Unicode vulnerability is a specific text message which exploits a user`s attention because a text bomb which can paralyze all Apple products such as iPhone, iPad, Mac, Apple watch and Apple TV is found one after another. There are no similar bugs found on the Android OS, so it is wondering about the completeness of iOS `stability and security.

According to Mobile World on February 17, Italian security experts Vittorio and Angelo have discovered the iPhone attack method using telugu and released it on the homepage and YouTube.

Telugu is a Dravidian language used by about 70 million people in northern India. If an attacker sends a specific telugu string to an Apple device user, it can download all message apps and email systems with a text transfer window, such as KakaoTalk line, Facebook messenger, Watts app, and Twitter. Even after the app breaks, the device itself fails to operate normally.

Also, this causes memory overload in the decoding process to recognize a specific string of Unicode characters. Currently, all versions of iOS are unable to attack telegraphic characters. Apple is aware of this late and will fix the problem with the upcoming iOS 11.3 official patch.

This vulnerability can be exploited by an attacker to harass a targeted user or cause confusion with random spamming via SNS. When some Arabic unicode bugs were found similar to this case in 2015, when some attackers showed up on the portal comment window and SNS, the devices of users who saw this happened to all of them, and it was nicknamed `iPhone EMP attack`.

Just a month ago, software developer Abraham Masri found a vulnerability called "Difference OS" that caused the device to reboot or crash with a specific URL address letter and informed Apple. At that time, Apple did not answer any of the questions, so the discoverer revealed it to the code-sharing site "Herb". Since then, Apple has provided security patches through iOS 11.2.5.

Meanwhile, Lee Hee-joo, a professor of computer engineering at Korea University (IoT • Director of SW International Security Cooperation Research Center), said, "This attack method works because the unexpected Unicode input value cannot be exceptionally handled by the device. It is a principle that overflows the domain. "Although it does not cause damage such as leakage of personal information, it can detect other additional vulnerabilities of the OS through attack from hackers` position." He stated.

By Lee Gyung Tak kt87@


[ copyright ⓒ The Digitaltimes ]