Apple iPhone users escape bug that would have forced them to factory reset their phone

Apple iPhone users escape bug that would have forced them to factory reset their phone
Apple iPhone users didn't know it until a fix was disseminated, but a bug could have forced them to perform a factory reset had they received a particular malformed message. This was revealed by Google Project Zero (via Apple Insider), the company's security team that discovers bugs and vulnerabilities. The reason that no one heard about the bug until now is that under Project Zero, a bug is not disclosed until 90 days has expired, or a fix has been sent. In this case, Apple sent out a fix for this bug in the iOS 12.3 update. This was pushed out on May 13th and included Apple News+, AirPlay2, and a redesigned TV app.

The problem with the malformed message is that the phone is expecting a key value with a string of code, but doesn't check to make sure it is included. Because the code is not included, on the iPhone the message loads, crashes and reloads. This cycle repeats until the phone stops displaying the user interface and doesn't recognize inputs. A hard reset doesn't fix things and the phone is rendered unusable once it is unlocked. One user found that there are three ways to unbrick an affected iPhone:

  1. Wipe the device with 'Find my iPhone.'
  2. Put the device in recovery mode and update via iTunes (note that this will force an update to the latest version).
  3. Remove the SIM card and go out of Wifi range and wipe the device in the menu.
Last year, a similar issue occurred when users received an iMessage containing a black dot and tapped on it. The black dot contained thousands of strings of Unicode that bogged down the iPhone's processor causing the phone to crash. The black dot also affected Android users who received the same message on WhatsApp. Also last year, Apple had to send out an iOS update to fix a bug that caused iPhones around the world to reboot. This would occur when an iPhone user received a message containing a character from the Indian Telugu language sent over iMessage or placed in a text field.

In 2015, the "Effective Power bug" caused iPhones to crash when a specific iMessage was received. When rebooted, the Messages app would fail to work. The malicious part of the iMessage was a string of Arabic characters that could not be separated correctly in iOS. When an incoming message notification was received, the Arabic characters were too long to fit in the notification thus causing the handset to crash.

Always make sure that your iPhone is running the latest version of iOS



Even though Apple has fixed the current issue, something similar seems to pop up every so often. So make sure that your iPhone is always running the latest version of iOS and that you back up your data often. This way, if you're forced to factory reset your iPhone, all of your apps and data can be quickly loaded on the phone

FEATURED VIDEO

32 Comments

1. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

One of the Apple haters was trying to tell me how marginally important are updates to a phone that works and Android phones are cheaper. Imagine if I would have gotten galaxies s7 instead of iPhones 6s for my company: with this bug, they would have been useless and I would have had to buy new phones; with 6s, there’s not a single penny I have to invest to make sure I’m ok.

3. afrohoxha

Posts: 243; Member since: Mar 13, 2014

Most of the apps on Android are updated through Google play services, and they're not tightly coupled with something similar to Springboard like in iOS. Also you have security updates which would have covered this issue. So not a single penny to invest either

6. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

S7 no longer receives any kind of update, which means any kind of vulnerability - new and old - is exploitable. In iOS the springboard is kind of like the framework of Android; this vulnerability does not relate to Android framework, but others do.

8. Back_from_beyond

Posts: 1380; Member since: Sep 04, 2015

Funny fact though, these kinds of vulnerabilities seem to happen an awful lot on iOS. It's not exactly the first or second time a string of characters has this kind of crippling effect on iOS. Be sure to thank Google for catching this for Apple.

12. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

This vulnerabilities happen, period (I remember earlier this year when Android could have been hacked with a simple png file...) Thank you, Google - I always give credit when it's due.

23. ssallen

Posts: 177; Member since: Oct 06, 2017

Cite? I think you are GREATLY over exaggerating the impact of any png file bug. The fact remains is Android has yet to have a bug where by simple text messaging you can bootloop a phone and require a factory reset. Apple now has had THREE in the last couple years.

15. SPASE

Posts: 261; Member since: May 03, 2013

S7 received june security patch,,,, you were saying?

18. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

I’m saying that, if Samsung will push security updates to S7 duo when “an urgent security issue needs to Ben addressed” (meaning “when we get to it”), there is still the problem of g5, mate 9, Xperia z5 etc.

5. tedkord

Posts: 17318; Member since: Jun 17, 2009

With the S7, you wouldn't have had this bug. Software stability is just one reason why the smartphone with the highest customer satisfaction rating is the Note 9.

11. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

I sure wouldn't.../s Customer satisfaction means nothing; the only thing that matters - when it comes to security - is the cve where Android is all time 3rd (with more than 800 lvl 9 critical vulnerabilities) while iOS is 8th (with a little under 300).

17. oldskool50

Posts: 1372; Member since: Mar 29, 2019

Funny how customer satisfaction matters when Apple had the highest rating. Leo_MC why do you all flip flop like Donald Trump? How come things only matter to you, only if and when you are ahead? A computer is only as secure as the person using it. Even though Windows had high pro lems with it, I rarely even had any issues with even the worse versions like ME or Vista. According to recent data, iOS is more vulnerable than recent versions of Android, because as we told you, the reason iOS and OSX were less attacked was because of having little marketshare. IOS is now very popular and thus will also be getting attacked more. But most attacks that could happen, almost never do to begin with. Just because someone can do something, it doesn't mean they will. If someone really wants some info you have, they have ways of getting it. You phone is the least of your worries.

19. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

Are you talking to me, troll? When have I said that I give a crap on the customer satisfaction? When it comes to security, the only ones I listen to are the experts, I couldn’t care less if people are satisfied with their pink phones or not. “ A computer is only as secure as the person using it.” Reeeheheheally? So you also think that Apple was not to blame for the iCloud hacks, but the users; good to know. “According to recent data” (2018 - the report for the entire year) Android is still 3rd, with 100 lvl 9 critical vulnerabilities (out of 600+ total) while iOS has 15 (out of 125). I don’t about you, but I think having 6 times more vulnerabilities means it’s easier for a hacker to access the data.

27. Back_from_beyond

Posts: 1380; Member since: Sep 04, 2015

And so far this year, iOS is in the lead with 255 vs 72 for Android. Your biggest problem is how your misrepresent this data. You only look at the surface, because details clearly don't matter.

28. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

I make my calculations at the end of the year; there are still 5 mo to go. This year iOS has 155 vulnerabilities reported (can you point me to where you got 255?): critical - 15 >= lvl 9; 29 >= lvl 7. Android has 72 total: critical - 29 >= lvl 9; 53 >= lvl 7. I don't know about you, but I have more problems with a vulnerability allowing someone to execute code on my device (18 in Android, 1 in iOS) or bypass something (8 in A - the gravest is the bypass of master password reset protection - you have to be a programmer to understand it's gravity, if you're not, all you need to know is that it's a bad, bad, bad vulnerability; 0 - zero - in iOS) than with overflow (1 in A, 71 in iOS) or memory corruption (7 in A, 72 in iOS) - which are problems with writing data in memory (the worse thing that happened was the crashing of some apps).

7. lyndon420

Posts: 6745; Member since: Jul 11, 2012

It was nice of Google to point out this iphone bug to apple. ;)

13. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

It sure was; it's a good thing that these companies work together to create better devices for us (only some dumb assess in the commentaries of a small site think otherwise).

21. mootu

Posts: 1503; Member since: Mar 16, 2017

They don't work together. Google Project Zero monitors all OS's for vulnerabilities, if one is found Google informs them that they have 90 days before the exploit is made public. Like it or not Google are going to release that info, doesn't matter if the exploit is fixed or not. It's the security industry's way of forcing companys to fix their problems.

22. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

Like it or not, Google works with Apple just like Apple works with Microsoft and Microsoft works with Google; there's nothing wrong with that.

24. ssallen

Posts: 177; Member since: Oct 06, 2017

But Apple doesn't. Apple only releases bug fixes as PR ploys. Its their sole marketing strategy. The world didn't even hear about this bug until well after it was fixed.

29. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

You must be a developer too and you must know for sure that Apple doesn't work with developers; can you tell us how Apple refused to work with you in order to fix a bug?

16. oldskool50

Posts: 1372; Member since: Mar 29, 2019

But this bug affects iOS, not Android. So if you had an Android like an S7, it wouldn't have been a problem to begin with. Also let me remind you of this fact. When you consider iOS has more updates for bug fixes vs Android, I think that means iOS has a problem. And please remember another fact. Even after fixing "a" bug, software will always have bugs. Just because you might have been protected against this bug, doesn't mean you will be on the next one. IOS is the most buggy mobile OS if all times. IOS 9 required, more than 16 updates and it was still broken. While Android has not needed as many updates and is ahead of iOS in everything that matters. You need to stop acting like iOS is perfect, because it is not. Software by default is inherently buggy. It's like a bug in real life bruh. Just because you kill one, that doesn't take out the millions of others. You need to stop with the pompous attitude thinking you are immune to anything related to computing. You guys are so arrogant, and then you don't even think. In fact let me remind you of this fact. Recent versions of iOS, like 7, and 9 as examples, were more buggier than more recent versions of Windows. Look it up. When you have more bugs than the king if bugs, then we see who has the real problems. Even Android at it's worse wasn't worse than Windows.

20. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

“This” bug affects WhatsApp on Android too. Nop, it just means Apple is better at finding and fixing bugs. Yes, but it would have less bugs. No, but there are less bugs that in have to worry about. Nop, according to the statistics, Android is 1.3 more buggy than iOS (2.6 more buggy when it comes to critical bugs). Yes, it did/does (that’s why some oems introduced monthly updates) and no, it isn’t ahead. I never said that; I admit flaws and I want fixes while you - in your upside down troll world - don’t even acknowledge then. Right, and A. has 1.3 more bugs. Me? You have me mistaken. I am arrogant with every dumb ass troll. The mobile OSes are constantly more flawed than Windows. The king of bugs in mobile is... Android. Yes it was (and still is).

25. ssallen

Posts: 177; Member since: Oct 06, 2017

You really don't understand much at all about software. Apple isn't better at finding and fixing bugs, their OS is heavily obfuscated unlike Android which is based upon Linux. Apple is every bit as buggy its just a lot more difficult for outsiders to see the holes. A hose with a million hard to see leaks is just as leaky as one with obvious ones. Your feeble attempt at statistics just shows you don't understand that not all bugs are equal. Again, Android has never had a bug which by merely TEXTING you can brick a phone. Apple has had multiple attempts and multiple years to get this s**t straight and have failed to do so. You really think THAT is more secure and better engineering? Naive. That said, I wouldn't say Android is better either. But recently they are certainly winning the fewest scary bugs competition.

30. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

"Apple is every bit as buggy its just a lot more difficult for outsiders to see the holes." How do you know that iOS has more bugs, if you can't see the holes? It's a feeling you have, you guide your messages by subjective bias, a little bird told you? I'm asking because, if a bug can';t be seen and it doesn't manifest, most likely it means that it... doesn't exist. "Android has never had a bug which by merely TEXTING you can brick a phone" 4y ago, Stagefright also (soft) bricked Android devices; what is different is that the iMessage vulnerability does not allow the running of unauthorized code, while SF allowed remote code execution.

26. ssallen

Posts: 177; Member since: Oct 06, 2017

For phones that haven't been updated in 3 years there aren't many complaints of bricked devices though huh? Based upon this bug you would think any Android out of service contract would be bricked. Because that is EXACTLY what would happen to any old Apple devices impacted by this.

31. Leo_MC

Posts: 7243; Member since: Dec 02, 2011

(old) Android recovery/iOS DFU -> reinstall the OS = you're good to go. I use phones in my company (they have access to the company cloud, address book, emails, sensitive documents etc); I can't allow 3rd party access to that kind of data.

32. matistight

Posts: 982; Member since: May 13, 2009

I bet you use sprint

2. SPASE

Posts: 261; Member since: May 03, 2013

Too late Alan, this is old news... I sent you guys a tip for this story early this week, but no one followed up, cheers mate

4. Mike88

Posts: 332; Member since: Mar 05, 2019

No it's actually the second time they are posting this news, only in a better way this time

9. clarity

Posts: 54; Member since: Jun 19, 2017

Nah, don't run the latest iOS. Just jailbreak your phone. Much more features and you're safe from these bugs too.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.