A Breach in AirDrop Allows DoS Attack

Friday, 13 December 2019

A developer discovered a way to execute a DoS attack on iOS via AirDrop. The code allows the attacker to spam all iOS devices in range with an annoying pop-up that shows up endlessly. Its author, Kishan Bagaria, named the project AirDoS.

The code itself uses an open implementation of AirDrop that can send files only to iOS devices that are discoverable by everybody, as Contacts-Only mode requires signed certificates.

Luckily, this vulnerability was kept from the public while the developer was talking to Apple and until the fix was released. The fix is in iOS 13.3 and macOS Catalina 10.15.2.

The finding didn’t receive a CVE tag for some reason, but the developer was recognized on both Apple’s Security Update pages (iOS and macOS).
