Apple patched a high-severity iMessage bug found by Google Project Zero that can be exploited by an attacker who sends a specially-crafted message to a vulnerable iOS device. Those iPhones receiving the malicious message are rendered inoperable, or bricked.
Apple patched the bug with the release of iOS 12.3 on May 13, 2019. As of June, according to iOS version tracking firm Statcounter, 47 percent of iOS devices worldwide are running a vulnerable version of the iOS – 12.2 and below.
Natalie Silvanovich, the Google Project Zero researcher who is credited for the discovery (CVE-2019-8664), revealed some details for the vulnerability, per Google’s policy to disclose research findings 90 days after discovery. The bug, which was discovered in April, is described as a “malformed message” containing a text key.
By sending a specially-crafted iMessage, a remote attacker could exploit this vulnerability to cause a denial of service condition. The receiving device would be inoperable until it was reset to factory settings, wiping out the iPhone’s previous configuration and data.
“On a Mac, this causes soagent to crash and respawn, but on an iPhone, this code is in Springboard. Receiving this message will case Springboard to crash and respawn repeatedly, causing the UI not to be displayed and the phone to stop responding to input,” Silvanovich wrote.
Apple did not reply to a request for comment in time for this report.
Remediation, the research suggests, is either to wipe the device with “Find my iPhone” or “put the device in recovery mode and update via iTunes (note that this will force an update to the latest version)” or “remove the SIM card and go out of Wifi range and wipe the device in the menu.”
The proof-of-concept attack method targets IMCore, a framework used by Apple and its Messages app to communicate with other services. “A method in IMCore can throw an NSException due to a malformed message containing a property with key IMExtensionPayloadLocalizedDescriptionTextKey with a value that is not a NSString,” wrote researchers.
According to Apple, NSException is “an object that represents a special condition that interrupts the normal flow of program execution.” NSException is used perform exceptions, for example, allowing an application to store a file to a write-protected directory. Apple describes NSString as a static, plain-text Unicode string object that bridges to String.
Mitigation is simple: update iOS to version 12.3 or above.
In January 2018, Apple fixed a similar ChaiOS message bug. The so-called ‘text bomb’ flaw existed in Apple’s iPhone and Mac computers. Recipients receiving specially-crafted messages via the iMessage app (containing the link to the malicious code hosted on GitHub) reported devices freezing and in some cases crashing.