Latest Apple Text-Bomb Crashes iPhones via Message Notifications

Sindhi-language characters can crash iPhones and other iOS/macOS devices if a victim views texts, Twitter posts or messages within various apps containing them.

Apple devices are vulnerable to a “text bomb” attack where simply looking at messages or posts containing characters in the Sindhi language can crash devices.

Sindhi is an official language used in Pakistan. The bug affects iPhone, iPad, Macs and Apple Watches, and arises from macOS and iOS failing to properly render a Unicode symbol used when writing in the language. Because the symbol confuses the operating systems, according to a Friday post from researcher Graham Cluley at Bitdefender, the devices simply spontaneously crash when it shows up in a viewing window.

The problem occurs in a number of different scenarios, including if the character string shows up in a text message – in fact, just looking at a message notification containing a message preview will crash the system. Viewing messages within apps leads to the same outcome, as does reading social media posts on one’s phone or Mac. As for the latter point, Threatpost editors were able to independently confirm that looking at tweets containing the characters will indeed shut down an iPhone.

Cluley noted that completely rebooting the device fixes the problem – until another booby-trapped message comes along.

The issue was first reported on Reddit on Thursday, and given the moniker “CapturetheFlag” because the offending characters are often paired with the Italian flag (the flag though is not necessary to trigger a crash). Trigger messages began being circulated in Telegram messages, and quickly went viral on Twitter, with many pranksters posting tweets containing the text-bomb content.

Apple has had similar linguistic issues in the past; in 2013, certain combinations of Arabic characters were found to crash Macs and iPhones; while in 2018, messages containing letters of the south Indian language of Telugu were discovered to do the same thing.

Other text-bomb attacks that don’t relate to Unicode symbols have made the rounds in the past: The chaiOS bug in 2018 for instance allowed attackers to crash or freeze phones just by sending a text message containing a hyperlink to malicious code hosted on GitHub. Recipients only needed to receive the malicious messages for the flaw to work: Clicking on the link wasn’t required.

And last year, an Apple iMessage bug made the rounds that allowed attackers to brick iPhones running older iOS versions, by sending a specially crafted message to a vulnerable device.

In this case, Apple hasn’t yet issued a public statement on the problem, but according to Cluley, the latest beta version of iOS fixes the issue.

“[This] already incorporates a fix for the problem – so we may only be days away from having it pushed out to our vulnerable devices,” he wrote. “In the meantime, if you are worried or think you might be targeted by a mischief-maker who delights in crashing your device, you might be wise to disable message previews on your iPhone.”

Android users can meanwhile log this one as a win in the mobile device wars: Google’s OS is unaffected.

The news comes as Apple pushes back against claims that two zero-day bugs in its iPhone iOS have been exploited for years. A widely disseminated report published Wednesday by ZecOps claimed that bugs in the Apple Mail app on iPhones and have been exploited in the wild since 2018 by an “advanced threat operator.” However, Apple said in a statement to Bloomberg’s Apple correspondent Mark Gurman that he posted on Twitter that the findings aren’t true.

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.

Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.

Suggested articles