Now-Fixed AirDrop Bug Let Anyone Lock-Up Nearby iPhones With Flood of Files

Tuesday December 10, 2019 12:19 pm PST by Juli Clover
There was a serious AirDrop bug in iOS 13.2.3 that let attackers overwhelm nearby iPhones with files, causing them to lock up, reports TechCrunch. Apple addressed the bug in the iOS 13.3 update, and the details of how it works are now public.

AirDrop is designed to allow users to share files with one another, and depending on settings, it can be restricted to contacts, no one, or any nearby iPhone. Kishan Bagaria discovered the AirDrop bug in iOS 13.2.3, finding that he could lock up nearby iPhones that were able to accept files by flooding them with multiple files in a row.


When receiving an AirDrop file, an ‌iPhone‌ or iPad blocks the display until the incoming request is accepted or rejected. iOS did not limit the number of requests that a device can accept, so with repeated message requests, an attacker was able to send files over and over again to cause the iOS device to get stuck in a loop.

Devices with AirDrop set to "Everyone" were primarily vulnerable to the attack, which is not the default AirDrop setting. AirDrop is limited to Contacts, and the "Everyone" setting must be manually enabled.

As of now, though, the bug no longer works and Apple has limited the number of AirDrop messages that can be sent to an iOS device in quick succession. Given that this wasn't a traditional security vulnerability, Apple will not provide a common vulnerability and CVE score, but has instead acknowledged it in a separate section of the security support document.

Tag: AirDrop
[ 10 comments ]

Top Rated Comments

(View all)

Avatar
SVTmaniac
6 weeks ago
I don't know if I'd call it serious. More of an inconvenience if anything. First off you'd have to be dumb enough to leave your airdrop set to everyone and then someone would have to know about the bug to send files that basically annoy you more than anything. Not like they get data off your phone or cause it to brick.
Rating: 5 Votes
Avatar
Nabby
6 weeks ago


Shoot now I can’t mess with people in public like I use to do

This is how my teenage son passes the time while waiting in pubic...He will look for "open" AirDrop iPhones and send a picture of a fish. He doesn't flood the phone, just sends it once, and then looks to see who might have noticed. He now has learned to change is phone name when someone saw the picture was from "Joe's iPhone" and called out "Joe" looking for who might respond.:)

It's amazing the number of people you find who have AirDrop wide open at a place like Disney. :rolleyes:
Rating: 5 Votes
Avatar
Jimmy Bubbles
6 weeks ago
Looks like the old concept of IM-bombs hasn't died, only reincarnated. haha!
Rating: 1 Votes
Avatar
MacBH928
6 weeks ago
ahh...the old Windows 98 pop-up trick, strikes again.

Airdrop is great technology, I wish more people used it. I hardly hear anyone does especially that it is Apple only.
Rating: 1 Votes
Avatar
roguedaemon
6 weeks ago
Here’s a suggestion; make the AirDrop dialogue more versatile.
It’s just that one popover layer that forces you to interact with it.
That’s ok I guess, But if you get sent multiple files, which one gets priority?

I propose a new dialog which appears at the top of the screen like a normal notification. Once interacted with, it would show you all incoming connections, what they are and whether you want to accept or reject each transfer. More complicated but I think if done in the Apple way would be simple and useable.

What do you lads and ladies think?
Rating: 1 Votes
Avatar
DeepIn2U
6 weeks ago


Shoot now I can’t mess with people in public like I use to do


LOL ... reminds me of 'bluetooth wardriving' way back in 2002. Go Transit .... key up a message on my Ericsson "Evening ... if you receive this message bring it to the driver for a month of free travel anywhere in the GTA" LMAO ... some cat in 1mins jump up and spoke to the driver for a lengthy 20mins LMAO! Nowadays kids would fled you with eggplant emoji (yet not the vegetable nor the emoji) :( fine lines between tom foolery vs harassment.
Rating: 1 Votes
Avatar
gnasher729
6 weeks ago

Serious-ish. :) I agree that having to set AirDrop receiving to Everyone is a huge mitigation. Only time I ever set that I change it back right after. I wish the switch to Everyone was "Everyone (for one minute)" or something like that.

Excellent idea.
Rating: 1 Votes

[ Read All Comments ]