.” continues Bagaria.

On iOS and iPadOS, users can stop an attack by disabling Bluetooth and Wi-Fi via Siri or the Control Center, but it works only if it is enabled.

To prevent this type of attack the expert suggests to turn on AirDrop only when you need it and don’t set it to “Everyone”.

The expert reported the bug to Apple in August 2019, the tech giant addressed it with the release of iOS 13.3, iPadOS 13.3, and macOS 10.15.2. Apple implemented a rate limit, this means that after declining the same device 3 times, iOS will automatically decline any subsequent requests.

Bagaria posted a PoC exploit on GitHub and the following video PoC of the attack:

Pierluigi Paganini

(SecurityAffairs – AirDoS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]