Some Cydia Developers Targeted With iMessage Denial Of Service Attack

Over the last few days, we’ve noticed that some prominent iOS hackers and Cydia developers have been targeted with what appears to be a denial of service attack.

The attacker or attackers seem to be using the OS X Messages app to send a large number of messages in quick succession to the targets’ iMessage handles, which in some cases locks up the Messages app.

The Next Web, which got a chance to discuss the issue with the hackers, reports:

The messages, likely transmitted via the OS X Messages app using a simple AppleScript, rapidly fill up the Messages app on iOS or the Mac with text, forcing a user to constantly clear both notifications and messages.

In some instances, the messages can be so large that they completely lock up the Messages app on iOS, constituting a ‘denial of service’ (DoS) attack of sorts, even though in this case they appear to be a prank.

Grant Paul, aka chpwn, developer of popular jailbreak tweaks such as Zephyr, explains that the attacker can crash a recipient’s Messages app by sending a complex text message using Unicode characters that force a browser to render ‘Zalgo’ text, or simply by using a message that is enormous in size.

Here’s a screenshot of the Messages app:

[Screenshot: imessage_attack]

Since it is not possible to block a sender in the Messages app, the only option users currently have is to temporarily remove the iMessage handle in Settings, or to disable iMessage completely if the attackers have the phone number.

Here’s a screenshot of a small section of a large Unicode text block that could crash the Messages app:

[Screenshot: imessage_crash]

The exact motive of the attack is not yet clear, but the report notes that it seems to originate from a handle with a Twitter account that is involved in selling UDIDs and provisioning profiles and in piracy of App Store apps.

As of now the only solution is to wait for Apple to put systems in place to ensure that a user cannot cause a denial of service attack by sending a large volume of messages. The incident also highlights the need to add a blacklist feature to the Messages app so one can block such attacks from a casual spammer or prankster.

The issue doesn’t seem to be widespread, but let’s hope Apple takes steps to prevent such attacks with a better spam detection system before it gets out of hand.
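As an added illustration (not code from Apple, The Next Web or anyone quoted here), the Python sketch below shows the kind of receive-side check the article is asking for: it throttles a sender who floods a handle, and drops messages that are oversized or that stack many combining marks on one character, which is how ‘Zalgo’ text is built. The IntakeFilter name, the thresholds and the sample senders are assumptions made for the example.

```python
import unicodedata
from collections import defaultdict, deque

# All limits below are assumed values for illustration, not Apple's.
MAX_BYTES = 16_384       # largest message body accepted, in UTF-8 bytes
MAX_MARK_RUN = 4         # combining marks tolerated on one base character
MAX_PER_WINDOW = 20      # messages accepted per sender per window
WINDOW_SECONDS = 10.0

def longest_mark_run(text):
    """Length of the longest run of consecutive combining marks (Mn/Mc/Me)."""
    longest = run = 0
    for ch in text:
        if unicodedata.category(ch).startswith("M"):
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest

class IntakeFilter:
    """Returns 'deliver', 'throttle', 'drop_oversize' or 'drop_zalgo'."""
    def __init__(self):
        self._recent = defaultdict(deque)  # sender -> accepted timestamps

    def check(self, sender, text, now):
        stamps = self._recent[sender]
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()               # forget sends older than the window
        if len(stamps) >= MAX_PER_WINDOW:
            return "throttle"              # not recorded, so memory stays bounded
        stamps.append(now)
        if len(text.encode("utf-8")) > MAX_BYTES:
            return "drop_oversize"
        if longest_mark_run(text) > MAX_MARK_RUN:
            return "drop_zalgo"
        return "deliver"

def demo():
    f = IntakeFilter()
    stacked = "h" + "\u0301" * 40 + "i"    # constructed sample: 40 marks on one letter
    results = [
        f.check("friend@example.com", "caf\u00e9 at 5? na\u0303o", 0.0),
        f.check("friend@example.com", stacked, 1.0),
        f.check("friend@example.com", "A" * 100_000, 2.0),
    ]
    # Constructed flood: 25 short messages from one sender in 2.5 seconds.
    flood = [f.check("flood@example.com", "hi", 100.0 + i * 0.1) for i in range(25)]
    return results, flood
```

A cap of four marks leaves room for scripts that legitimately stack a few diacritics; a per-sender limit alone does not stop someone who keeps changing handles, so the content checks run on every message regardless of sender.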

Update:

Twitter user DJBANDR tells us that even he was targeted:

Via: The Next Web

  • Anon

    It’s a simple SMS bomb. Easy to make, and is probably a skid from Hackforums. I’m like 90% sure it’s a skid from Hackforums. We have those all over the Hackers section of the site. Many skids download them and use them. Yes, I’ve had some fun with one before to spam an ex girlfriend. I sent her the “nuke” which is 1,000,000 messages. :) She got her number changed the next day. Shame.

    • Damian W

      you are scary dude :P

    • bcsc

      Hello Damani. Nice to see you got the message and started using a bit of privacy. Still, not enough though.

      • Anon

        Who is Damani? kidding. Send me an email on the things I missed. :X

        • bcsc

          You didn’t miss a whole lot, just enough for me to pick Anon out from a crowd. At least you’ve started spelling iOS correctly. It was fun wasn’t it. I’ll quit now

          • Anon

            iOS ;) haha

  • Carpedro

    Couldn’t they use the jailbreak app Iblacklist to block the iMessage number?

    • Anon

      Yep, or bitesms, or Handscent sms. Many ways to block these numbers.

      • Damian W

        you could use these but let’s say you don’t have them at the given moment when you need it.

        • Anon

          Well, he could simply jailbreak the device, and then use iBlacklist. But, if he’s on 6.1.3 there is no hope. Link with Google Voice and block the number might be possible. Not sure if it works on any other provider other than Sprint. If neither of those are possible. Might as well change your number.

          • Damian W

            first off, iBlacklist is an expensive app, second, it is just better and simpler if Apple implements these functions natively. In this case no need to jailbreak. Jailbreaking becomes harder to get every year.

          • Anon

            I was suggesting a temp solution. Also bitesms and handscent are free if you can’t afford iBlacklist.

          • Damian W

            Yeah I know :). I am just always hoping that Apple is gonna step up the game as they do with OS X.

          • Anon

            Yeah hopefully. That would be a great feature to have.

    • Timothée Teneur

      It does clear the notification instantly for any message or incoming call but everything is saved and accessible, so I guess iBlacklist isn’t a solution as the phone will keep crashing.

    • iPhoneHacks

      It should help block pranksters and casual spammers but not someone who has malicious intent as they could keep changing their email id.

      • Anon

        Couldn’t you use the feature to block SMS from everyone not in your contact list? at least for the time being?

  • Damian W

    finally Apple has a reason to put a blacklist option. You had to create a service attack to convince them. LOL

  • Glenn Hunt II

    My son sent me an iMessage about 4 months ago with every Unicode character possible… He thought it would be cute! Let me tell you, it does lock up and it took me about 10 minutes to get everything working again. Not only did the message app freeze, but the rest of the OS was unresponsive. Let’s just say he knows not to send them to me again!

    • Kevin Johansson

      Instead of shouting at him (if that was the case), next time report stuff like this.

      This way someone can do something about it or use it as a possible exploit.

      • Glenn Hunt II

        Shouting definitely not the case. More like that look that a father gives his son. But I must admit that he was dedicated to get every character on that message.