iPhone: Certain character combination triggers SpringBoard restart

A central iPhone system process can be crashed by entering a short sequence at one point in the system. It also causes trouble in other search fields.

A bug in the iPhone (symbolic image).

(Image: Mac & I / PD)

A German security researcher with the handle @kpwn@infosec.exchange has discovered a short text sequence that can be used to partially crash current iPhones. This could – at least theoretically – be exploited for denial-of-service attacks. Apple has fixed the problem, possibly by accident, in iOS 18, at least in a central location, but it still occurs in other areas.

To provoke the crash, you first have to go to the app library, which you can find by swiping all the way to the right from the home screen. In the search field that appears there, you need to enter two quotation marks (by pressing and holding the corresponding button to avoid triggering "quotation marks down") plus two colons. It also seems to be sufficient to enter another character instead of the second colon or to use several words including spaces between the quotation marks.

SpringBoard, Apple's central iOS process that manages the home screen, among other things, crashes immediately after the input. Fortunately, the iPhone itself remains usable: after a few seconds the SpringBoard respawn is complete and the system is back up and running. It is still unclear what exactly causes the problem – and whether the crash will result in further vulnerabilities.

We were unable to reproduce the problem under iOS 18 beta versions 6 and 7; Apple has apparently made changes here. The regular system search Spotlight is also not affected under iOS 17 or 18. However, there are other search fields that do not like the character string. Under iOS 17 and iOS 18, it was possible to use it to close the Control Panel, but this does not cause the SpringBoard to crash and respawn. Messaging apps are also not affected.

Crashes caused by problematic character strings are not a new phenomenon under iOS; in 2022, for example, the Safari browser could be shut down. However, Apple was able to fix this with a server-side change. The new phenomenon, on the other hand, requires a fix in the operating system.

(bsc)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.