AirBomb - AirDrop denial of service

Published 2019-12-10

AirDrop denial of service attack rendering an iOS device unusable until restarted.

One Sunday a couple of months ago, I was sitting on a train when all of a sudden my iPhone, and many other iPhones around me, all started pinging at the same time with the AirDrop request notification. After denying the request, it instantly popped up again, and again, and again... rendering the affected devices unusable. Even after restarting the device, the attack would start again.

After experiencing this first hand, I had a go at recreating the same attack. It was trivial - using OpenDrop, a macOS or Linux user can send and receive files via the command line using the AirDrop protocol that all iOS devices support.

Once OpenDrop is set up, the attack is as simple as running:

$ opendrop find

to find the ID of the iOS device to attack, and then:

$ while true; do opendrop send -r <DEVICE_ID> -f <FILENAME>; done

to force an endless stream of AirDrop request messages on the device.

Using multi-threading it’s simple to run the same attack against all devices that were found in the first step.

I emailed Apple product security and after some back-and-forth a patch was introduced in the iOS 13.3 beta, whereby a device will automatically start declining requests from the same device after 3 have been manually declined.
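
The patched behaviour described above, modelled as an added example (not code from the original post and not Apple's implementation). The sender identifier, the class and function names, and the choice that accepted requests do not change the decline count are assumptions; the request list is constructed.

```python
from collections import Counter

DECLINE_THRESHOLD = 3  # from the post: auto-decline after 3 manual declines


class AirDropReceiver:
    """Toy model of the receiver-side policy (hypothetical, for illustration)."""

    def __init__(self, threshold=DECLINE_THRESHOLD):
        self.threshold = threshold
        self.manual_declines = Counter()  # sender_id -> manual declines so far
        self.prompts_shown = Counter()    # sender_id -> prompts the user saw

    def handle_request(self, sender_id, user_accepts=False):
        """Return 'auto_declined', 'declined' or 'accepted' for one request."""
        if self.manual_declines[sender_id] >= self.threshold:
            # Threshold reached for this sender: decline without prompting.
            return "auto_declined"
        self.prompts_shown[sender_id] += 1
        if user_accepts:
            return "accepted"  # assumption: an accept leaves the count unchanged
        self.manual_declines[sender_id] += 1
        return "declined"


def simulate(requests, threshold=DECLINE_THRESHOLD):
    """Feed (sender_id, user_accepts) tuples through a fresh receiver.

    Returns (prompts shown per sender, list of per-request outcomes).
    """
    rx = AirDropReceiver(threshold)
    outcomes = [rx.handle_request(sender, accepts) for sender, accepts in requests]
    return dict(rx.prompts_shown), outcomes


# Constructed input: one sender repeats 50 requests that the user declines,
# then an unrelated sender sends one request that the user accepts.
SAMPLE = [("sender-A", False)] * 50 + [("sender-B", True)]

if __name__ == "__main__":
    prompts, outcomes = simulate(SAMPLE)
    print("prompts shown per sender:", prompts)
    print("outcomes:", dict(Counter(outcomes)))
```

With this policy the user sees a bounded number of prompts per sender, and requests from other senders are still presented normally.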

Timeline:

See also: About the security content of iOS 13.3 and iPadOS 13.3.

Want to get in touch? You can email me at hello@tdjs.tech or message me via Twitter at @tdjsnelling.