It has been reported that Apple has fixed a bug in iOS 13.3, out yesterday, which let anyone temporarily lock users out of their iPhones and iPads by forcing their devices into an inescapable loop. Kishan Bagaria found a bug in AirDrop, which allows users to share files between iOS devices. He found the bug let him repeatedly send files to all devices able to accept files within wireless range of an attacker. When a file is received, iOS blocks the display until the file is accepted or rejected. But because iOS didn’t limit the number of file requests a device can accept, an attacker can simply keep sending files again and again, repeatedly displaying the file accept box, which causes the device to get stuck in a loop.
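The missing limit described above can be modelled as a small gate in front of the blocking accept prompt. This is an added sketch, not Apple's code or its actual fix in iOS 13.3; the `PromptGate` class, its thresholds, the sender labels and the request timeline are all constructed for illustration.

```python
from collections import deque

class PromptGate:
    """Hypothetical limiter deciding whether a share request may raise a blocking prompt."""

    def __init__(self, max_prompts=3, window_ms=60_000, decline_cooldown_ms=30_000):
        self.max_prompts = max_prompts            # global cap on prompts per window
        self.window_ms = window_ms
        self.decline_cooldown_ms = decline_cooldown_ms
        self._shown = deque()                     # timestamps of prompts already shown
        self._muted_until = {}                    # sender -> time until requests are dropped

    def allow(self, sender, now_ms):
        # Forget prompts that have aged out of the sliding window.
        while self._shown and now_ms - self._shown[0] >= self.window_ms:
            self._shown.popleft()
        if self._muted_until.get(sender, -1) > now_ms:
            return False                          # sender was recently declined
        if len(self._shown) >= self.max_prompts:
            return False                          # too many prompts overall
        self._shown.append(now_ms)
        return True

    def declined(self, sender, now_ms):
        # A declined request silences that sender for the cooldown period.
        self._muted_until[sender] = now_ms + self.decline_cooldown_ms

def prompts_shown(requests, gate=None):
    """Return the (time_ms, sender) requests that reach the screen.

    Assumes the user declines every prompt. gate=None models the
    unlimited behaviour the article describes.
    """
    shown = []
    for now_ms, sender in requests:
        if gate is None or gate.allow(sender, now_ms):
            shown.append((now_ms, sender))
            if gate is not None:
                gate.declined(sender, now_ms)
    return shown

# Constructed timeline: one sender repeats a request every 100 ms for 60 s,
# while a second sender makes a single request at t = 45 s.
REQUESTS = sorted([(i * 100, "sender-A") for i in range(600)] + [(45_000, "sender-B")])

if __name__ == "__main__":
    print("no limit:", len(prompts_shown(REQUESTS)), "blocking prompts")
    print("gated:   ", prompts_shown(REQUESTS, PromptGate()))
```

Without the gate every one of the 601 requests blocks the display; with it, the repeated sender is held to one prompt per cooldown and the single request from the other sender still gets through.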
Software security is all about protecting confidentiality, integrity, and availability. In this case, the convenience of the AirDrop feature is hijacked to deny the availability of the entire iPhone. Given the complexity of iOS and the app ecosystem, it’s inevitable that vulnerabilities such as this will continue to be found and fixed. For manufacturers such as Apple, finding and fixing as many vulnerabilities as possible before release is ideal. Some vulnerabilities will always remain undetected, however, so it is important to respond promptly. If there is a silver lining for this vulnerability, it’s that it requires physical proximity, which at least means you cannot be attacked from anywhere on the Internet. As users, the best way to protect yourself is to be diligent about installing updates.