2 min read

Watching a video can crash and freeze any iPhone


November 25, 2016

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Watching a video can crash and freeze any iPhone

When you think of denial-of-service, there’s a good chance you picture the botnet-powered attacks that see attackers bombard websites with so much traffic that they become near-impossible to access.

But denial-of-service describes a much broader range of attacks than that. In its purest form, denial of service means any kind of incident that disrupts usage of a service.

So, if a remote attacker causes your phone to crash and turn itself off that is a denial-of-service.

The point I’m trying to make is that a video that forces your phone to switch off and requires you to do a hard reset is no laughing matter. Although I’m sure many view such an attack as an amusing prank, it’s also a denial of service and could potentially have serious consequences if a victim needed to use their phone urgently, or if somebody was trying to contact them in an emergency.

It’s against this backdrop that I read with interest a report of how a video published on the popular Russian social network, VKontakte, was freezing iPhones.

As YouTuber EverythingApplePro describes in his own (thankfully safe) YouTube video, minutes after watching a seemingly-innocent video an iPhone becomes unusable.

The only thing you can do is force a hard reset on the phone by simultaneously pressing “Home” and “Power” buttons for a few seconds.

If you have an iPhone 7 (which doesn’t have a physical Home button) then you’ll have to press the Power and Volume Down buttons instead.

EverythingApplePro’s video describing the freaky behaviour has been watched over two million times in the last few days, and (predictably) hundreds of thousands of people have clicked on the link to the video that triggers the denial-of-service.

The good news is that the attack does not appear to be permanently harmful. There is clearly something odd about the video’s codec that is causing a bug in iOS’s code to rear its head, and the phone to crash. But that doesn’t mean that the same technique could necessarily be easily used to spread malware, for instance.

And it’s not as though iOS is a complete stranger to denial of service attacks, and there have been comparable incidents in the past.

For instance, last year we described on Hot for Security how a researcher had discovered a way to crash another user’s WhatsApp by sending them a single message containing an “emoji bomb”

Also in 2015, at the RSA Conference, security researchers revealed how malicious hackers could crash any iOS device within range of a Wi-Fi hotspot.

Meanwhile, bug hunters found it was possible to force iPhones to restart just by sending them a carefully-crafted Flash SMS message.

Software is written by programmers. Programmers are (mostly) human, and so they make mistakes. All software of any complexity has bugs, and we’re probably asking too much if we expect a completely bug-free smartphone operating system.

What’s important is that when bugs are found, particularly if they are serious, that they get investigated and fixed in a prompt fashion.

My hope is that soon Apple will release a version of iOS which fixes this particular bug and means that mischief-makers will have to try a little harder to pull pranks on their friends.

And maybe that will also mean that we’re all a little bit safer from suffering a denial-of-service attack on our phones.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like