That EVIL TEXT that will CRASH your iPhone: We pop the hood

Cads and/or bounders can crash and reboot iPhones from afar by sending them specially crafted texts, thanks to a new vulnerability in iOS. A 75-byte sequence of Unicode characters triggers the glitch, and can be smuggled into text messages, causing iThings to crash if they appear in the victim's notification screen. Texting …

Andrew Jones 2

Not totally convinced that providing a handy place to grab the text so anyone can send it to all their iPhone-owning friends was the best idea in the world. It only works if it is formatted correctly across multiple lines, so reproducing the text on a single line would have been a better option (IMHO of course).

diodesign
(Written by Reg staff) Silver badge

Sadly, it's already full disclosure.

C.

Anonymous Coward

And that's your defense for publishing it?

asdf
Silver badge

hmm

Worried about that stock price are you?

Anonymous Coward

Full Text

And that's your defense for publishing it?

Isn't that a good enough defence?

The full text is in the wild; it is findable by a Google search, so not publishing it wouldn't achieve much other than forcing the curious to leave El Reg and go to Google to find it.

Publishing it, on the other hand, allows them to properly talk about the problem.

I know which seems better to me.

Destroy All Monsters
Silver badge

And that's your defense for publishing it?

Hey, Obama, don't you have a snooper's charter to push through Congress?

InB4: "Beware the Nam-shub of Enki"

Lyndon Hills 1

Hey, Obama, don't you have a snooper's charter to push through Congress?

Is that the translation of the message?

DJO
Silver badge

Not totally convinced that providing a handy place to grab the text

But it's not: the article has a bitmap of the text, which can't be copied to Unicode. To do that you'd have to know the code for each of the symbols, which, while not impossible, is reasonably tricky, certainly harder than tracking down the offending string from another source, so I'd say there's no harm done in showing the message here.

Jack Faust meets Mephistopheles

Which, if you click it, goes to a pastebin of the offending text.

I, for one, welcome El Reg giving us ammo to annoy our smug iBrethren. We won't send it, we'll just threaten to send it and then sign them up to Kitten facts, like we always do.

Danny 14
Silver badge

We won't send it to many people. I'll test it with (on) colleagues tomorrow.

mastodon't
Gimp

kitten facts sounds awesome

sign me up

erikj

Re: Full Text

My kids and their mates have been gleefully crashing each other's iStuff all week at school -- so I'd say the vulnerability is rather well publicized in the wild. I see it as a digital (and slightly better) equivalent to smashing actual mailboxes -- and possibly just as much of a federal crime. Time to have a fatherly chat.

Google

Just tried sending it to my own iPhone using iMessage. I have a sneaking suspicion Apple is filtering iMessages as it never arrived when other messages did.

Natalie Gritpants

So some good may have come of this. If it forces Apple to admit they have the technology to examine your iMessages before you do it will help people understand their relationship with Apple a little more. Not just Apple bashing, this applies to any message service.

BigFire

The problem is not limited to iMessages. The problem is the notification. It seems to affect anything that can be displayed on the notification screen.

Ian Michael Gumby
Silver badge
Boffin

@Natalie

Clearly you have a limited view on software development and how things work.

Your messages have to be routed to go from you to your friends' iPhones and whatnot.

So of course they have a way to do this.

If you looked at Apple's ecosystem iStore, iCloud, etc ... all features revolve around Apple and they have a lot of potential to snoop if they so desired. It makes a lot of sense from a design perspective, and nothing to get your panties in a twist over.

Now if you wanted to talk about Google... that's a different story.

Anonymous Coward

Re: @Natalie

> Clearly you have a limited view on software development and how things work.

And clearly you have a limited view on telecommunications and how proper systems design works.

For data to be routed, there is no need to have access to the information therein.

Surely, a "how things work"-aware type of person is already familiar with OTR?

45RPM
Silver badge

I'm getting an overpowering sense of déjà vu here. Didn't this, or something very similar, happen last year too?

Anonymous Coward

Off by one error.

"I'm getting an overpowering sense of déjà vu here. Didn't this, or something very similar, happen last year too?"

Yes, but I think you may have an "off by one" error (2013 not 2014). They're my favourites too.

Or maybe it's 2013, 2014, AND 2015.

Either way, wtf?

Link to El Reg 2013 article (from today's article):

http://www.theregister.co.uk/2013/09/04/unicode_of_death_crash/

See also e.g.

http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/

"There's a new bug in town, and it's here to crash your Mac and iPhone applications. Posters in a HackerNews thread from late yesterday have discovered that it's possible to crash Web browsers and other apps running on current versions of iOS and OS X by making them render a specific, nonsensical string of Arabic characters. The title of the HackerNews thread implies that the issue is with the WebKit browser engine, but it actually affects any browser or application that uses Apple's CoreText API to render text. Ars Microsoft Editor Peter Bright has taken great pleasure in sending the text string to his co-workers, which has crashed the Limechat IRC client and Adium chat client, among other programs."

[continues]

h4rm0ny
Silver badge

Yes. A couple of years ago:

http://hexus.net/tech/news/software/59497-simple-arabic-text-string-instantly-crashes-os-x-108-ios-6-apps/

It was exactly what I thought of when I read the story. I wouldn't have thought they'd be caught out like this twice. Apple are usually better than this, but there you go...

Incidentally, El Reg. seem to be giving up any pretence of knowing parody these days and just going for direct Daily Mail style gratuitous sexualisation. Unless I'm missing some subtle relevance to the giant image of a strapless model to this article. Off-topic, yes. But then so is the photo.

Michael Wojcik
Silver badge

Apple are usually better than this, but there you go...

Unicode processing is complicated. Complicated systems are fragile.

Of course, rewriting the core Unicode processing code to do a better job of handling invalid references - more extensive pointer validation, and catching and unwinding after SIGSEGV within well-defined regions - would make it a lot more robust.

Michael Thibault
Bronze badge
Pint

Congratulations, El Reg!

Some tentacle of the Apple juggernaut appears to have acknowledged your existence--possibly validating it. And, it's beer o'clock. Go to it.

Anonymous Coward

And you're telling me it's accidental?

* 75 specific characters

* arranged in specific way

* checks are carefully placed as though the code was hardened, but they don't do anything in this case

Not at all suspicious...

DropBear
Silver badge
Boffin

Re: And you're telling me it's accidental?

That kind of check is the sort of thing programmers drop off in their sleep without even thinking about it - it's not meant to "harden" anything, it's just a barely-more-than-nothing standard precaution handling pointers returned by some library call you just made; the implicit understanding is that the call will either fail (and therefore return a null pointer, against which you check) or else it will contain a valid address if it succeeds. They say it's not the fall that kills you but the sudden stop at the end; in this case, that sequence of instructions is that sudden stop - but the actual "cause of death" is most likely somewhere ahead, where that pointer acquires a value that's neither invalid nor valid. Either way, one should probably check the _actual_ status code returned by the call instead of relying on "oh and in case of failure also the pointer returned is NULL" (if that is even specified). It's also possible of course that the pointer is not returned by some call but computed right there on the spot - in which case the algorithm computing it is either conceptually buggy or simply making assumptions it should not make...

Anonymous Coward

Shit happens. Hope they patch soon.

It doesn't look particularly hardened, it's just a null pointer check. It looks like we ended up with a reference to some data belonging to an object whose pointer was 0x00 - it's too late to easily check pointers by then. I don't know anything about Objective-C object handling though, just a guess.

ThomH
Silver badge

Re: Shit happens. Hope they patch soon.

Speculation elsewhere that this is in part because iOS inherits NeXTSTEP's UTF-16 internal encoding and inadvertently truncates one of the 32-bit Arabic characters halfway when trying to add an ellipsis where it calculates it needs to chop the text. The effect of the invalid UTF-16 data (yes, it was validated upon receipt, but then it was broken) is an infinite loop in the decoder, which overspills the end of memory, rather than the buffer ever having been mapped at zero.

Apple doesn't put user-space memory at 0x00 since neither C nor Objective-C has a formalised syntax for optional returns so 0x00 is used for return nil/NULL.

See also: Should UTF-16 be considered harmful? on programmers.stackexchange.com, though I expect most around here won't need to.
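The surrogate-pair truncation ThomH describes, as an added example that is not from this thread or from Apple's code: a naive ellipsis cut that splits a UTF-16 pair beside one that backs off to the pair boundary, with a bounded validator that rejects the lone surrogate instead of looping on it. The sample string, the function names and the choice of U+1EE00 as the supplementary-plane Arabic character are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not Apple's code: UTF-16 stores code points above
 * U+FFFF as a surrogate pair (high D800-DBFF, then low DC00-DFFF). Cutting
 * between the halves leaves a lone surrogate, i.e. invalid UTF-16. */

static bool is_high_surrogate(uint16_t u) { return (u & 0xFC00) == 0xD800; }
static bool is_low_surrogate(uint16_t u)  { return (u & 0xFC00) == 0xDC00; }

/* True if every high surrogate is followed by a low one and no low surrogate
 * stands alone. The loop is bounded by n, so malformed input cannot hang it. */
bool utf16_is_valid(const uint16_t *s, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (is_high_surrogate(s[i])) {
            if (i + 1 >= n || !is_low_surrogate(s[i + 1])) return false;
            i++; /* skip the low half of the pair */
        } else if (is_low_surrogate(s[i])) {
            return false;
        }
    }
    return true;
}

/* Naive truncation for an ellipsis: cut at exactly 'limit' code units. */
size_t truncate_naive(const uint16_t *s, size_t n, size_t limit) {
    (void)s;
    return n < limit ? n : limit;
}

/* Safe truncation: if the cut would land right after a high surrogate, back
 * off one unit so the whole pair is dropped together. */
size_t truncate_safe(const uint16_t *s, size_t n, size_t limit) {
    size_t cut = n < limit ? n : limit;
    if (cut > 0 && cut < n && is_high_surrogate(s[cut - 1])) cut--;
    return cut;
}

/* Constructed sample: 'A', U+1EE00 (an Arabic mathematical symbol, encoded
 * as the pair D83B DE00), 'B', cut to 2 units. Returns 1 when the naive cut
 * yields invalid UTF-16 while the safe cut stays valid. */
int demo_truncation(void) {
    const uint16_t sample[] = { 0x0041, 0xD83B, 0xDE00, 0x0042 };
    size_t n = sizeof sample / sizeof sample[0];
    size_t naive = truncate_naive(sample, n, 2); /* keeps 'A' + lone D83B */
    size_t safe = truncate_safe(sample, n, 2);   /* backs off to just 'A' */
    return !utf16_is_valid(sample, naive) && utf16_is_valid(sample, safe);
}
```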

Dan 10

Re: Shit happens. Hope they patch soon.

"most round here won't need to" - speak for yourself! :-)

I don't have a dev background, so all this is really interesting to me.

clocKwize

I love these in depth write-ups about why these kind of things happen. More of this.

Hey Nonny Nonny Mouse

Oh goody, I can see the anti Islam conspiracy theories coming anytime now...

d3vy
Silver badge

I've already been warned that it lets ISIS hack into my Android phone.

Anonymous Coward

Just published Android app to do the hard work

So you don't have to. Enjoy rebooting iPhones, folks...

Slabfondler

Re: just published android app to do the hard work

With that level of psychological pathology, would you not be better suited by being in politics?

h4rm0ny
Silver badge

Re: just published android app to do the hard work

What did you call your app? LetYourFriendsKnowYouAreAnIdiot-ogram ?

That's a good name for it, I think.

stucs201

I wonder...

...does this work if sent as a flash (class 0) SMS? Could cause even more confusion that way.

(flash as in the auto-displaying text messages (sometimes displayed anonymously too for even more fun))

Sceptic Tank
Terminator

Restart required

I fail to see how this will cause the sun to go dark and the stars to fall to the earth.

Open message from friend. Phone reboots. Curses uttered. Phone restarts. Remove friend from Christmas card list.

You can probably even block the sender and instruct them to solve their personal issues before you will allow them to contact you again.

Charlie Clark
Silver badge

Re: Restart required

If you can cause a system to crash you're well on the way to hacking into it.

hplasm
Silver badge
Happy

Re: Restart required

"I fail to see how this will cause the sun to go dark and the stars to fall to the earth."

Several seconds of disconnect from the Fruitiverse - it's unthinkable!!

O the huge manatee!

Anonymous Coward

Re: Restart required

I seem to have buggered a friend's phone ... They've lost the ability to receive or send messages. Apple's Siri fix doesn't do anything.

Hans 1
Silver badge
Coffee/keyboard

> Remove friend from Christmas card list.

EPIC

I managed to get off everybody's Christmas card list ... the cards used to take up waay too much space in the recycling bin.

EssEll
Meh

ERROR

GIVEASH1T module failed to load: closing dooowwwwnnnnnnnnn....

But seriously: I do genuinely admire the quality of the article and the effort to which the author has gone to verify this issue, so kudos for that. The fact that the issue itself is not that big a deal is why I don't really give a stuff.

James Cane

Friends Again?

"An Apple spokesman told us". Apple are speaking to the Register?

Numpty Muppet

Re: Friends Again?

Read "... an Apple genius"

Anonymous Coward

What happens after 0x0af42d?

And can you influence it by mmap'ing (MAP_FIXED) a page at NULL on affected iOS or OS X versions and putting carefully-chosen data starting at location 4?

Inquiring minds would like to know.... ;)

Ben Hodson

Is it possible that people have stumbled across a badly implemented back door?

NSA sends a specially formatted text which causes the device to take on certain behaviour?

Afernie

"Is it possible that people have stumbled across a badly implemented back door?"

Possible, but Hanlon's Razor applies.

Wilco

tinfoilhat=on

EssEll
Black Helicopters

You forgot your icon.

Fixed it for you.

b166er

Reading through this thread makes me suspect people with iPhones often don't have a sense of humour.

ebrelion

How can a user-space app crash the whole system?

TeeCee
Gold badge

Well the article does say that the notification screen is a core OS component, so presumably it doesn't run in user space.

Which sounds like a bit of a pig's ear in itself, if so.


Biting the hand that feeds IT © 1998–2018