A couple of days ago a Reddit user revealed an iphone exploit that allowed a remote user to crash the SMS application by sending a specially crafted text message.
Here it is.
effective. Power لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ
What’s remarkable about this exploit is its simplicity. If you copy and paste the text above into an SMS message the SMS app on the recipient’s iPhone will crash and refuse to reopen.
Please don’t do this to people you haven’t agreed to try it with or they will be justifiably angry with you. If you ignore this there are plenty of instructions online that describe how to fix the problem.
As a healthcare technology professional, this type of exploit leaves me very concerned. Is there any chance of data theft? How large is the “attack surface” and how many users could be affected? Is there any potential for denial of service?
In a 2014 survey, the Spyglass Group noted that more than 92% of physicians were using text messages to communicate protected health information on a routine basis. Could this data be stolen using this exploit?
It appears not. Reverse engineering of the code demonstrates that there is very little potential for data loss, although if your phone is jailbroken the situation is considerably less clear.
There is still the possibility of extreme disruption.
Imagine an answering service that pages after-hours physicians. Receiving a message that locks up the phone at 3 o’clock in the morning would be extremely annoying, and getting hold of a technical support person would be difficult. Meanwhile, the patient might get lost in the mix.
With a little creativity it’s easy to make the situation a whole lot worse.
All service providers allow for SMS via email using standardized email addresses based on the phone number. An enthusiastic attacker could use a botnet to send email into these gateways via mail relays and simply run through all of the 10 digit combinations within the US.
A more sophisticated attacker might choose areas around luminary medical centers to significantly reduce the address space. A couple of hours later there would be major problems as everybody’s phone in the hospital resets.
We’ve been extremely lucky this time round. There’s little chance of data theft and most users can easily work around the bug while Apple takes their own sweet time to patch it.
Next time could be a whole lot worse. This wakeup call should be making you think about how you plan to protect your practice and your patients.
So, what can you do?
- If you are a healthcare professional do not jailbreak your iPhone. Running untested and unvalidated software on a device that is used for patient care is a very bad idea. There are a large number of exploits and malware that will be targeted squarely at you. Do you really want to take that risk?
- I know this isn’t going to be easy, but friends don’t let friends use SMS to transfer protected health information. There just isn’t enough protection on the device to be able to stop data loss in situations like the SMS bug.
- Pressure your IT department to select and implement a third party HIPAA compliant messaging app. Organize your colleagues to do the same.
- For solo providers look into something like Tiger Text. It’s affordable and compliant for use with patients and other providers.
Texting is easy, but it’s just not secure. Let’s consider the iPhone bug as a stern warning, and push on our technology providers to give us better solutions going forward.