Over the past 18 hours, we have seen a new form of SMS messaging attack that immediately crashes your iPhone, iPad or iPod upon opening the message. The message comes as a specific string of Arabic characters that can be sent by anyone via iMessage or text message.
The Arabic string responsible is:
لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ 冗
Reddit users discovered the bug this morning and since then it seems to be spreading around the globe. When the message is received it instantly crashes the device and causes it to reboot, according to news reports it appears that the attack is a glitch in the way Apple’s iOS renders Arabic text. Apple devices render characters in Unicode – a coding standard that provides a unique number for every character, regardless of platform, program, or language - making it easier for them to display and process the thousands of different characters from across the world. Basically, the problem arises when they can’t process a specific string of characters; this bug is uninterpretable and because the operating system cannot understand and decide how to decode it, it simply shuts down. Reddit reports that its due to how: the banner notifications process the Unicode text. The banner attempts to present the incoming text and then gives up. The solution of course, is for Apple to issue an update to the iOS so that they don't react in this manner.
As the problem is on-going, we implemented blocking of these types of messages in our customer operator base, to ensure that subscribers would not be affected. As may have been predicted, it looks like many people have jumped on this opportunity to cause problems for their contacts. So far today in North America alone, we've detected and blocked many tens of thousands of people attempt to send over a quarter of a million of these SMS messages to their 'friends'. The volumes in some cases are staggering, in one case one individual attempted to send the message nearly 900 times in a 30 minutes period!. While the vast majority of these are probably pranksters, one security concern here is that a hacker can leverage this issue to execute immediate denial of service attacks, and that any business with a heavy reliance on iOS could be targeted and blocked from their own devices within a matter of seconds.
While we continue to block and track the scale of attempted mis-use of these messages, some good information has been shared on how to deal with the message if you receive it. When the text message is displayed by a banner alert or a notification on the lock screen it immediately crashes your device. In order to regain access to your device, the Verge has reported that you need to respond to the sender. If the message was sent from one iMessage user to another (and you own a Mac), you can log into your iMessages on your computer and send a reply. If your iPhone is the only Apple device you have, you can send a reply through the share sheet – this is the box that comes up enabling you to share a photo or link through mail, iCloud, or messaging.
The final workaround is requesting that the person who sent you the malicious message send another message, effectively cancelling out the malicious strand.
In comparison to the other types of SMS messaging threats, like bank phishing attacks, that we normally see, this specific type of messages is termed an attack message and does not normally exist for monetary gain – it is a malicious message with a sole focus of corrupting the end user’s device. These types of SMS attack messages have existed before of course - all with somewhat scary titles. In 2010 there was the (in)famous SMS of Death, and even before that there was the Curse of Silence, both types involved messages with particular formatting that would cause the handset to either crash or be unable to receive SMSs . Apple itself has not been immune to problems with handling of SMS before, in the past it incorrectly displayed the sender of certain types of SMS to be anything that an attacker wanted it to be. But the ease of this vulnerability, not requiring special SMS or telecom skills is what makes it more impactful.
While we wait for Apple to make an update that will deal with this issue, we’re continue to monitor and block these malicious messages within our customer base. One thing is for certain - based on what we have seen - the number of people receiving this message are going to be very large, and the impact sizable.
Many thanks to Jessie Power for contributing to this blog