iMessage Denial of Service attack cripples the Apple messaging app
This entry was posted on Monday, April 1, 2013.
Over the last week or two, several iOS developers were hit with a fairly major denial of service attack that piggybacked on Apple’s popular iMessage messaging platform. This DoS attack consisted of a very large number of texts being sent to an iOS device owner, which invariably crashed the iMessage app on the device.
For all its popularity, iMessage has lacked some very basic security features. These shortcomings include the inability to block messages coming from a specific sender (something that pretty much every messaging platform, both new and old, from WhatsApp to Facebook Messenger, seems to allow). On top of that, anyone who knows a person’s iMessage login ID can send a message (or, as this case proved, a great many messages) to that person’s iMessage account.
The problem is exacerbated in Mac OS X Mountain Lion and iOS 6, given that both phone numbers and email IDs can act as login IDs for iMessage users.
The hackers in question were using multiple spamming IDs to flood iMessage inboxes with messages like ‘Hi’, ‘We are Anonymous, We are Legion’, or large sets of Unicode-based messages that made the iMessage app particularly prone to crashing. Because they used so many different IDs, even if Apple were to add a blocking feature to iMessage in an update in the near future, it would be rather hard to stop the influx of messages. What’s needed is a limiting mechanism that throttles messages being sent at an abnormal frequency in order to stop this menace.
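
To make the last point concrete, here is an added sketch (not Apple's code and not from the original post) of an inbound limiter that compares a per-sender limit with an aggregate per-recipient cap under a flood from rotating IDs. The class names, limits, window size and addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class SlidingWindow:
    """Allow at most `limit` accepted events per `window_ms` milliseconds."""
    def __init__(self, limit, window_ms):
        self.limit, self.window_ms = limit, window_ms
        self.accepted = deque()  # timestamps of accepted events, oldest first

    def has_room(self, now_ms):
        # Forget events that have aged out of the window, then check capacity.
        while self.accepted and self.accepted[0] <= now_ms - self.window_ms:
            self.accepted.popleft()
        return len(self.accepted) < self.limit

    def record(self, now_ms):
        self.accepted.append(now_ms)

class InboundLimiter:
    """Per-(sender, recipient) limit, plus an optional cap on everything
    arriving for one recipient regardless of who sent it."""
    def __init__(self, sender_limit=5, recipient_limit=None, window_ms=10_000):
        self.per_sender = defaultdict(lambda: SlidingWindow(sender_limit, window_ms))
        self.per_recipient = None
        if recipient_limit is not None:
            self.per_recipient = defaultdict(
                lambda: SlidingWindow(recipient_limit, window_ms))

    def accept(self, sender, recipient, now_ms):
        windows = [self.per_sender[(sender, recipient)]]
        if self.per_recipient is not None:
            windows.append(self.per_recipient[recipient])
        # Only count a message against a window if every window admits it.
        if not all(w.has_room(now_ms) for w in windows):
            return False
        for w in windows:
            w.record(now_ms)
        return True

def simulate_flood(limiter, n_messages=200, n_ids=50, gap_ms=50):
    """Constructed flood: one recipient, sender IDs rotated on every message."""
    return sum(
        limiter.accept(f"id{i % n_ids}@example.invalid",
                       "victim@example.invalid", i * gap_ms)
        for i in range(n_messages))

def compare():
    sender_only = simulate_flood(InboundLimiter(sender_limit=5))
    with_cap = simulate_flood(InboundLimiter(sender_limit=5, recipient_limit=10))
    return sender_only, with_cap  # messages delivered under each policy

if __name__ == "__main__":
    print(compare())
```

The per-sender limit alone never triggers because each rotating ID stays under it, while the aggregate cap holds the inbox to a fixed rate. The trade-off is that legitimate senders are throttled along with the flood until the window clears.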