If you’re one of the people who delays updating your iPhone for a couple of months, you might want to reconsider that policy. There’s a serious issue with the iMessage service that can allow an attacker to completely disable an iPhone just by sending one specially formed message to the device.
A researcher with Google’s Project Zero team, Natalie Silvanovich, discovered the issue in April and reported it to Apple. Apple fixed the issue in iOS 12.3, but the details of the vulnerability have only just become public. In essence, the bug is a problem with the way that iMessage handles a specific type of input.
“On a Mac, this causes soagent to crash and respawn, but on an iPhone, this code is in Springboard. Receiving this message will case Springboard to crash and respawn repeatedly, causing the UI not to be displayed and the phone to stop responding to input,” Silvanovich wrote in her bug report.
“This condition survives a hard reset, and causes the phone to be unusable as soon as it is unlocked. The only way I could find to fix the phone is to reboot into recovery mode and do a restore. This causes the data on the device to be lost though.”
The vulnerability exists in iOS versions prior to 12.3, which was released in May. People who have automatic updates enabled or have updated their devices manually since the release are protected already.
“This condition survives a hard reset, and causes the phone to be unusable as soon as it is unlocked."
This kind of vulnerability can be especially dangerous as it doesn’t require an attacker to have physical access to a target device, nor does it require any interaction from the victim. Just sending a malicious message to a vulnerable device is enough to trigger the bug, making the device unresponsive. The victim likely would have no indication of why the phone has been bricked. Recovering from an exploit against this vulnerability would be painful, as Silvanovich said in her bug report.
“For testing purposes, there are three ways that I found to unbrick the device:
- wipe the device with 'Find my iPhone'
- put the device in recovery mode and update via iTunes (note that this will force an update to the latest version)
- remove the SIM card and go out of Wifi range and wipe the device in the menu,” she said.
For anyone who hasn’t updated to iOS 12.3, the time to do so is now, especially with details of the vulnerability now public.