
MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,203
13,842



There was a serious AirDrop bug in iOS 13.2.3 that let attackers overwhelm nearby iPhones with files, causing them to lock up, reports TechCrunch. Apple addressed the bug in the iOS 13.3 update, and the details of how it works are now public.

AirDrop is designed to allow users to share files with one another, and depending on settings, it can be restricted to contacts, no one, or any nearby iPhone. Kishan Bagaria discovered the AirDrop bug in iOS 13.2.3, finding that he could lock up nearby iPhones that were able to accept files by flooding them with multiple files in a row.


When receiving an AirDrop file, an iPhone or iPad blocks the display until the incoming request is accepted or rejected. iOS did not limit the number of requests that a device can accept, so with repeated message requests, an attacker was able to send files over and over again to cause the iOS device to get stuck in a loop.

Devices with AirDrop set to "Everyone" were primarily vulnerable to the attack, which is not the default AirDrop setting. AirDrop is limited to Contacts, and the "Everyone" setting must be manually enabled.

As of now, though, the bug no longer works and Apple has limited the number of AirDrop messages that can be sent to an iOS device in quick succession. Given that this wasn't a traditional security vulnerability, Apple will not provide a common vulnerability and CVE score, but has instead acknowledged it in a separate section of the security support document.

Article Link: Now-Fixed AirDrop Bug Let Anyone Lock-Up Nearby iPhones With Flood of Files
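
A receiver-side model of the limit described in the article, added here as an example; it is not code from the article, from the researcher, or from Apple. The class name, the receive modes as strings, and the threshold values are assumptions, since the page does not state the limits Apple chose.

```python
from collections import deque

# All names and thresholds below are assumptions for illustration; the page
# does not state the limits Apple chose in iOS 13.3.
MAX_PROMPTS = 3        # prompts allowed per window, device-wide
WINDOW_SECONDS = 10.0  # length of the sliding window


class ShareReceiver:
    """Toy model of a receiver that shows a blocking prompt per request."""

    def __init__(self, mode="contacts", contacts=(), throttled=True):
        self.mode = mode                  # "off", "contacts" or "everyone"
        self.contacts = set(contacts)
        self.throttled = throttled        # False models the pre-fix behaviour
        self._recent = deque()            # timestamps of prompts shown

    def _discoverable_to(self, sender):
        if self.mode == "everyone":
            return True
        return self.mode == "contacts" and sender in self.contacts

    def on_request(self, sender, now):
        """Return 'prompt', 'dropped' or 'ignored' for one incoming request."""
        if not self._discoverable_to(sender):
            return "ignored"
        # Expire prompts that have left the sliding window.
        while self._recent and now - self._recent[0] >= WINDOW_SECONDS:
            self._recent.popleft()
        # Device-wide limit: changing the sender name does not reset it.
        if self.throttled and len(self._recent) >= MAX_PROMPTS:
            return "dropped"
        self._recent.append(now)
        return "prompt"


def count_prompts(receiver, requests):
    """Count how many blocking prompts a request sequence produces."""
    return sum(receiver.on_request(s, t) == "prompt" for s, t in requests)


# Constructed sample: 50 requests in 5 seconds from rotating sender names.
FLOOD = [(f"device-{i % 5}", i * 0.1) for i in range(50)]

if __name__ == "__main__":
    print("no limit  :", count_prompts(ShareReceiver("everyone", throttled=False), FLOOD))
    print("throttled :", count_prompts(ShareReceiver("everyone"), FLOOD))
    print("contacts  :", count_prompts(ShareReceiver("contacts"), FLOOD))
```

The limit is kept per device rather than per sender because the sender name is chosen by the sending device, so a per-sender counter alone would not bound the number of prompts.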
 

SVTmaniac

macrumors 6502
Jan 30, 2013
369
408
I don't know if I'd call it serious. More of an inconvenience if anything. First off you'd have to be dumb enough to leave your airdrop set to everyone and then someone would have to know about the bug to send files that basically annoy you more than anything. Not like they get data off your phone or cause it to brick.
 
Comment

sdf

macrumors 6502
Jan 29, 2004
419
356
I'm surprised how often security bugs get CVE identifiers, but it's really not required. Odd that it's acknowledged under an Accounts heading. Doesn't seem account related?
I don't know if I'd call it serious.

Serious-ish. :) I agree that having to set AirDrop receiving to Everyone is a huge mitigation. Only time I ever set that I change it back right after. I wish the switch to Everyone was "Everyone (for one minute)" or something like that.
 
Comment

Nabby

macrumors regular
Jul 10, 2008
192
58
Shoot now I can’t mess with people in public like I used to do
This is how my teenage son passes the time while waiting in public... He will look for "open" AirDrop iPhones and send a picture of a fish. He doesn't flood the phone, just sends it once, and then looks to see who might have noticed. He now has learned to change his phone name when someone saw the picture was from "Joe's iPhone" and called out "Joe" looking for who might respond. :)

It's amazing the number of people you find who have AirDrop wide open at a place like Disney. :rolleyes:
 
Comment

lkrupp

macrumors 65816
Jul 24, 2004
1,148
1,906
So where and when did these attackers flood iPhones with files and lock them up? In your dreams or did it actually happen? As with almost all of these “serious” bugs it’s all theoretical and never happens in the real world.
 
Comment

roguedaemon

macrumors member
Apr 16, 2015
35
198
Here’s a suggestion; make the AirDrop dialogue more versatile.
It’s just that one popover layer that forces you to interact with it.
That’s ok I guess, but if you get sent multiple files, which one gets priority?

I propose a new dialog which appears at the top of the screen like a normal notification. Once interacted with, it would show you all incoming connections, what they are and whether you want to accept or reject each transfer. More complicated but I think if done in the Apple way would be simple and useable.

What do you lads and ladies think?
 
  • Like
Reactions: MacNeb
Comment

DeepIn2U

macrumors G3
May 30, 2002
8,548
3,213
Toronto, Ontario, Canada
Shoot now I can’t mess with people in public like I used to do

LOL ... reminds me of 'bluetooth wardriving' way back in 2002. Go Transit .... key up a message on my Ericsson "Evening ... if you receive this message bring it to the driver for a month of free travel anywhere in the GTA" LMAO ... some cat in 1 min jumped up and spoke to the driver for a lengthy 20 mins LMAO! Nowadays kids would flood you with eggplant emoji (yet not the vegetable nor the emoji) :( fine lines between tomfoolery vs harassment.
 
  • Like
Reactions: iapplelove
Comment

MacBH928

Contributor
May 17, 2008
5,656
2,274
ahh...the old Windows 98 pop-up trick, strikes again.

AirDrop is great technology, I wish more people used it. I hardly hear of anyone who does, especially since it is Apple only.
 
  • Like
Reactions: GalileoSeven
Comment

gnasher729

macrumors P6
Nov 25, 2005
17,872
5,319
Serious-ish. :) I agree that having to set AirDrop receiving to Everyone is a huge mitigation. Only time I ever set that I change it back right after. I wish the switch to Everyone was "Everyone (for one minute)" or something like that.
Excellent idea.
 
  • Like
Reactions: fredrik9
Comment