If You Don’t Update To Apple iOS 13.3 You Could Get Locked Out Of Your iPhone


There are lots of reasons why you might want to upgrade your iPhone with the newly released iOS 13.3 update. Maybe you want better parental control over screen time for your kids when they are using FaceTime or Messages. Perhaps the addition of support for security keys such as the YubiKey 5Ci is high on your list. Not as well reported as these feature updates, but far more important it would seem to me, is the small matter of iOS 13.3 fixing a bug that could let someone nearby lock you out of your iPhone by forcing it into an inescapable display-blocking loop. Not as well reported, maybe, because Apple didn't classify this as a security vulnerability worthy of a Common Vulnerabilities and Exposures (CVE) identifier. Instead, Apple's iOS 13.3 security content advisory opted only to acknowledge the security researcher who uncovered the bug for his assistance, without giving any further details about the bug or the fix.

How can a nearby attacker lock you out of your iPhone?

According to a report published by TechCrunch, a security researcher by the name of Kishan Bagaria uncovered a bug in the AirDrop file transfer feature that was introduced in iOS 7. The denial-of-service bug, which Bagaria calls AirDoS, enables an attacker to effectively spam any and all nearby iPhones with an AirDrop sharing popup box.

Here's the thing: iOS blocks the display on the iPhone until the file being sent via AirDrop is either accepted or rejected, so if an AirDoS attacker keeps sending files repeatedly, the user is locked out of their device. Locking and unlocking your iPhone will not get you back in either, as the AirDoS attack is as persistent as it is frustrating.

This popup loop lockout attack is not even limited to a single targeted iPhone. Bagaria found that by using a readily available open-source tool, he could perform the attack on all iPhones that were within wireless range.

AirDrop AirDoS iPhone attack mitigation

Bagaria noted that for the attack to be successful, the target iPhones would need to have the AirDrop settings configured to receive files from "everyone" rather than "contacts only." So there is mitigation number one: set it to contacts only. This wouldn't stop someone in your contacts from being able to lock you out of your iPhone, though.

Bagaria also said that running away will stop the attack, assuming you have the option of getting out of range. Equally effective is turning off the AirDrop feature or disabling Wi-Fi and Bluetooth, which you'd think might be problematic if you are locked out of your iPhone. However, if you have access to the device's Control Centre from the lock screen, it's possible to do so. Using Siri to disable connectivity should also work.

The best solution is to update to iOS 13.3, as this fixes the bug by applying a rate limit that automatically declines further AirDrop requests after the user has declined three in a row from the same device. If your iPhone is compatible with iOS 13.3, then that's the option to use. At least the update will be available, and trouble-free, to users of most recent iOS devices. That contrasts with Android users, who found that the security fix for a recent camera app security threat wasn't readily available for some brand new flagship smartphones, and with Windows 10 users, who were told by Microsoft not to install one update it had just released.
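To make the mitigation concrete, here is a small Python model of the auto-decline rule the article describes. This is an added example, not Apple's code, not from the article, and not from Bagaria's research; the class and function names (`AirDropRequest`, `DeclineRateLimiter`, `simulate`), the sender identifiers, and the exact reset-on-accept behaviour are assumptions built only on the one-sentence description above, and the threshold of three is the figure the article gives.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: the article says further requests are auto-declined after the
# user declines three in a row from the same device.
AUTO_DECLINE_AFTER = 3


@dataclass(frozen=True)
class AirDropRequest:
    """One incoming sharing request (hypothetical model of the prompt)."""
    sender_id: str   # constructed stand-in for the sending device's identity
    filename: str


@dataclass
class DeclineRateLimiter:
    """Per-sender counter of consecutive user declines.

    Once a sender reaches the threshold its requests are declined without
    ever showing a prompt, so the screen-blocking loop cannot be sustained.
    """
    threshold: int = AUTO_DECLINE_AFTER
    consecutive_declines: dict = field(default_factory=lambda: defaultdict(int))

    def should_prompt(self, sender_id: str) -> bool:
        return self.consecutive_declines[sender_id] < self.threshold

    def record_user_decision(self, sender_id: str, accepted: bool) -> None:
        # Assumption: an accept resets the counter for that sender.
        if accepted:
            self.consecutive_declines[sender_id] = 0
        else:
            self.consecutive_declines[sender_id] += 1


def handle_request(limiter: DeclineRateLimiter, req: AirDropRequest, user_decides) -> str:
    """Return 'auto-declined', 'prompted-accepted' or 'prompted-declined'."""
    if not limiter.should_prompt(req.sender_id):
        return "auto-declined"            # no prompt shown, no display blocked
    accepted = user_decides(req)          # the prompt is shown; user answers
    limiter.record_user_decision(req.sender_id, accepted)
    return "prompted-accepted" if accepted else "prompted-declined"


def simulate(requests, user_decides, threshold: int = AUTO_DECLINE_AFTER):
    """Run a sequence of requests through a fresh limiter and list each outcome."""
    limiter = DeclineRateLimiter(threshold)
    return [handle_request(limiter, r, user_decides) for r in requests]


def prompts_shown(outcomes) -> int:
    """How many times the user actually saw a blocking prompt."""
    return sum(1 for o in outcomes if o.startswith("prompted"))


def scripted(decisions):
    """Build a user that answers from a fixed list (True = accept)."""
    it = iter(decisions)
    return lambda req: next(it)


def always_decline(req: AirDropRequest) -> bool:
    return False


# Constructed sample: a flood of five requests from one device, then one
# ordinary request from a different device.
SAMPLE_FLOOD = [AirDropRequest("dev-A", f"spam{i}.jpg") for i in range(5)] + [
    AirDropRequest("dev-B", "photo.jpg")
]

if __name__ == "__main__":
    outcomes = simulate(SAMPLE_FLOOD, always_decline)
    for req, outcome in zip(SAMPLE_FLOOD, outcomes):
        print(f"{req.sender_id:6} {req.filename:10} -> {outcome}")
    print("prompts shown:", prompts_shown(outcomes))
```

In the flood scenario the user sees exactly three prompts from the spamming device and none after that, while the unrelated device still gets a normal prompt. The model says nothing about how the sending device is identified; the article does not describe that, and a limiter keyed on a spoofable identity would be correspondingly weaker, which is why the "contacts only" setting remains a useful complement.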

Jonathan Knudsen, a senior security strategist at Synopsys, said that "given the complexity of iOS and the app ecosystem, it's inevitable that vulnerabilities such as this will continue to be found and fixed." It's not always going to be possible for Apple to uncover vulnerabilities such as AirDoS, even if it does insist it isn't one, before a significant operating system release. I'm concerned that it took quite so long for Apple to address this particular "bug," as Bagaria first reported it in August 2019. The fix was finally made available in the iOS 13.3 public beta 2 release in November. "If there is a silver lining for this vulnerability," Knudsen said, "it's that it requires physical proximity, which at least means you cannot be attacked from anywhere on the internet."
