Following the news that an iOS bug lets people crash others' iPhones by sending them one line of text, Mark James, security specialist at ESET, and Tim Erlin, director of product management at Tripwire, explain how it works and what the user can do.
Mark James, security specialist at ESET: “These types of ‘bugs’ have been around since the birth of operating systems (OS). When the OS tries to interpret something it cannot understand or fully achieve, it has a few options open to it. One of those options is a reboot. I am sure we have all had our desktop machines reboot after a seemingly random event has triggered the dreaded reboot. These mobile computers we call phones today have the same core instructions – if all else fails then reboot. This bug manifests itself when banner notifications are switched on for SMS messages and then displayed on your phone. The resulting action (SMS display) is not able to be fully displayed, thus a reboot is the only option. This does not necessarily mean it’s a security flaw or indeed an exploitable bug, but Apple will nonetheless try and rectify this as soon as they possibly can.”
Tim Erlin, Director of Product Management at Tripwire: “This is essentially a remote denial of service vulnerability, using SMS as the vector. The ability to remotely disable someone’s iPhone could be useful in targeted attacks. Imagine if an organisation's information security team was suddenly unable to communicate while an attack on their organisation was being carried out. There are likely other ways to exploit this vulnerability, though it’s unclear if they might be useful to attackers. The libraries used for parsing text are unlikely to be specific to the messaging app, and so the issue may appear in other places. Time will tell if security researchers or Apple discover them first.”