SMS Crashes Thousands of iPhones

Bug in iOS Unicode processing is at the root of the problem

A new form of SMS messaging threat is capable of immediately crashing an iPhone, iPad, or iPod upon opening the message. The message threat comes as a specific string of Arabic characters that can be sent via iMessage or text message. When the message is received it instantly crashes the device and causes it to reboot. Analysis of the mechanism revelas that the attack leverages a glitch in the way Apple’s iOS renders Arabic text.

Apple devices render characters in Unicode – a coding standard that provides a unique number for every character, regardless of platform, program, or language. The problem arises when the OS can’t process a specific string of characters--so, it simply shuts down.  In comparison to the other types of SMS messaging threats, this attack message does not normally exist for monetary gain.

It is a malicious message with a sole focus of corrupting the end user’s device. However, there is a security concern that a hacker can leverage this issue to execute immediate denial of service attacks, and that any business with a heavy reliance on iOS could be targeted and blocked from their own devices within a matter of seconds. SMS attack messages are not new.

In 2010 there was the (in)famous SMS of Death, and even before that there was the Curse of Silence, both types involved messages with particular formatting that would cause the handset to either crash or be unable to receive SMSs.

Apple itself has not been immune to problems with handling of SMS before, in the past it incorrectly displayed the sender of certain types of SMS to be anything that an attacker wanted it to be. But the ease of this vulnerability, not requiring special SMS or telecom skills is what makes it more impactful.

Add new comment