The once-believed to be “unhackable” Apple iPhone has another cybersecurity gap that can lead to phones freezing and restarting — all from receiving a simple text message
According to a Mashable article, software developer Abraham Masri discovered a new bug this month that could cease all functions on an iPhone — effectively paralyzing it — by sending a message containing a website link to an iPhone user via iMessage. Cleverly dubbed “chaiOS” by its discoverer, the bug can freeze and crash handsets even when the user chooses to not open the message once it has been received.
With more than 700 million iPhones in use around the world as of March 2017, this could become a far-reaching issue should this gap be exploited by malicious users. The bug also follows the recent announcement of a major security flaw on all Apple devices (bugs that have been commonly referred to in the media as “Spectre” and “Meltdown”) that have left them vulnerable to hacking via the use of “speculative execution” of its performance chips.
So what does the latest “chaiOS” bug mean for iPhone users? And how much should you be concerned about your iPhone security?
How the Bug Works
Thankfully, this error seems to be more of an inconvenience than a major cybersecurity concern like Meltdown and Spectre. The error itself is pretty straightforward and doesn’t require a bunch of malicious coding like many viruses. It simply takes advantage of the iPhone’s auto-load preview thumbnail feature to cause the system to lock up, crash, or both.
According to an article about the bug in Forbes:
“When iMessage receives a message with a URL embedded, it will go online and generate a small thumbnail preview of the link. If the metadata is much larger than normally accepted (on the order of hundreds of thousands of characters), then iMessage will lock up the device.”
The link the article refers to is a link to a web page on GitHub. So even though the specific page on GitHub has since been removed, the same principles can be applied to other websites, using excess meta data to trigger crashes.
So what can be done to avoid the issue or prevent it from impacting your device?
How to Fix It
According to the Mashable article from Jan. 18, Apple said it planned to fix the iPhone security issue in its next software update the following week and released its iOS 11.2.5 update on Jan. 23. However, another way to fix it can be by blocking your phone from loading the domain name GitHub.io by adding the domain to your Safari browser restrictions list. This generally is a good idea, anyhow, for non-developers as GitHub sites can contain malicious content.
Practice Mobile Phone Safety
Based on more than 25 years of IT security knowledge and experience, I’ve put together a few tips for how mobile phone users, in general, can practice good “security hygiene” to keep their devices and data safe. These tips include information about using encryption software, multifactor authentication, and apps for antivirus, anti-malware, and anti-theft protection to help protect your personal or company devices.
Another good way to help protect your business from viruses and errors that can result from bring your own device (BYOD) mobile device users is to develop a comprehensive cybersecurity and mobile device policy. When employees in your organization use their personal devices for the sake of convenience, if those devices are not adequately protected, it can put your network at risk.
Organizations and businesses need to take clear steps to protect themselves and their data from the risks of hacked, lost or stolen mobile devices. FPA is here to help you ensure that your sensitive data remains as secure and protected as possible. Contact us today for a technology security assessment to proactively assess, manage, and support your IT security needs.
How do these bugs or potential hacking vulnerabilities concern you regarding the protection of the data on your personal or business devices? Share your thoughts in the comments box below or send an email if you’d like to chat with me about this topic.