Cybercriminals could leverage the vulnerability for ransomware operations

Apr 14, 2014 16:59 GMT

Romanian security researcher Bogdan Alecu has identified a flaw in how iOS handles Flash SMS (Class 0) messages that can be exploited to make the SpringBoard lock screen unresponsive. The researcher has also described an attack scenario in which cybercriminals could leverage the bug.

The researcher has reproduced the bug on various devices running iOS versions prior to 7.1.

Alecu told Softpedia that he believes the issue is most likely related to how the layers created by Flash SMS messages are handled.

A Flash SMS is displayed immediately rather than stored in the inbox, and on iOS it covers the entire screen. If that message is not dismissed and the device enters sleep mode, a second Flash SMS received while the device is asleep leaves the lock screen unresponsive when the user tries to unlock it.

The only ways to recover are to reboot the device or to call the phone from another device; once the call has ended, the lock screen becomes responsive again.

While this might not seem like a big deal, the bug could be leveraged by cybercriminals in a clever way.

“The attack scenario is indeed a little bit complicated, due to the 2-step attack: first send a message while the phone is awake, then send another one while it is in sleep mode,” Alecu told Softpedia.

“However, one way to attack would be in order to get some financial benefits, just like with ransomware, by asking for money in the body of the class 0 message,” he added.

“Since this type of message does not display the sender number, it makes it even easier to hide your identity, so the attacker could for example send a flash message text saying ‘Call 0900 (premium rate) number if you want your device to be unlocked!’”
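On the wire, the only thing that makes a message a "Flash" SMS is the TP-DCS (data coding scheme) octet in the SMS-SUBMIT PDU: 0x10 marks it as Class 0, while a normal text uses 0x00. How the handset then renders it (full-screen overlay, no stored copy, no sender shown, as described above) is handset behaviour that the code cannot reproduce. The following Python is an added illustration for this article, not the researcher's code, that builds a single-part GSM 7-bit SMS-SUBMIT PDU in both variants and reads the class back out of a PDU. It assumes an ASCII-compatible subset of the GSM default alphabet, an international destination number (type-of-address 0x91), no validity period, and a constructed placeholder number; nothing is sent.

```python
"""Build and inspect GSM SMS-SUBMIT PDUs to show how a Flash (Class 0) message
differs from a normal one: only the TP-DCS octet changes (0x10 vs 0x00).

Added illustration for this article, not the researcher's code. Assumptions:
- the text uses only characters whose GSM 03.38 default-alphabet code equals
  their ASCII code (letters, digits, space, common punctuation);
- the destination is an international number (type-of-address 0x91);
- no validity period is requested (TP-VPF = 00).
"""

# Characters that map 1:1 between ASCII and the GSM 03.38 default alphabet.
# (Assumption: this subset is enough; '@', '$', '_' and others differ.)
_GSM_ASCII_SAFE = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    " !\"#%&'()*+,-./:;<=>?"
)

DCS_GSM7_NORMAL = 0x00   # default alphabet, no class: stored in the inbox
DCS_GSM7_CLASS0 = 0x10   # default alphabet, class 0: "flash", shown at once


def gsm7_pack(text: str) -> bytes:
    """Pack 7-bit septets into octets, LSB first (3GPP TS 23.038)."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        if ch not in _GSM_ASCII_SAFE:
            raise ValueError(f"{ch!r} is not in the ASCII-compatible GSM subset")
        acc |= (ord(ch) & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def encode_address(number: str) -> bytes:
    """TP-DA: digit count, type-of-address, then nibble-swapped BCD digits."""
    digits = number.lstrip("+")
    if not digits.isdigit():
        raise ValueError("destination must be decimal digits")
    padded = digits + "F" if len(digits) % 2 else digits
    swapped = "".join(padded[i + 1] + padded[i] for i in range(0, len(padded), 2))
    return bytes([len(digits), 0x91]) + bytes.fromhex(swapped)


def build_submit_pdu(dest: str, text: str, flash: bool) -> str:
    """Return the hex SMS-SUBMIT PDU a modem would accept in PDU mode (AT+CMGS)."""
    if len(text) > 160:
        raise ValueError("a single-part GSM 7-bit message holds at most 160 septets")
    tpdu = bytearray()
    tpdu.append(0x01)                                            # SMS-SUBMIT, no VP
    tpdu.append(0x00)                                            # TP-MR (modem fills in)
    tpdu += encode_address(dest)                                 # TP-DA
    tpdu.append(0x00)                                            # TP-PID, default
    tpdu.append(DCS_GSM7_CLASS0 if flash else DCS_GSM7_NORMAL)   # TP-DCS
    tpdu.append(len(text))                                       # TP-UDL, in septets
    tpdu += gsm7_pack(text)                                      # TP-UD
    smsc = bytes([0x00])  # SMSC length 0: use the centre number stored on the SIM
    return (smsc + tpdu).hex().upper()


def message_class(dcs: int):
    """Return the message class (0-3) carried by a TP-DCS octet, or None."""
    if dcs & 0xC0 == 0x00 and dcs & 0x10:   # general coding group, class bit set
        return dcs & 0x03
    if dcs & 0xF0 == 0xF0:                  # "data coding / message class" group
        return dcs & 0x03
    return None


def pdu_message_class(pdu_hex: str):
    """Walk an SMS-SUBMIT PDU as far as TP-DCS and classify the message."""
    b = bytes.fromhex(pdu_hex)
    i = 1 + b[0]                  # skip the SMSC information
    i += 2                        # first octet, TP-MR
    ndigits = b[i]
    i += 2 + (ndigits + 1) // 2   # length, type-of-address, BCD digits
    i += 1                        # TP-PID
    return message_class(b[i])


if __name__ == "__main__":
    # Constructed placeholder number and text; nothing is transmitted.
    for flash in (False, True):
        pdu = build_submit_pdu("+15550100", "hellohello", flash)
        print("flash" if flash else "normal", pdu, "class:", pdu_message_class(pdu))
```

The two PDUs printed differ in exactly one octet, which is why a modem-side or gateway-side filter that wants to treat Class 0 traffic differently only needs to look at TP-DCS; `pdu_message_class` shows the minimal parse needed to reach it.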

The vulnerability was reported to Apple on January 6, 2014, and was fixed on March 10, 2014, with the release of iOS 7.1. However, the researcher points out that many users have probably not yet updated their devices, so they remain exposed.

According to Apple, the bug affected iPhone 4 and later, iPod touch (5th generation) and later, and iPad 2 and later. The vulnerability (CVE-2014-1286) was addressed “through improved state management.” Apple has credited Alecu in the iOS 7.1 security release notes.

The expert has presented his findings today at Sparks, an infosec conference hosted as part of TechHub Bucharest.

This isn’t the first flaw of this kind identified by Alecu. Back in November 2013, he presented a similar Flash SMS bug affecting Google Nexus devices. At the time, the vulnerability could have been exploited to force devices to reboot.

For a proof-of-concept, check out the video published by the researcher: