Fixed iMessage bug bricked iPhones using malformed message

Posted in iOS
Details of a now-patched bug in iMessage have been revealed by a Google Project Zero researcher, a problem that could have forced users to wipe and restore their iPhones to get them working again, if they received a malformed message.

Disclosed by Google Project Zero, the search company's bug and vulnerability-discovery team, the issue concerns a specific kind of malformed message sent to a victim device. Under Project Zero's usual disclosure rules, the bug was withheld from public view until either 90 days had elapsed or a patch had been made broadly available; Apple's fix in the iOS 12.3 update allowed it to be revealed.

Specifically, the message contains a property whose value is not a string, even though one is expected. A method named IMBalloonPluginDataSource _summaryText assumes the value is a string but never verifies that it is.

The subsequent call to IMBalloonPluginDataSource replaceHandlewithContactNameInString then calls im_handleIdentifiers on the supposed string, which throws an exception.

While the message affects both Mac and iPhone, it does so in different ways. On macOS, the error causes "soagent" to crash and respawn, making it a relatively brief issue where, at worst, the Messages app stops working.

On iPhone, the affected code runs in SpringBoard, which repeatedly loads, crashes, and reloads itself to the point where the UI cannot be displayed and the iPhone stops responding to user input. Because the problem survives a hard reset and starts again after the iPhone is unlocked, the only known fix is to reboot into recovery mode and restore the device.
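The two failure layers the article describes, an unchecked type assumption on an incoming message and a process manager that relaunches the crashing component without limit, can be modelled together. The following is an added example, not code from the article, Project Zero or Apple: the property key "text", the placeholder substitution standing in for the contact-name replacement, the sample inbox and the Supervisor class are all constructed for the demonstration and are not iMessage internals. It contrasts the crashing pattern with a type-checked handler that rejects the bad message, and shows how a cap on crash-driven relaunches turns a permanent hang into one quarantined message.

```python
"""Added example (not code from the article, Project Zero or Apple): the
unchecked-type pattern the article describes, a hardened version, and a
supervisor that caps crash-driven relaunches. The key name "text" and the
messages are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple


class MalformedMessage(ValueError):
    """Raised by the hardened path when a message property has the wrong type."""


def summary_text_unchecked(props: Dict[str, Any]) -> str:
    # Pattern described in the article: assume the property is a string and
    # call a string method on it. For a non-string value this raises
    # AttributeError, the analogue of the thrown Objective-C exception, and
    # the caller crashes.
    value = props["text"]
    return value.replace("$handle", "Contact")


def summary_text_checked(props: Dict[str, Any]) -> str:
    # Hardened path: verify the type before using it and reject the message
    # with a typed error the caller can handle without crashing.
    value = props.get("text")
    if not isinstance(value, str):
        raise MalformedMessage(
            f"'text' must be a string, got {type(value).__name__}")
    return value.replace("$handle", "Contact")


@dataclass
class Supervisor:
    """Hypothetical model of a process manager that relaunches a crashed
    component, which then re-reads the same persisted inbox. max_crashes=None
    relaunches forever (the behaviour the article attributes to SpringBoard);
    an integer cap quarantines the offending message once the cap is hit."""
    handler: Callable[[Dict[str, Any]], str]
    max_crashes: Optional[int] = 3
    crashes: int = 0
    quarantined: List[Dict[str, Any]] = field(default_factory=list)

    def run(self, inbox: List[Dict[str, Any]],
            relaunch_budget: int = 20) -> Tuple[str, List[str]]:
        """Deliver the inbox; return ("ok", rendered) or ("hung", rendered).
        relaunch_budget only bounds the demo so an uncapped loop terminates."""
        pending = list(inbox)
        rendered: List[str] = []
        relaunches = 0
        while pending:
            msg = pending[0]
            try:
                rendered.append(self.handler(msg))
                pending.pop(0)
                continue
            except MalformedMessage:
                # Hardened handler rejected it: drop the message, stay up.
                self.quarantined.append(pending.pop(0))
                continue
            except Exception:
                # Unhandled exception: the component crashes, is relaunched,
                # and finds the same message at the head of the persisted inbox.
                self.crashes += 1
                relaunches += 1
            if self.max_crashes is not None and self.crashes >= self.max_crashes:
                self.quarantined.append(pending.pop(0))  # break the loop
                self.crashes = 0
            elif relaunches >= relaunch_budget:
                return "hung", rendered  # the UI never comes back
        return "ok", rendered


# Constructed inbox: the second message carries a non-string value where a
# string is expected, the shape of fault the article describes.
INBOX = [{"text": "hi $handle"}, {"text": 42}, {"text": "see you later"}]


def scenarios() -> Dict[str, Tuple[str, List[str], int]]:
    """Run three configurations; report (status, rendered, quarantined count)."""
    out = {}
    for name, handler, cap in [
        ("unchecked_uncapped", summary_text_unchecked, None),
        ("unchecked_capped", summary_text_unchecked, 3),
        ("checked", summary_text_checked, 3),
    ]:
        sup = Supervisor(handler, cap)
        status, rendered = sup.run(INBOX)
        out[name] = (status, rendered, len(sup.quarantined))
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Only the uncapped, unchecked configuration hangs: every relaunch re-reads the same stored message and crashes again, which is why a reboot does not help in the scenario the article describes. Either defence on its own (validating the type before use, or refusing to relaunch indefinitely on the same input) is enough to keep the remaining messages flowing.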

As part of the disclosure, Google Project Zero has also released instructions to reproduce the issue.

AppleInsider recommends users keep their iPhones up to date where possible, and to retain backups of their devices and stored data.

Malformed messages have been the source of some issues for iMessage users in the past. One major example is the "Black Dot" Unicode bug from 2018 that abused invisible characters to crash the app on iPhones and iPads running iOS 11.3.

Another 2018 "text bomb" exploited unoptimized rendering processes for OpenGraph page titles to create excessively long tags, again causing crashes. Another from 2015 used a single line of Arabic script to consume iOS resources when rendering, but only when it appeared as a notification.

Comments

  • Reply 1 of 12
    seanismorris Posts: 1,084 member
    Good work Google Project Zero!

    Still waiting on Apple to allow updates through LTE rather than WiFi only. (Usually just 200-300MB)

    Yep, I’m a broken record...  Call me crazy but I think security updates are important.

  • Reply 2 of 12
    This bug keeps happening because it has never actually been fixed. Perhaps Apple should stop masking the bug by avoiding specific malformed messages and fix the underlying bug which is that iMessage has the capability to brick iPhones. At the worst, iMessage should fail to deliver a bad message. It should not be able to brick your device. I have been developing iOS apps for over a decade and have never seen a bug in my app brick one of my iOS devices even in the most catastrophic data corruption situations.
    edited July 5
  • Reply 3 of 12
    22july2013 Posts: 813 member
    I thought "to brick" meant to make something totally unrecoverable except by the manufacturer with certain tools. From the web: "First of all, lets get something straight. Most people use the term 'bricked' improperly. A bricked phone means one thing: your phone won't turn on in any way, shape or form, and there's nothing you can do to fix it. It is, for all intents and purposes, as useful as a brick. A phone stuck in a boot loop is not bricked, nor is a phone that boots straight into recovery mode. These are things you can usually fix, and they're a lot more common than a truly bricked phone. If your phone is actually bricked, you won't be able to fix it yourself..." Since the problem described in this article allows you to boot into recovery mode, it is not "bricked" by this standard definition.
  • Reply 4 of 12
    kimberly Posts: 252 member
    I thought "to brick" meant to make something totally unrecoverable except by the manufacturer with certain tools. From the web: "First of all, lets get something straight. Most people use the term 'bricked' improperly. A bricked phone means one thing: your phone won't turn on in any way, shape or form, and there's nothing you can do to fix it. It is, for all intents and purposes, as useful as a brick. A phone stuck in a boot loop is not bricked, nor is a phone that boots straight into recovery mode. These are things you can usually fix, and they're a lot more common than a truly bricked phone. If your phone is actually bricked, you won't be able to fix it yourself..." Since the problem described in this article allows you to boot into recovery mode, it is not "bricked" by this standard definition.
    That was my understanding of 'bricked' too.
  • Reply 5 of 12
    macgui Posts: 1,464 member
    Both 'bricked' and 'vaporware' have become misused so often and for so long they now have taken on a different meaning. I still use them old school.
  • Reply 6 of 12
    alanh Posts: 43 member
    That headline is so difficult to make sense of....
  • Reply 7 of 12
    lewk Posts: 16 member
    Publishing the method used to crack, brick, or otherwise screw up any phone, computer, or whatever is irresponsible! People are often running older versions of systems and applications for very valid reasons and may NOT be able to update. This sort of forcing users to update not just software, but hardware is unconscionable, as not everyone can afford to update software or hardware and the older hardware or software was quite adequate for their needs. So telling the criminals that use these methods how to do these things should be illegal. Especially a bug affecting Messages, since robodialing SPAM is very much an issue these days. I guess it shouldn't surprise me that Google would deliberately publish actual instructions on how to do something like this. Just because a patch is available doesn't mean everyone has applied it or ever will! And since companies drop support for older hardware, this sort of thing can play havoc with users that only have older hardware!
  • Reply 8 of 12
    Rayz2016 Posts: 4,764 member
    I thought "to brick" meant to make something totally unrecoverable except by the manufacturer with certain tools. From the web: "First of all, lets get something straight. Most people use the term 'bricked' improperly. A bricked phone means one thing: your phone won't turn on in any way, shape or form, and there's nothing you can do to fix it. It is, for all intents and purposes, as useful as a brick. A phone stuck in a boot loop is not bricked, nor is a phone that boots straight into recovery mode. These are things you can usually fix, and they're a lot more common than a truly bricked phone. If your phone is actually bricked, you won't be able to fix it yourself..." Since the problem described in this article allows you to boot into recovery mode, it is not "bricked" by this standard definition.
    Ah.

    Then thanks for posting.

    When the headline said “bricked” I thought that meant the phones were being returned to Apple for replacement.

    Because that’s what you do when your device is “bricked”: you get it replaced.

    edited July 7
  • Reply 9 of 12
    dysamoria Posts: 2,283 member
    Why is it even possible for iMessage exceptions to put the phone into an unusable state? Clearly there’s a deeper design issue needing to be addressed. The OS should still function without iMessage. I thought everything was supposed to be sandboxed.

    It references a plugin. Is that the notification system in springboard?
  • Reply 10 of 12
    Nice catch from Google.

    But from the article, it's not the messages app that's causing the problem to be so severe. Yes, the app has a poorly-written method that doesn't type-check the data it's receiving, and that causes a crash. The bigger problem is that somehow Springboard doesn't detect the crash and simply keeps trying to reload the app, EVEN AFTER A DEVICE RESTART. If I were at Apple, that second issue is the one I'd be investigating and correcting ASAP.

    (edited to correct spacing issue)
    edited July 7
  • Reply 11 of 12
    welshdog Posts: 1,694 member
    So what exactly is the text that causes the disruption? I didn't see it in the article.
  • Reply 12 of 12
    netrox Posts: 786 member
    Bricking a device means the device cannot be operated normally at all and requires hardware repair or replacement. This bug doesn't brick the device. It can be recovered with software.