The recent “Unicode of Death” has taken over websites, news outlets, and newsfeeds this past week. In a matter of hours, the Apple bug was sent to hundreds of thousands of people, effectively disabling their iPhones, Macs, and iWatches for a short period of time. We began actively monitoring the attack on the iPhones as news broke the morning of May 27th and within 18 hours saw (and blocked) over a quarter of a million SMS messages in North America alone. 

It was determined that the Apple operating system simply could not process a specific combination of “Unicode” (non-Latin alphabet) characters in a text message, iMessage, or Tweet, and upon receiving the string of characters the device would freeze and reboot. While not particularly damaging to the actual phone, the user did have to rely on various tricks to get their device working again. The list of workarounds was exhaustive: requesting that the sender follow up their original text with a new message; asking Siri to read unread messages and then delete the text; or logging in to your iCloud account on a Mac or iPad and responding to the original message.

Similar to bugs with other catchy names, like the Venom vulnerability, or even the much more serious Heartbleed vulnerability, the Unicode of Death relied on older computer code and assumptions that had been in place for years before being exposed. But as simple as this seems, the effect of the bug was quite significant. In the week after Reddit users revealed the existence of the bug, we determined that hundreds of thousands of people in the United States attempted to send over 2.5 million iPhone SMS messages containing the Unicode of Death characters. In a country of 318 million people, the mass attraction to this cyberattack is what separates it from any other in recent history. Hundreds of thousands of Americans took it upon themselves to “test out” this phenomenon. After one day of monitoring and blocking these messages, we discovered one individual had attempted to send the message nearly 900 times in just 30 minutes. While the majority (92%) of people sent fewer than 10 messages, the average number of messages sent per person was 4.5.

The social nature of these attacks is the key differentiator here. The senders of these messages genuinely believed this to be an amusing prank – not realizing they were participating in possibly one of the biggest cyberattacks in history. A cyberattack is traditionally defined as an offensive manoeuvre that targets computer information systems, infrastructures, computer networks and personal devices by various malicious means, and it has been recorded that cyberattacks are becoming increasingly sophisticated and dangerous. And when you consider that millions of people deliberately tried to crash the technology that their “friends” literally hold closest to themselves, it’s hard not to consider the security implications. If a cyberattack is easy enough to execute, and it’s evident that a sizeable percentage of people will try it (at least as a joke), you have to ask – is there a cyber-attacker in all of us?

As technology progresses, we need to keep in mind the dangers of flaws in older technology and design defences accordingly. This Apple Unicode of Death has once again brought into stark relief two very different, but connected, dynamics – the potential for flaws in older computer technology to affect security, and human behaviour. As we become more and more attached to our devices, the opportunity to exploit this relationship becomes greater. What is it about this type of detrimental activity that makes over a million people want to “try it out”? By continuously monitoring the networks, we can plan for previously unlikely or little-known threats, as next time it may take more than a Siri command to recover.

Many thanks to Cathal Mc Daid for the original contribution.