“Killer text bomb” crashed iPhones, iPads, Macs, and Apple Watches

Apple has confirmed that it is working on a bug fix that will stop apps like Messages from crashing when they attempt to display a Unicode symbol representing a letter from the south Indian language of Telugu.

The Unicode-based bug has been exploited by juvenile pranksters, who posted app-crashing messages on Twitter, WhatsApp, Instagram, and Facebook, or even changed their screenname to one which contained the symbol.

The symbol, which I won’t repeat here for fear of crashing readers’ apps (trust me.. while writing this article I managed to bork my browser once at twice), can cause iPhones, iPads, Apple Watches and even Apple TV devices to endlessly reboot themselves if received in a notification. If you’re curious there’s a good write-up about it on Mozilla engineer Manish Goregaokar’s blog.

One security researcher demonstrated that it was possible to make macOS network applications crash by creating a Wi-Fi hotspot which included the offending symbol.

Yet another security researcher reported that he had changed his Uber name to the symbol. When he requested a ride, he effectively denial-of-serviced drivers in his area.

Which I’m sure is very funny… if you’re not an Uber driving attempting to earn an honest living.

By Friday evening, Twitter was clearly fed up enough with the abuse that it began to filter out messages using the character:

“This request looks like it might be automated. To protect our users from spam and other malicious activity, we can’t complete this action right now. Please try again later.”

A good step by them, but the only real solution is for Apple to patch its operating systems.

Apple customers have had plenty of encounters with text bombs in the past.

For instance, in 2013 it was found that Macs and iPhones could be crashed by a simple string of Arabic characters, and in 2015 an attack dubbed “Effective Power” saw a sequence of characters allow mischief-makers to remotely reboot iPhones.

And just last month, a malicious link known as the “ChaiOS bug” was found to be capable of crashing devices running iOS and macOS.

Apple rolled out patches for these past vulnerabilities, and it has been confirmed that this latest text bomb has already been fixed in the current beta versions of iOS, macOS, watchOS, and tvOS. So, if you are unable to delete the offending messages, you have a choice – either wait for the next update to iOS or borrow your friend’s Android smartphone.

This is a Security Bloggers Network syndicated blog post authored by Graham Cluley. Read the original post at: HOTforSecurity