iOS text message bug a nuisance, could have broader security implications
An iOS 8 bug in the Messages app causes iPhones to crash and reboot after receiving a specific string of Arabic characters.
An iOS 8 bug in the Messages app that crashes iPhones when a string of Arabic characters are sent in a message, is currently seen as little more than a nuisance with no malicious intent, but the issue could have broader security implications, according to Cathal McDaid, who heads up data intelligence and analytics at AdaptiveMobile.
“The implications of this, is that again, like other software flaws which have gained attention (Venom, Heartbleed), it involves bugs in older software routines which have been undetected until recently,” McDaid said in an email correspondence with SCMagazine.com. “The difference here is that so far there has been no malicious use identified, other than a DoS [denial of service]. But this is in itself a serious result.”
When the string of Arabic characters is sent to an iPhone, it causes the phone to crash and reboot.
So far the threat from this bug has been confined to DoS attacks, launched for “nuisance value,” and does not appear to have been used for unauthorized access or code execution, McDaid noted. “The DoS threat has been raised by the fact that it is relatively easy to implement, it affects how any text is displayed on iPhones (not just SMS, but iMessage, other messaging apps etc), and it seems other Apple devices all also affected.”
McDaid said he was surprised by how frequently the message has been sent. “We detected (and blocked) over a quarter of a million people in America attempted to send these messages, to other phones - in some cases they have sent hundreds or even thousands of messages,” he explained, but noted that the bulk of high-volume senders had “only attempted to send to a small set of receivers – although we have certainly seen some attempts to send to a much wider spread of recipients.”
He also expressed surprise “that vulnerabilities like this still exist in devices.” Pointing to the so-called "Curse of Silence" and "SMS of Death" attacks in 2009 and 2010, respectively, McDaid explained that it has been common knowledge for many years that malicious encoding of SMS/Messaging "may cause problems.”
After Apple's issues before with handling of SMS in 2012 and, a more "relevant" and recent report in 2013 about “Arabic text that caused a very similar issue in the iOS browser,” McDaid said that “it's unexpected and very surprising that the underlying CoreText issues were not addressed then by Apple.”
In a statement sent to 9to5mac.com, Apple said it is “aware of an iMessage issue caused by a specific series of unicode characters and we will make a fix available in a software update.”