If you believed all the headlines you would think the problem is more serious than it really is.
“Beware the “Black Dot of Death” that will obliterate your iPhone with one text message”, reads The Metro newspaper. “Warnings about WhatsApp ‘text bomb’ that could destroy your phone.” says the Liverpool Echo. And “This WhatsApp ‘text bomb’ is destroying recipient’s phones” claims the Birmingham Mail.
Yes, it is true that so-called “text bomb” vulnerabilities are capable of crashing normal operations on your Android or iPhone, but to claim that your phone is “destroyed”? Well, that’s crazy.
The problem first emerged six days ago, when a Reddit user claimed that a specially-crafted text message could crash a number of messaging apps including WhatsApp.
At first sight that message looks fairly harmless – a sentence followed by a laugh-until-you-cry emoji, surrounded by quotation marks. But secretly hidden between the emoji and the final quote mark are thousands of hidden characters that don’t get displayed.
Unfortunately, apps like WhatsApp fail to handle the hidden character shenanigans gracefully, get their knickers in a twist, and fall over – causing the app to crash, and in some cases other instabilities on the device.
The payload, the text bomb’s creator said, was more dramatic in its impact on Android devices than iOS.
Now, that’s not the kind of news that Apple devotees want to take lying down. So it was only a matter of a day or two before a similar “text bomb” was reported specifically causing crashes on Apple devices.
The so-called “Black Dot of Death” is a message you might receive which contains an emoji of a medium-sized black circle, perhaps accompanied by an emoji of a pointed finger urging you to click on the ominous black hole.
The “Black dot” itself appears to be harmless, but once again hidden inside the message are many invisible Unicode characters that simply overload the phone, ultimately causing your iMessage app to crash in unpredictable ways.
The bug reportedly affects the current version of iOS (11.3), as well as the iOS 11.4 beta.
CNET offers advice on how affected iOS users can recover their systems, while they wait for a proper patch from Apple. In short, your phone is not destroyed.
In February, Apple fixed a similar ‘killer text bomb’ vulnerability after pranksters started sending boobytrapped messages containing a Unicode symbol representing a letter from the South Indian language of Telugu.
The fact that a similar ‘text bomb’, known as the “chaiOS bug”, was messing up users’ Macs, iPhones, and iPads in January suggests that this continues to be an ongoing problem for Apple.
I’m confident that Apple will roll out a patch for the “black dot of death” bug soon enough, but I find it hard to have any confidence that this will be the last time they find their devices vulnerable to this type of denial-of-service attack.
And I would like to think this should go without saying, but just in case – please don”t be tempted to try any of these text bomb attack out on anyone else, even as a prank. It’s simply not funny.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all postsDecember 19, 2024
November 14, 2024