Apple’s iMessage was first introduced along with iOS 5 back in late 2011, and has since processed many billions of messages between iPhone, iPad, iPod touch and OS X Mountain Lion users worldwide. But whilst celebrated for being secure, efficient, and generally reliable, a newly found vulnerability demonstrates just how easily a user can be flooded with messages in a DoS-esque manner, to the point where the app locks up and becomes unusable. Many Apple developers, including jailbreak gurus such as iH8Sn0w and chpwn, have been targeted in a spate of attacks, and although the culprit’s origins remain unknown, it’s worrying just how easily the attacks were conceived.
According to TheNextWeb, the individual (or group of individuals) behind the attack set it up using a simple AppleScript and sent the messages from fake e-mail accounts. That makes it difficult not only to trace who was behind the attacks, but also to block them and prevent such an issue from arising again.
As noted by Grant Paul (@chpwn) on Twitter: “The iMessage spammer has now completely locked me out of my iOS Messages app”. He further stated that it was done “by sending long strings of Unicode chars.” and labeled it a DoS attack.
Amid the chaos, a site was also recently compromised under the same conditions, but the real issue is just how easy it was for this particular group or person, having gotten hold of a few e-mail addresses, to freely attack the iMessage accounts of developers. It’s also worth noting that if a ginormous string of Unicode text (or Emoji, as it’s famously known) is sent to someone over and over again, the Messages app will simply crash and stop working, because it cannot render that amount of text easily.
For a company renowned for its watertight security in software, the past couple of months certainly haven’t painted Apple in a very favorable light at all. Several iOS security holes and flaws even put the brakes on Apple’s efforts to patch the Evasi0n jailbreak, with an unprecedented two updates released before the third eventually prevented users from applying the untethered jailbreak.
The Cupertino company has yet to issue a statement on the matter, but one suspects there will need to be some significant alterations made to the iMessage infrastructure. The company needs to keep developers happy and secure as much as anybody, and although this attacker only hit a small number of iMessage users, next time the scale may be considerably higher.