A zero-day vulnerability in Apple’s iMessage that bricks an iPhone and survives hard resets was recently brought to light. A specific type of malformed message sent to a victim device leaves the user with no option but to factory-reset it.
The issue was first posted by Google Project Zero researcher Natalie Silvanovich on the project’s issue page on April 19, 2019. Under the usual 90-day disclosure deadline, the bug was held from public view until either 90 days had elapsed or a patch had been made broadly available to the public. On 4th July, Silvanovich revealed that the issue was fixed in the Apple iOS 12.3 update, thus making it public.
Labelled as CVE-2019-8573 and CVE-2019-8664, this vulnerability causes a Mac to crash and respawn. Silvanovich says that on an iPhone, this code is in Springboard and “receiving this message will cause Springboard to crash and respawn repeatedly, causing the UI not to be displayed and the phone to stop responding to input. The only way I could find to fix the phone is to reboot into recovery mode and do a restore. This causes the data on the device to be lost”.
According to Forbes, “The message contains a property with a key value that is not a string, despite one being expected. Calling a method titled IMBalloonPluginDataSource _summaryText, the method assumes the key in question is a string but does not verify it is the case”.
The subsequent call to IMBalloonPluginDataSource replaceHandlewithContactNameInString calls im_handleIdentifiers on the supposed string, which in turn results in a thrown exception.
For testing purposes, Silvanovich, in her patch update, has shared three ways that she found to unbrick the device:
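The failure mode described above, as an added Python sketch (not Apple's or Project Zero's code): a renderer that assumes a message property is a string, a supervisor that respawns it against the same stored message, and a hardened variant that checks the type and quarantines the bad message. All names and the sample store are constructed for illustration, and the persistent store that is re-read on every start is an assumption of the model.

```python
# Added illustration: a toy model, not Apple's code. All names are hypothetical.
class MalformedMessage(Exception):
    """A message property has an unexpected type."""

def summary_unchecked(msg):
    # The flaw as described: assumes the property is a string, never verifies it.
    return msg["summary_key"].replace("{handle}", msg["sender"])

def summary_checked(msg):
    # Verify the type of every untrusted field before calling string methods on it.
    key, sender = msg.get("summary_key"), msg.get("sender")
    if not isinstance(key, str) or not isinstance(sender, str):
        raise MalformedMessage(f"expected str, got {type(key).__name__}/{type(sender).__name__}")
    return key.replace("{handle}", sender)

def run_ui(store, render, max_respawns=5):
    """UI process that re-reads the persistent store on every start (assumption).
    Returns (summaries, respawns); summaries is None if it never came up."""
    for respawns in range(max_respawns):
        try:
            return [render(m) for m in store], respawns
        except Exception:
            continue  # crash; the supervisor respawns us against the same store
    return None, max_respawns

def run_ui_hardened(store):
    """Validate each message on its own and quarantine failures, so one bad
    message can neither take down the UI nor be re-processed after a restart."""
    shown, quarantined = [], []
    for m in list(store):
        try:
            shown.append(summary_checked(m))
        except MalformedMessage:
            store.remove(m)
            quarantined.append(m)
    return shown, quarantined

# Constructed sample store: the second message carries a non-string property.
SAMPLE_STORE = [
    {"sender": "alice@example.com", "summary_key": "Message from {handle}"},
    {"sender": "bob@example.com", "summary_key": 12345},
]

if __name__ == "__main__":
    store = list(SAMPLE_STORE)
    print(run_ui(store, summary_unchecked))   # crash loop
    print(run_ui_hardened(store))             # bad message quarantined
    print(run_ui(store, summary_unchecked))   # store is clean again
```

Passing `summary_checked` to `run_ui` still loops, because a type check that raises at process level is just another crash; the loop only ends when the failure is contained per message and the message is taken out of the store.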
- wipe the device with ‘Find my iPhone’
- put the device in recovery mode and update via iTunes (note that this will force an update to the latest version)
- remove the SIM card, go out of Wi-Fi range, and wipe the device in the menu
Google Project Zero has also released instructions to reproduce the issue:
- install frida (pip3 install frida)
- open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
- in the local directory, run: python3 sendMessage.py
Users should make sure their iPhone is up to date with the latest iOS 12.3 update.
Read more about the vulnerability on Google Project Zero’s issue page.