The iOS 11.4.1 update Apple released Monday was most notable for making it harder for law enforcement to access locked iPhones. On Tuesday, security researcher Patrick Wardle illuminated another fix. He said his fix addressed code Apple added likely to appease the Chinese government; this is the code that caused crashes on certain iDevices when users typed the word Taiwan or received messages containing a Taiwanese flag emoji.
“Though its impact was limited to a denial of service (NULL-pointer dereference), it made for an interesting case study of analyzing iOS code,” Wardle, a former hacker for the National Security Agency, wrote in a blog post. “And if Apple hadn’t tried to appease the Chinese government in the first place, there would be no bug!”
Wardle, who is now a macOS and iOS security expert at Digital Security, said he was perplexed when a friend first reported her fully patched, non-jailbroken device crashed every time she typed Taiwan or received a message with a Taiwanese flag. He had no trouble reproducing the remotely triggerable bug, which crashed any iOS application that processed remote messages, including iMessage, Facebook Messenger, and WhatsApp. Wardle did, however, find that only devices with certain region-specific configurations were affected.
The iPhone’s notorious closed nature made analyzing the bug challenging. It helped to isolating the memory locations that stored a dereferenced null pointer and a faulty instruction that caused it. Wardle also relied on the iPhone’s restore image to pull some of the code libraries. He eventually found that the crashes were being caused by code that classified messages based on emojis they contained. He also noticed that the error seemed to be triggered when iOS had country codes that included China or language settings including Chinese (his friend’s phone specified the region as the US and the language as English, followed by Chinese.)
The discovery ultimately led to a simple fix. Wardle explained:
After two+ years of being unable to type “Taiwan” or being remotely DOS’d anytime her phone received an Taiwanese flag emoji, the fix (kudos to my friend Josh S. for the idea!), was simply to toggle the region from US to China, then back to US.
I’m not 100% sure why (or how this fixed it), but I’m guessing it either set the “Country” value to “US” so the boolean flag (at byte_1b1c9bb00) was set now to 0x1, meaning CFStringCompare()` was never called… or, that the calls to CFLocaleCopyCurrent()/CFLocaleGetValue() no longer returned NULL, meaning a valid string was passed to CFStringCompare().
Wardle traced the likely purpose of the buggy code to documented iOS behavior that hides the Taiwanese flag from the emoji menu or from being displayed on the screen when the region is set to China. Apple didn’t respond to an email seeking comment for this post. Wardle also privately reported the bug to Apple. The flaw was indexed as CVE-2018-4290 and patched in iOS 11.4.1.