Apple fixed a bug in its file-swapping feature AirDrop, Tuesday, which allows nearby hackers to render iPhones and iPads inoperable. The bug opens the door for a type of denial-of-service attack, allowing an attacker to infinitely spam all nearby iPhones and iPads with AirDrop share popup notifications, according to the researcher who found it.
“This share popup blocks the UI so the device owner won’t be able to do anything on the device except Accept/Decline the popup, which will keep reappearing. It will persist even after locking/unlocking the device,” wrote independent researcher Kishan Bagaria in a post outlining his discovery.
The Apple fix was delivered Tuesday along with dozens of other fixes for everything from Apple Watch, iOS and macOS Catalina.
Bagaria is calling the flaw AirDoS, a play on the Apple feature name AirDrop and DoS (Denial of Service). AirDrop is a feature in iOS and macOS that allows the transfer of files using either Wi-Fi or Bluetooth. “When someone shares something with you using AirDrop, you see an alert with a preview. You can tap Accept or Decline,” Apple describes on its support page.
“This bug is still subject to the AirDrop receiving setting, meaning if your AirDrop setting is set to ‘Everyone’, anyone can be the attacker, but if it’s set to ‘Contacts Only’, only someone in your contacts can be the attacker,” Bagaria wrote.
Besides updating to the latest version of iOS 13.3 to fix the issue, Bagaria said users can simply turn off the AirDrop feature in Settings. To stop an active attack, he suggests asking Siri to turn off your iPad or iPhone’s Wi-Fi and Bluetooth radios.
The researcher said he reported the bug to Apple in August and it was fixed in the most recent iOS update (13.3). A proof-of-concept of the attack is posted to GitHub and a video of the attack in action is available on YouTube.
Apple Watch 6.1.0 users are also being urged to update their hardware to the latest 6.1.1 version of the watchOS software after researchers found six high-severity bugs in the mobile operating system.
If left unpatched, Apple cautions attackers could create memory corruption issues on targeted Apple Watches and exploit vulnerabilities to gain system privileges or kernel privileges.
The attack complexity for the six bugs is “low” according to each of the Common Vulnerabilities and Exposure (CVE) descriptions – meaning the attacks would not be hard to execute.
“By using a specially crafted application, an attacker could exploit this vulnerability to gain kernel privileges,” according to the CVE description for the bug tracked as CVE-2019-8828. Like the other watchOS bugs, this memory corruption flaw has a CVSS 3.0 base score of 7.8.
The fix, in all of the watchOS cases, is to upgrade to watchOS 6.1.1.
On Tuesday, Apple also fixed a bevy of issues with its new versions of iOS and macOS.
Fixes include one tied to FaceTime (CVE-2019-8830). The bug, according to Apple, could allow for the processing of a malicious video via FaceTime, which could lead to arbitrary code execution. The bug, found by Natalie Silvanovich of Google Project Zero, is classified as an “out-of-bounds read” flaw that was addressed with improved input validation.
Another bug (CVE-2019-8857) was patched in Apple’s Live Photos feature impacting iOS users of iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later and iPod touch 7th generation. “Live Photo audio and video data may be shared via iCloud links even if Live Photo is disabled in the Share Sheet carousel,” wrote Apple.
Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.