A security researcher today released details of a new vulnerability with serious implications for users of nearly all Apple products, but especially the iPhone and iPad. The flaw affects users of all versions of iOS and Mac OS X; and thus all Macs and iOS devices, including the latest MacBook Air and MacBook Pro models. The flaw also appears to affect the Amazon Kindle and many other ebook readers. The Apple TV is not affected.
According to the researcher, Carl Noevil of Applied Conceptual Defense, any device capable of displaying the written word is vulnerable to social engineering attacks that could seriously affect its users. Once the device has been exploited, the attack self-propagates through all copies of the affected materials. Applied Conceptual Defense sells various filtering technologies that protect against the newly discovered vulnerability. Their security advisory states:
“This is one of the most serious vulnerabilities we’ve discovered. The flaw affects nearly all Apple products and we’ve notified Apple, yet Apple has yet to provide any patches or notifications to their customers. We decided to release our findings so users can protect themselves until a fix is available. Current users of our products are fully protected.”
When we queried Noevil for additional information via email, he wrote:
“We couldn’t believe all the potential vectors we found. We were able to completely exploit almost every device and system we attempted to attack. While we mostly focused on Apple, we also proved that the vulnerability affects any device capable of displaying text, and it was trivial to create cross-platform attacks. Considering the severity of this vulnerability, we can’t believe Apple isn’t better protecting their customers. It’s completely irresponsible.”
With maliciously structured combinations of characters, the attacker could spread divisive ideas or disinformation, cause a neurological buffer overflow, or generate an actual emotional response in the user. In extreme cases, an attack could create a disabling cognitive dissonance. That form of the attack has been correlated to actual physical injury if the user has their text display device activated while operating a motor vehicle.
Unlike most security vulnerabilities, these attacks have been correlated to massive damage in the physical world, and they can propagate through both traditional and modern digital communication media. In a blog post the researchers state:
“We’re still analyzing the historical research, but from what we can tell this vulnerability has been around for a very long time. We’ve found cases where it resulted in everything from poor decision making and emotional distress to political upheavals. The entire American Revolutionary War was the result of a variant of this vulnerability, for instance, and our investigations indicate that it may have played a role in the lead-up to the Bolshevik Revolution as well. There are also indications that WikiLeaks is actually a bot designed to exploit this vulnerability, but we haven’t yet finished decompiling all the code.”
The researchers said they focused on Apple due to the popularity and proliferation of Apple products, and plan on releasing further research about the Amazon Kindle, Barnes & Noble Nook, and other trendy products that easily garner press attention. Aside from electronic devices, the vulnerability reportedly also affects printed books, magazines, newspapers, and even billboards.
According to Applied Conceptual Defense, users of their ViewBlock textual filtering technology are not affected, and we’ve seen online comments that wearers of the Joo Janta 200 Super-Chromatic Peril Sensitive Sunglasses are also protected.
Apple did not respond to requests for comments.