Over the last couple of days, a group of iOS developers has been targeted with a series of rapid-fire texts sent over Apple’s iMessage system. The messages, likely transmitted via the OS X Messages app using a simple AppleScript, rapidly fill up the Messages app on iOS or the Mac with text, forcing a user to constantly clear both notifications and messages.
In some instances, the messages can be so large that they completely lock up the Messages app on iOS, constituting a ‘denial of service’ (DoS) attack of sorts, even though in this case they appear to be a prank. Obviously, if the messages are repeated an annoyingly large volume but don’t actually crash the app, they’re still limiting the use you’ll get out of the service. But if a string that’s complex enough to crash the app is sent through, that’s a more serious issue.
The attacks hit at least a half-dozen iOS developer and hacker community members that we know of now, and appear to have originated with a Twitter account involved in selling UDIDs, provisioning profiles and more that facilitate in the installation of pirated App Store apps which are re-signed and distributed. The information about the source of the attacks was shared by one of the victims, iOS jailbreak tool and app developer iH8sn0w.
“On Wednesday night my private iMessage handle got flooded with “Hi” and “We are anonymous” bulls**t,” iH8sn0w tells us. He immediately disabled that iMessage email and began tracking the sending email domain’s current ownership. iH8sn0w shared a proof-of-concept AppleScript with us that demonstrates just how easy it is to set up a recurring message that could saturate a person’s iMessage queue with items that would need to be cleared or read before any actions could be taken.
Another iOS developer targeted, Grant Paul, shared some additional details about the attacks.
“What’s happening is a simple flood: Apple doesn’t seem to limit how fast messages can be sent, so the attacker is able to send thousands of messages very quickly,” Paul says.
The second part of that, he explains, is that if a user sends a ‘complex’ text message using unicode characters that force a browser to render ‘Zalgo’ text, or simply uses a message that is enormous in size, them the Messages app will eventually crash as it fails to display it properly. This will effectively ‘break’ the Messages app on iOS by forcing it to close and stop it from re-opening because it can’t render that text.”
The ‘send a big message to crash the app’ method has been known for a while, as we were able to locate a month-old public posting that detailed an accidental triggering of this. The solutions involve playing around with sending a regular message, then locking the phone and activating the message notification until you’re able to time it right to delete the message thread that’s causing the problem. This is the way that Paul was able to finally delete the complex text that was causing him problems.
Several of the developers we spoke to noted that multiple ‘throwaway’ emails were being used to send the spam, so while a simple ‘block’ option might work for a casual spammer, they wouldn’t work for a determined harasser.
This appears to be the only real solution as Apple does not currently allow you to block a specific iMessage sender. Once your iMessage ID is out there, you’re unable to stop people from using it. And since the latest version of iOS unifies your phone number and emails, there’s a strong possibility that if a person can ferret out your email, they can spam you with this annoying or disruptive technique.
The only recourse right now is to disable that iMessage handle entirely. And if they get your phone number, it’s likely you’ll have to turn off iMessage entirely, because you can’t just change your phone number at the drop of a hat. Thankfully, this doesn’t seem to be a widespread practice, but it’s not that hard to figure out, and the only real solution will be the introduction of a block setting for Messages and better spam detection by Apple.
We have informed Apple about the technique used in these cases but it has not responded with more information. We will update the article if it does so.
Screenshot of the issue via Adam Bell.