Apple 5 min read

Apple iOS Messenger App Crash

A huge bug hit the news yesterday that impacts Apple's iOS platform. Very easy to launch a denial of service attack against random users by just sending 1 specific character in the Telugu languge to them.

Apple iOS Messenger App Crash

Watch this episode on YouTube.

Reasonably Accurate 馃馃 Transcript

All right, morning everybody. How's it going? It is Friday. We've made it through five full days of mornings with Mark. Um Thank you for staying tuned. Thank you for being engaged. Um Yesterday we had an interesting talk. It kind of took a little bit of a turn.

Um, when we were talking about uh digital identity and unfortunately, the overhyped Blockchain word. Well, today I wanted to talk about something, uh maybe a little bit more topical. So I hope you've got your tea or your coffee.

Um, and I want to talk about what was, uh flying around online yesterday, um, with uh iphone with I Os with Os X and that really weird little character that you probably didn't even see. Um, essentially what happened Tom Warren over at the verge had a great breaking story um, that there was a major bug in I OS and it's still there.

It's in um 11.2 0.5 I think it is. So the latest version, um and basically what happens is if your messaging app or another app receives a very specific um, character in one of the um Indian dialect languages.

So it's a unicode character. Um, it crashes. Now, it doesn't sound like too much until you realize that all of these apps like iMessage, uh Facebook Messenger and they're set up to receive messages from anybody. So this means anyone can fire off a message with this specific character and your app will crash until that message is deleted, um, or that character is removed somehow.

So this is quite significant. It's a denial of service attack. So that's where an attacker does something to prevent your system from working. So they are not trying to steal data, they're not trying to take over your system to use it in another attack.

They're just simply trying to deny you the use of that system. This is a one character attack that's super easy to fire off at people. I spent a good chunk of my day restarting and then just giving up on my Twitter client on Mac Os on Tweet bot.

It was just dying every time it tried to process this character, there's just something about the way that the apple platform handles this particular character that causes it to crash. Now, that's a simple mistake. Developers make mistakes all the time.

And I think for me, this really kind of comes back to one of the core aspects of security that a lot of people tend to forget about people think security is its own discipline. And for sure there's a lot of expertise required to dive deep.

My own specialty in forensics needs a lot of expertise. There's a lot of expertise around incident responders around perimeter defense. Like there are absolutely specialties within security. But if you're thinking of security as a separate activity, you're already failing at that, to be perfectly honest.

So we see that a lot where people are pushing this concept of DEV OPS versus DEV OPS security is part of DEV ops. You don't need to add an extra acronym. You guys have heard me rail against that multiple times for the last couple of years.

Security is part of everything you do. And in an automated system, like a culture that embraces Dev ops security needs to be built in. So this is a good example where, you know, you're not going to test every single unicode character out there, but one slip through and cause the catastrophic error.

So maybe they should have had automated testing, testing all the UN go characters, there's only 10 or 12,000 and very easy for a computer to run through all of them. But this is a case where, you know, security's job and this is my definition of cybersecurity.

And I think it's very practical and very useful and I think it clears up a lot of misconceptions that cybersecurity, the job of security is to make sure that your systems are doing what they're supposed to do and only what they're supposed to do, right.

So in this case, the um uh, messages on your iphone. It's supposed to let you send messages and videos and, you know, rich content back and forth between one or more people. That's it, it's not supposed to crash.

It just, it's not supposed to, um, you know, crash uh repeatedly until somebody else, um, uh, removes a character from a thing. It's supposed to work now. Reliability and quality you think are separate activities. Well, they are kind of, But you know, if you think of, I think quality is a really good example.

A colleague of mine had brought this up and said you don't have a separate quality department. You may have a quality verification department, but quality is everybody's job and so is security. So this is a case where a simple mistake is causing a major security issue for all Apple users at the moment because you don't know who is going to send this across your timeline, who is going to send you a random message here and your system may crash depending on the program that's processing it a big issue.

Now, Apple recognize this, they're going to issue out a patch very, very shortly because they actually had already addressed this bug in 11.3 for IOS which is due out later in a month or two, but they're going to send out an emergency patch in the next day or so.

So make sure you have auto updates on as always. But again, this is another good example where security is not a separate activity. It's part of everything that you're supposed to be doing, it's there to ensure that your systems are doing what they're supposed to do.

And only that, that's where I think people kind of take their eye off the ball and they lose sight of that bigger picture because they stand up entire departments dedicated to security. And they think it's this magical discipline.

It's the wizard on the hill kind of thing. It's not, it's part and parcel of everything. Everyone who is touching technology is doing and you need to turn around and make sure that everybody is educated and testing and automating and doing appropriate activities to make sure that things like this don't pop up or if when they do, you can react quickly and effectively to protect your users.

So that's it for today. I hope you guys are off for a good day. I hope uh the coffee or the tea is helping out. Um I hope everybody is gonna have an enjoyable weekend as always. I'm always happy to chat, looking for engagement, looking for conversation.

Hit me up here on Facebook um on, did I get it? Right. Oh, no wrong side. There we go. Hit me up on Twitter marknca Um Then talk about this bug. Let's talk about security within um devs culture.

Let's talk about security as a discipline and how you can be security educators. Um anything on the top of your mind? Just shoot a comment down below here. Um Any other platform? I hope you have a great weekend and we will talk to you on Monday.

Can I do it one handed blind? No, there we go. All right. Sorry about the side view. I've got different angle today. Um All good. See you on my.

Read next

Apple vs. The FBI
Archive

Apple vs. The FBI

The FBI and other federal law enforcement in the US (and elsewhere) continue to push back against "going dark". Thankfully Apple is fighting back, because when we break security systems and processes, no one wins. This post tracks the signficant events in Apple vs. the FBI.