
Watching a video can crash and freeze any iPhone

When you think of denial-of-service, there’s a good chance you picture the botnet-powered attacks that see attackers bombard websites with so much traffic that they become near-impossible to access.

But denial-of-service describes a much broader range of attacks than that. In its purest form, denial of service means any kind of incident that disrupts usage of a service.

So, if a remote attacker causes your phone to crash and turn itself off, that is a denial-of-service.

The point I’m trying to make is that a video that forces your phone to switch off and requires you to do a hard reset is no laughing matter. Although I’m sure many view such an attack as an amusing prank, it’s also a denial of service and could potentially have serious consequences if a victim needed to use their phone urgently, or if somebody was trying to contact them in an emergency.

It’s against this backdrop that I read with interest a report of how a video published on the popular Russian social network, VKontakte, was freezing iPhones.

As YouTuber EverythingApplePro describes in his own (thankfully safe) YouTube video, minutes after watching a seemingly-innocent video an iPhone becomes unusable.

The only thing you can do is force a hard reset on the phone by simultaneously pressing the “Home” and “Power” buttons for a few seconds.

If you have an iPhone 7 (which doesn’t have a physical Home button) then you’ll have to press the Power and Volume Down buttons instead.

EverythingApplePro’s video describing the freaky behaviour has been watched over two million times in the last few days, and (predictably) hundreds of thousands of people have clicked on the link to the video that triggers the denial-of-service.

The good news is that the attack does not appear to be permanently harmful. There is clearly something odd about the video’s codec that is causing a bug in iOS’s code to rear its head, and the phone to crash. But that doesn’t mean that the same technique could necessarily be easily used to spread malware, for instance.

And it’s not as though iOS is a complete stranger to denial-of-service attacks; there have been comparable incidents in the past.

For instance, last year we described on Hot for Security how a researcher had discovered a way to crash another user’s WhatsApp by sending them a single message containing an “emoji bomb”.

Also in 2015, at the RSA Conference, security researchers revealed how malicious hackers could crash any iOS device within range of a Wi-Fi hotspot.

Meanwhile, bug hunters found it was possible to force iPhones to restart just by sending them a carefully-crafted Flash SMS message.

Software is written by programmers. Programmers are (mostly) human, and so they make mistakes. All software of any complexity has bugs, and we’re probably asking too much if we expect a completely bug-free smartphone operating system.

What’s important is that when bugs are found, particularly if they are serious, they get investigated and fixed in a prompt fashion.

My hope is that soon Apple will release a version of iOS which fixes this particular bug and means that mischief-makers will have to try a little harder to pull pranks on their friends.

And maybe that will also mean that we’re all a little bit safer from suffering a denial-of-service attack on our phones.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments


  • Yes, it is true that programmers are human and subject to error. However, we tend to have several problems creating bug-free and secure software that go beyond the "to err is human, but to REALLY screw up, you need to use a computer" paradigm. First, in an ideal world, the correctness of any program should not be reliant on any one single programmer. Especially in organizations like Apple, many people should be checking and validating all code written, with the aim of finding the inevitable flaws in it then correcting it, and doing it in an iterative loop until there aren't any perceptible bugs left. Unfortunately, nobody ever seems to want to take the time required to do this. Second, any dweeb who claims to be a programmer can be hired as one by any company, and never have a clue about how to write secure code. The results speak for themselves. Finally, it occurs too often that the management of companies takes the attitude that "we've got to get the product out NOW!", or in other words, don't worry if it's buggy, we'll fix it later. Since we live in a world in which everything runs on software, in light of the above, there is no question in my mind that we are ultimately doomed to have our "civilization" come crashing down around our ears in the not too distant future unless we wake up and start learning how to create reliable, safe and bug-free software. Frankly, I'm not holding my breath.

  • It really does amaze me the amount of stories that you hear about Apple's security issues. For one of the biggest companies in the world not to get such a fundamentally important area correct is baffling. I really don't understand it. I had an iPhone and I loved it, I worked on a Mac and I loved it. Both got hacked and I lost everything. I have been with a different supplier for the last 5 or 6 years now and I have had nothing close to a security issue.