The bug that causes iPhones to crash when they receive a boobytrapped text message also affects the Apple Watch, iPads and Macs.
The crash is caused by a bug within a core system common to all of Apple’s devices that handles text. When presented with non-Latin characters in a specific sequence – including those from Arabic, Chinese and Marathi – the CoreText system chokes, causing it to fail and bring the entire operating system to a halt.
Apple told the Guardian that it is aware of the bug and will issue a software update to fix it. How long that update will take is unknown: 24 hours after the bug was revealed, it has not been fixed.
The bug, which was originally identified causing crashes on iPhones, has now been shown to also affect the Apple Watch, causing it to crash when attempting to reply to the offending message via voice using Siri.
The text message has also caused iPads to crash, and reportedly can affect Mac laptops and desktops too.
“As the issue also affects OS X applications, a malicious party could set the triggering text as a server message of the day or welcome message, causing a user’s terminal to crash when authenticating to network services,” Mathew Hickey, principal security consultant at MDSec told Forbes.
While most people are using the message as a prank to crash friends’ iPhones, experts have not ruled out that the text string could be used for more malicious attacks, with potentially damaging consequences.
“Programming errors in Unicode decoding and rendering will produce more errors like this, some of which may be exploitable to access elevated privilege levels on devices,” said Ken Simpson chief executive of spam filtering and email security company MailChannels. “Such a vulnerability/exploit is not yet in the wild, but if developed this would represent an immediate and severe threat to all iOS device users worldwide.”
Those wishing to protect themselves from these attacks can turn off the notification system on iOS devices and stop SMS or iMessages being delivered to the Apple Watch.
Mac users are less likely to affected by the bug – sending the string via iMessages did not trigger a crash in the Guardian’s testing – but those using the Terminal app to access resources across the internet should be aware that it could be affected if exposed to the text string.