Frame from the film “The Matrix” (1999)
Against the background of the capabilities of modern smartphones, it is easy to forget that mobile communication is a very old technology. The concept of short text messages alone was developed more than 30 years ago. If people were designing SMS in 2018, they probably would not limit one message to 160 characters (in 7-bit encoding).
Communication inherits not only the constraints laid down at its creation. Many errors, hidden and obvious, have waited in the wings for years, going back to the distant mobile past. Over time, new hardware and software flaws are added to them. A modern smartphone is a kind of “Frankenstein’s monster in silicon”, whose components are created by third-party companies whose code Apple and Google do not fully control.
In such conditions it is not surprising that one of the main drawbacks of modern communications (as well as of mobile applications and hardware) is the presence of simple vulnerabilities that let various devices be disabled. A few characters are enough to literally black out the screen of the most modern gadget costing more than $1000. Year after year the same kinds of vulnerabilities are exploited again and again. Today we will take a closer look at how this happens.
SMS of death
Hackers, researchers and simply curious developers are increasingly moving from plain social engineering to rarer attacks that do not require complex interaction with the user. Many people are already wary of links received from unknown contacts. But most still trust simple text messages received as SMS or via an instant messenger.
The absence of a link to a malicious website does not mean that an error cannot be triggered some other way. To work correctly, mobile applications must understand and correctly display thousands of characters from hundreds of languages. And what if these are rare languages with unusual writing? An ideal field for vulnerabilities to appear.
An error related to rendering Unicode characters of the Indian language Telugu became very widely known. The problem arose on some versions of iOS in applications that use the default San Francisco font. Having received just a few characters, జ్ఞా, the user lost control over many applications in iOS, including Mail and Facebook. If one of the Telugu characters appeared in a pop-up notification, SpringBoard, the application responsible for the iOS home screen, froze.
The character-substitution error that brings down the system lies in the peculiarities of Telugu, Bengali and some other languages. Their characters are built sequentially from letter elements, glyphs, and an arrangement of characters not typical for the language can occur. Converting connecting suffixes into consonants leads to a failure: when the second consonant of a Telugu syllable is joined to the first consonant without significantly changing the shape of the word, the glyphs are incompatible, and an error occurs that the device cannot handle.
Another text message, للصبللصبرر ॣ ॣ h ॣ ॣ 冗, also causes the iPhone to crash. Some of these errors are associated with the feature that shortens long messages on the screen. If you place certain characters in the middle of a text message written in a non-Latin language, including Arabic and Chinese, you can cause a system crash and a reboot of the phone.
In these cases the culprit was not Unicode as such, but Core Text, the system Apple uses to display characters on the phone screen based on the tags found in Unicode. Core Text generates glyphs and positions them relative to each other. The rules for overlaying glyphs on one another are clearly described in the TrueType and OpenType formats.
In the event of such an error, Core Text “thinks” that Unicode is “asking” it to do what it literally cannot: display a nonexistent character and create an infinite number of graphemes. When Core Text tries to do what it believes the instruction means, the process quickly begins to consume all the free RAM. The iPhone “sees” that too much memory is being used and kills the “guilty” process, SpringBoard, the desktop of the phone.
Legacy of the past
Vulnerabilities have existed for as long as text messages have existed in the mobile network. Some ways of handling symbols were laid down from the outset as a “feature”, to give access to extended data on the network or phone using special codes. For example, on Android today the code *#*#4636#*#* provides access to a variety of information, including advanced battery readings and data on the Wi-Fi connection.
Perhaps you remember the moment (2002) when Siemens cell phones were “killed” with a simple text message containing characters like “%English” (or another word from the phone’s language menu, together with the quotes and a % character).
When the phone’s interpreter received an SMS message and began to parse its text, it came across a string identical to a service command. The text %English was interpreted by the phone as a command to change the menu language. The phone tried to execute this command but could not, because the processor was busy reading the message text.
Many models from Nokia, Siemens, Motorola and LG were subject to attacks via SMS with special texts. Using certain combinations of Unicode characters, you could remotely switch off or “hang” the phone.
The Nokia 6210, 3310 and 3330 models could be remotely disabled by sending SMS messages with one of the following texts:
0x04 0x05 0x15 0x8A
% RPT
% I :::::. M :::::. G
Motorola C350 and C100 models hung on this text:
0x04 0x05 0x15 0x8A
In addition, the ability to transmit graphics via SMS was actively exploited. Special characters were written into the image code that the phone could not “read”, which led to a system crash:
% Img ………………
………………………
…………………….
The symbols %IMG meant that an image would be displayed on the screen after them. If, instead of characters that the interpreter can later convert into an image, you specify an arbitrary sequence of bytes not normally used to encode images, then in most cases this will cause the phone to hang.
The biggest vulnerabilities
All devices running Android version were vulnerable to a system crash and to unlocking without entering a password on the lock screen. For this it was enough to overload the password entry field with a large number of characters.
Another attack affected 95% of Android devices, about 950 million gadgets in 2015. The bug, dubbed “Stagefright” after the media library, turned out to be one of the biggest security holes in Android version 2.2 and higher.
To steal data or take control of the microphone and camera, it was enough to send a multimedia message in the form of an MMS with malware. The user could not know that the device was compromised: a malicious MMS could be deleted remotely. The vulnerability lay in the C++ code of the Stagefright library, which handled several popular media formats with incorrect memory access.
Two sides of the same vulnerability

Usually we are talking about narrow attacks that affect only one version of an application or only one platform. But there are exceptions. Specifically for the Safari browser on Apple devices, the site crashsafari.com was created, whose URL overloaded the browser with a generated, very long string of characters in the address field and took the whole device down with it. However, Android devices using the Chrome browser also started to work unstably and became very hot.
There was another error that worked simultaneously on iOS and Android. A text message of four characters arranged in a specific sequence led to problems on iOS 10: a white flag emoji, the invisible VS16 symbol (variation selector 16), a zero, and another emoji, a rainbow. The iPhone hung as soon as it received the text, even if the user did not open or read the message.
The VS16 command automatically merges several emoji into one specific emoji that is not in the standard emoji set. After the gadget receives such a message, iMessage tries to combine the two emoji into one, but VS16 also pulls the digit zero into the bundle, which is why the device cannot cope with processing the command and hangs.
It turned out that some Android phones are also subject to this error. However, it could only be triggered in WhatsApp: the device freezes if the malicious message is opened in WhatsApp.
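As an added defensive illustration (not code from this article, from Apple or from WhatsApp), here is a Python heuristic that a messaging backend could run over incoming text to flag malformed combining sequences of the kind discussed in the Core Text section above and in the VS16 emoji case here; the stacking limit and the character-name-based script check are assumptions of this example. It also shows the limit of such filtering: both the Telugu sequence and the flag/VS16/zero/rainbow sequence are well-formed Unicode and pass unflagged, which is why the real fix is the text-engine update.

```python
import unicodedata

# Assumed limit for this example; a real deployment would tune it to its renderer.
MAX_MARKS_PER_BASE = 4
# Mark families that legitimately attach to bases of any script.
SCRIPTLESS_PREFIXES = ("COMBINING", "VARIATION")

def _script(ch):
    """Crude script tag: first word of the character name, e.g. 'TELUGU' or 'LATIN'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def _is_mark(ch):
    """True for combining marks (non-spacing, spacing and enclosing)."""
    return unicodedata.category(ch) in ("Mn", "Mc", "Me")

def find_rendering_risks(text):
    """Return [(index, codepoint, reason)] for combining sequences a renderer may
    mishandle: marks with no visible base, over-long stacks of marks, and
    script-specific marks attached to a base of another script. Heuristic only:
    well-formed sequences that still crash a buggy font engine pass unflagged."""
    findings = []
    base = None  # most recent non-mark character
    run = 0      # marks stacked on that base so far
    for i, ch in enumerate(text):
        if not _is_mark(ch):
            base, run = ch, 0
            continue
        run += 1
        cp = f"U+{ord(ch):04X}"
        if base is None or unicodedata.category(base)[0] in ("Z", "C"):
            findings.append((i, cp, "combining mark with no visible base"))
        elif run > MAX_MARKS_PER_BASE:
            findings.append((i, cp, "too many marks stacked on one base"))
        elif (not _script(ch).startswith(SCRIPTLESS_PREFIXES)
              and _script(ch) != _script(base)):
            findings.append((i, cp, f"{_script(ch)} mark on {_script(base)} base"))
    return findings

if __name__ == "__main__":
    # Constructed samples: the two sequences from this page plus three malformed ones.
    samples = {
        "telugu (valid, passes)": "\u0c1c\u0c4d\u0c1e\u0c3e",            # జ్ఞా
        "flag VS16 0 rainbow (valid, passes)": "\U0001F3F3\ufe0f0\U0001F308",
        "orphan mark": " \u0963",                                        # mark after a space
        "script mismatch": "h\u0963",                                    # Devanagari mark on Latin h
        "stacked marks": "a" + "\u0301" * 6,                             # Zalgo-style stack
    }
    for label, s in samples.items():
        print(label, find_rendering_risks(s))
```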
It seems that character-handling vulnerabilities remain the most common and longest-lived bugs of all mobile phones. But there is a sure way to protect yourself: do not skip security updates and keep track of whether the installed OS version is current.