The Mac Security Blog


Watch Out! This Boobytrapped Text Message Will Turn Off Your iPhone

Posted on May 27th, 2015 by Graham Cluley


If you send a specific string of symbols and Arabic characters to another iPhone user, you can really ruin their day.

The problem, which occurs when you receive a notification of a new iMessage either on a locked iPhone or as a drop-down iOS notification, causes iPhones to restart, and is preventing some users from accessing other legitimate messages that have been sent to them.

The sequence of characters needed to remotely reboot an iPhone was posted on Reddit, and — for understandable reasons — has spread like wildfire across the Internet among iPhone users on social networks.

Twitter users share the malicious iPhone text message

The following YouTube video shows you what happens (so you don’t have to try it for yourself):

The problem appears to be associated with how iOS’s banner notifications and Messages app handle the Unicode characters in the boobytrapped message. Clearly, your poor little iPhone has a brainstorm, not knowing how to handle the display of the non-alphabetical characters properly, and decides the best policy is to quietly fall over, restarting your “smartphone.”

If Apple’s engineers had properly handled the exception error caused by the clearly unexpected Unicode characters, then things would have been a whole lot more graceful.

For anyone who is having trouble getting their iPhone to work again properly, MacRumors has some suggestions on how to get back into your Messages app. Of course, there’s nothing stopping someone from sending you the message again. Sigh…

However, if your iPhone is getting bombarded with the new Unicode crash message, security guru Mikko Hypponen tweeted this recommendation:

This is a salutary reminder that all complex code contains bugs and flaws — some more serious than others — and even a shiny new Apple device may have lurking within it undiscovered vulnerabilities that others could exploit if they were so minded.

According to some reports, the current “message of death” has been present since iOS 6.0. Now, of course, the onus is on Apple’s engineers to release a security update as quickly as possible — before too many people start pranking each other by remotely rebooting iPhones through malicious messages.

If nothing else, as this Twitter user commented, at least it gives everyone who doesn’t own an iPhone a reason not to feel envious of their Apple-loving friends.

Tweet from a non-iPhone user

What makes this somewhat embarrassing for Apple is that it has been bedevilled in the past with problems associated with — yes, you guessed it — Arabic characters crashing devices. In fact, back in August 2013, both iOS and OS X had been vulnerable to just such a flaw.

More recently, Apple released iOS 8.2 earlier this year, fixing another vulnerability that allowed attackers to restart your iPhone with a malicious Flash SMS.

It seems to me that Apple’s team needs to spend a little more time recognising that they have failed to properly handle these kinds of flaws, and that they keep cropping up. Clearly it needs to be more diligent in the future to prevent recurrences.

Apple is surely aware of this latest incarnation of the problem, so don’t be surprised if a security update is rolled out in the near future. But I wonder if it’s the last we’ve heard of this kind of bug?

Update, July 1: Apple rolled out a security update with the release of iOS 8.4, fixing this bug, as well as a wide range of other issues affecting iOS devices. For more details, see: iOS 8.4 Update Fixes Text Message Bug Causing iPhones to Restart.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.