Software updates for the iPhone and iPad are packed with plenty of helpful features. The newest version of Apple's mobile platform keeps going on. Apple released iOS 13 and almost immediately released iOS 13.1 alongside iPadOS. Since the release of iOS 13, iPhones have become faster, smarter and more secure.
With the release of iOS 13.3 update, there are so many reasons why you should update your iPhone. From having better parental control over the screen time for your kids when they are using FaceTime or Message to the addition of support of security keys such as the YubiKey 5Ci. These are not significant updates one would probably appreciate. However, iOS 13.3 is fixing a bug that could let someone nearby lock you out of iPhone by forcing it into an inescapable display blocking loop. This isn't a common vulnerability. An adversary from Apple acknowledges the security researcher who uncovered the bug for his assistance without giving any further details about the fix or the bug involved.
How can a nearby hacker exploit this vulnerability
A report published by TechCrunch suggests that a security researcher by the name of Kishan Bagaria uncovered a bug in the AirDrop file transfer feature that was introduced in iOS 7. The DoS bug which Bagaria calls AirDos enables an attacker to effectively spam any and all nearby iPhones with an AirDrop sharing popup box.
iOS will block the display on the iPhone until the file being sent via the AirDrop service is either accepted or rejected. In a case where the AirDos attacker keeps sending files periodically, it then locks the user out of their device. Locking and unlocking your iPhone will not get you back in either. The persistent AirDos attack makes it frustrating. This attack is not limited to a single targeted iPhone. Bagaria found that he could perform the attack on all iPhones that in within wireless range.
How to mitigate the attack
For the attack to be successful, the target iPhone would need to have the AirDrop settings configured to receive a file from everyone rather than contacts only. You have to set it to contact only. This wouldn't stop someone in your contacts from being able to lock you out of your iPhone. Another way to mitigate this attack is by running away from the range of the hacker. Equally turning off the AirDrop feature or disabling Wi-Fi and Bluetooth. There are some many reasons why you should not leave your Bluetooth on. Also, Bagaria stated that if you have access to your device control centre from the lock screen you can disable Wi-Fi and Bluetooth even when you have been locked out. Using Siri to disable connectivity should also work.
The best solution is to update to iOS 13.3 as this has fixed the bug by applying a rate limit that automatically declines the AirDrop requests after the user has declined three in a row from the same device.