Apple has fixed a bug in iOS 13.3, out today, which let anyone temporarily lock users out of their iPhones and iPads by forcing their devices into an inescapable loop.
Kishan Bagaria found a bug in AirDrop, which allows users to share files between iOS devices. He found the bug let him repeatedly send files to all devices able to accept files within wireless range of an attacker.
When a file is received, iOS blocks the display until the file is accepted or rejected. But because iOS didn’t limit the number of file requests a device can accept, an attacker can simply keep sending files again and again, repeatedly displaying the file accept box, which causes the device to get stuck in a loop.
Using an open-source tool, Bagaria could repeatedly send files again and again to not only a specific target in range, but to any device set to accept files within wireless range.
Bagaria calls the bug “AirDoS,” the latter part is short for “denial-of-service,” which effectively denies a user access to their device.
Devices that had their AirDrop setting set to receive files from “Everyone” were mostly at risk. Turning off Bluetooth would effectively prevent the attack, but Bagaria said that the file accept box is so persistent it’s near-impossible to turn off Bluetooth when an attack is under way.
The only other way to stop an attack? “Simply run away,” he said. Once a user is out of wireless range of the attacker, they can turn off Bluetooth.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
“I’m not sure how well this’d work in an airplane,” he joked.
Apple fixed the bug by adding a rate-limit that prevents a barrage of requests over a short period of time. But because the bug wasn’t strictly a security vulnerability, Apple said it would not issue a common vulnerability and exposure (CVE) score, typically associated with security-related issues, instead “publicly acknowledge” Bagaria’s findings in the security advisory.
