One of Apple’s drawbacks this week is that iPhones and iPads can not be used by constantly showing a popup message.
Researcher Kishan Bagaria invented the denial-of-service (DoS) attack, which he called the AirDoS approach because it relies on AirDrop.
AIRDROP allows iPhone, iPad, Mac and iPod users, via Bluetooth or Wi-Fi, to share photos, documents and other file types with neighboring phones.
Bagaria has found that the AirDoS attacker can use all nearby iPhones and iPads with an AirDrop popup to “infinitely spam.” The dialog box will continue to show up on the screen, irrespective of how often the user presses Accept or Decline. Even after user locks and unlocks the phone, the attack will continue.
The attack works on all devices which have configured AirDrop to accept files from “Anyone.” The attacker must be on the victim’s contact list if AirDrop is set to “Contacts only.”
Bagaria has said that an attack from AirDoS still works against macOS phones, but the effect is less serious, because the AirDrop dialog doesn’t block the user interface.
Attacks can also be avoided when the attacking system is disabled. Users can stop the attack on iOS and iPadOS by disabling Bluetooth and Wi-Fi via Siri or the control center, if enabled. Attacks can be avoided if AirDrop is not designed to accommodate anybody’s files.
Apple did not give this fault a CVE ID, but it did give Bagaria credit in its advisories. In iOS 13.3, iPadOS 13.3 and macOS 10.15.2, Apple addressed the problem. If you’re using iOS, iPadOS— and possibly also MacOS — Apple has implemented a speed control mechanism, and the operating systems automatically decline all subsequent requests from that device if a user declines three requests from a device.
Bagaria released a proof-of-concept exploit (PoC) and a video that shows how the attack Works.