What if you could walk into a room and make every* iPhone or iPad unusable while you're there? Wait, that sounds evil. What if you could get that one annoying person off their iPhone who's always on it?
I discovered a denial-of-service bug in iOS that I'm calling AirDoS which lets an attacker infinitely spam all nearby iOS devices with the AirDrop share popup. This share popup blocks the UI so the device owner won't be able to do anything on the device except Accept/Decline the popup, which will keep reappearing. It will persist even after locking/unlocking the device.
*This bug is still subject to the AirDrop receiving setting, meaning if your AirDrop setting is set to "Everyone", anyone can be the attacker, but if it's set to "Contacts Only", only someone in your contacts can be the attacker.
Besides getting away from the attacker, who is also unidentifiable most of the time, you can stop this by turning off AirDrop/WiFi/Bluetooth. This can be done if you can access Control Center from the lock screen but not if you have it disabled. Either way, you can ask Siri to turn off WiFi or Bluetooth. Restarting your device may also give you some time to turn AirDrop off before the attack takes place again.
I've posted my PoC exploit on GitHub. It supports multiple devices but deliberately doesn't support devices that have their AirDrop receiving setting set to "Contacts Only" to reduce the impact of publicly posting the exploit.
Huge thanks to Milan Stute and Alexander Heinrich, for authoring opendrop which powers the exploit and which originally inspired me to try this out (literally found it after five minutes of playing with opendrop).
macOS shows the AirDrop share popup differently than iOS and doesn't block the UI. An attacker could still send a lot of share requests to spam someone but since the UI is non-blocking, they can easily turn off AirDrop or WiFi/Bluetooth. Here's a video of how it looks like on macOS.
2019-11-15: Apple replied: "We would appreciate it if you can withhold public discussion of this issue until the security update is released to our customers. The security update is currently planned for mid-December 2019."
There are lots of reasons why you might want to upgrade your iPhone with the newly released iOS 13.3 update. Maybe you are concerned about having better parental control over screen time for your kids when they are using FaceTime or Message. Perhaps the addition of support for security keys such as the YubiKey 5Ci is high on your list. Not as well reported as these feature updates, but way more important it would seem to me, is the small matter of iOS 13.3 fixing a bug that could let someone nearby lock you out of your iPhone by forcing it into an inescapable display blocking loop. Not as well reported, maybe, because Apple didn't classify this as a common vulnerability and exposure (CVE) worthy security vulnerability. Instead, the iOS 13.3 security content update advisory from Apple opted to just acknowledge the security researcher who uncovered the bug for his assistance without giving any further details about the fix or the bug involved.
According to a report published by TechCrunch, a security researcher by the name of Kishan Bagaria uncovered a bug in the AirDrop file transfer feature that was introduced in iOS 7. The denial-of-service bug, which Bagaria calls AirDoS, enables an attacker to effectively spam any and all nearby iPhones with an AirDrop sharing popup box.
Here's the thing, because iOS will block the display on the iPhone until the file being sent via the AirDrop service is either accepted or rejected, if an AirDoS attacker keeps sending files repeatedly then this locks the user out of their device. Locking and unlocking your iPhone will not get you back in either, as the AirDoS attack is as persistent as it is frustrating.
This popup loop lockout attack is not even limited to a single targeted iPhone. Bagaria found that by using a readily available open-source tool, he could perform the attack on all iPhones that were within wireless range.
Bagaria noted that for the attack to be successful, the target iPhones would need to have the AirDrop settings configured to receive files from "everyone" rather than "contacts only." So there is mitigation number one, set it to contacts only. This wouldn't stop someone in your contacts from being able to lock you out of your iPhone, though.
Bagaria also said that running away will stop the attack, assuming you have the option of getting out of range that is. Equally effective is turning off the AirDrop feature or disabling Wi-Fi and Bluetooth. Which might be problematical if you are locked out of your iPhone, you'd think. However, if you have access to the device Control Centre from the lock screen, it's possible to do so. Using Siri to disable connectivity should also work.
The best solution is to update to iOS 13.3 as this has fixed the bug by applying a rate limit that automatically declines the AirDrop requests after the user has declined three in a row from the same device. If your iPhone is compatible with iOS 13.3, then it's the option to use. At least the update will be available, and trouble-free, to users of most recent iOS devices. Unlike Android users who found that the security fix for a current camera app security threat wasn't readily available for some brand new flagship smartphones, or Windows 10 users who were told, by Microsoft, not to install one update it had just released.
Jonathan Knudsen, a senior security strategist at Synopsys, said that "given the complexity of iOS and the app ecosystem, it's inevitable that vulnerabilities such as this will continue to be found and fixed." It's not always going to be possible for Apple to uncover vulnerabilities such as AirDoS, even if it does insist it's not one, before a significant operating system release. I'm concerned that it took quite so long for Apple to address this particular "bug" as Bagaria first reported it in August, 2019. The fix was finally made available in the iOS 13.3 public beta 2 release in November. "If there is a silver lining for this vulnerability," Knudsen said, "it's that it requires physical proximity, which at least means you cannot be attacked from anywhere on the internet."
A rugpull is the term that has been popularized to describe the Web3 / DeFi equivalent of what we would call, in traditional financial systems, a Ponzi scheme; a related concept is that of "pumping and dumping". Let's dig into this a bit.
There isn't just one token or cryptocurrency per blockchain. In fact, the Ethereum blockchain has on it an incredible number of cryptocurrencies, and creating a new one is a fairly straightforward procedure. Not only are they easy to create, but you can name them whatever you want, which can make identifying legitimate tokens particularly difficult.
Those who speculate in cryptocurrencies will often engage in 'pumping and dumping', i.e. buying lots of a particular token in order to drive the price up, then selling them for a profit. This simple mechanism is taken to a whole other level when an individual or group of individuals creates a token simply for the purpose of extracting value.
Airdrops have a rich and storied history on Web3, and are a great tool for creators of a new project to get their token into the hands of users, and a great opportunity for Web3 participants to benefit from being present in the ecosystem.
Unfortunately, airdrop scams are an attack vector that are actively being developed, and novel exploits of smart contract code could cause new types of scams to appear. That said, here is a common pattern:
If you notice suspicious items in the 'NFTs' tab that you did not purchase, looking more like an ad than digital art, and informing you that you can claim your airdrop by clicking on the link to their website, do not do what they say. This is an emerging scam method, and the website is most likely phishing for your Secret Recovery Phrase. It's best not to interact with the NFT at all, hide it, or add it to the'suspicious' NFTs list in your Portfolio.
While you should make a habit out of checking the contents of your wallet address on a block explorer, take a deep breath before acting on anything you learn there. Remember: tokens can be faked. Check the issuing smart contract address against the address of the legitimate token. Do your due diligence; you are the custodian of your tokens.
Following up on my post on browser privacysettings, here's a brief rundown of all the knobsI've turned on my iPhone in an attempt to improve mysecurity and privacy on this device. If you haveadditional recommendations, please let me know via email oronTwitter.
Let's go through them in the order the menus areshown under 'Settings'. I'll skip over any submenuthat's not security- or privacy-related. If you wantto play along, unlock your iPhone, tap 'Settings', andthen...
Tap your name to reach settings for Apple ID,iCloud, iTunes & App Store. UnderPassword & Security, enableTwo-Factor Authentication and set aRecovery Key. Store the recovery key in yourpassword manager.
Toggle Bluetooth off. I rarely needBluetooth, and have no problem explicitly turning iton (e.g. via Control Center / swipe-up) when needed.The tricky part here is that OS updates frequentlyre-enableBluetoothagainand again,so periodically check if it's still off. (Here are afewreasonswhy you want it off by default.)
Notifications: I have almost allnotifications turned off. This not only seemslike a much healthier approach to carrying around aconstant-interrupt-machine, but it also avoids leakingprivate information on your lock screen. For appsthat I do allow notifications, I usually have those toonly show previews when unlocked, to not bepersistent, and to have history turned off.
Software Update: always a goodidea to check for updates. I'm subscribed to Apple's security-announcemailing list, so when I get the security advisory, Iusually go and update my phone right away.
795a8134c1