The iOS Bug That Freezes Your iPhone with a Message

Author: Craig Pollack Date: Jan 31, 2018 Topics: Cybersecurity

The once-believed to be “unhackable” Apple iPhone has another cybersecurity gap that can lead to phones freezing and restarting — all from receiving a simple text message

According to a Mashable article, software developer Abraham Masri discovered a new bug this month that could cease all functions on an iPhone — effectively paralyzing it — by sending a message containing a website link to an iPhone user via iMessage. Cleverly dubbed “chaiOS” by its discoverer, the bug can freeze and crash handsets even when the user chooses to not open the message once it has been received.

With more than 700 million iPhones in use around the world as of March 2017, this could become a far-reaching issue should this gap be exploited by malicious users. The bug also follows the recent announcement of a major security flaw on all Apple devices (bugs that have been commonly referred to in the media as “Spectre” and “Meltdown”) that have left them vulnerable to hacking via the use of “speculative execution” of its performance chips.

So what does the latest “chaiOS” bug mean for iPhone users? And how much should you be concerned about your iPhone security?

How the Bug Works

Thankfully, this error seems to be more of an inconvenience than a major cybersecurity concern like Meltdown and Spectre. The error itself is pretty straightforward and doesn’t require a bunch of malicious coding like many viruses. It simply takes advantage of the iPhone’s auto-load preview thumbnail feature to cause the system to lock up, crash, or both.

According to an article about the bug in Forbes:

“When iMessage receives a message with a URL embedded, it will go online and generate a small thumbnail preview of the link. If the metadata is much larger than normally accepted (on the order of hundreds of thousands of characters), then iMessage will lock up the device.”

The link the article refers to is a link to a web page on GitHub. So even though the specific page on GitHub has since been removed, the same principles can be applied to other websites, using excess meta data to trigger crashes.

So what can be done to avoid the issue or prevent it from impacting your device?

How to Fix It

According to the Mashable article from Jan. 18, Apple said it planned to fix the iPhone security issue in its next software update the following week and released its iOS 11.2.5 update on Jan. 23. However, another way to fix it can be by blocking your phone from loading the domain name by adding the domain to your Safari browser restrictions list. This generally is a good idea, anyhow, for non-developers as GitHub sites can contain malicious content.  

Practice Mobile Phone Safety

Based on more than 25 years of IT security knowledge and experience, I’ve put together a few tips for how mobile phone users, in general, can practice good “security hygiene” to keep their devices and data safe. These tips include information about using encryption software, multifactor authentication, and apps for antivirus, anti-malware, and anti-theft protection to help protect your personal or company devices.

Another good way to help protect your business from viruses and errors that can result from bring your own device (BYOD) mobile device users is to develop a comprehensive cybersecurity and mobile device policy. When employees in your organization use their personal devices for the sake of convenience, if those devices are not adequately protected, it can put your network at risk.

Organizations and businesses need to take clear steps to protect themselves and their data from the risks of hacked, lost or stolen mobile devices. FPA is here to help you ensure that your sensitive data remains as secure and protected as possible. Contact us today for a technology security assessment to proactively assess, manage, and support your IT security needs.

How do these bugs or potential hacking vulnerabilities concern you regarding the protection of the data on your personal or business devices? Share your thoughts in the comments box below or send an email if you’d like to chat with me about this topic.

Cyber Security Report Card


Craig Pollack

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 25 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best secure and leverage their technology to achieve their business objectives.