Healthcare Interoperability

Hey Dr! Did your iPhone just crash?

A couple of days ago, a Reddit user revealed an iPhone exploit that allowed a remote user to crash the SMS application by sending a specially crafted text message.

Here it is.

 effective. 
      Power
           لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ

What’s remarkable about this exploit is its simplicity. If you copy and paste the text above into an SMS message, the SMS app on the recipient’s iPhone will crash and refuse to reopen.

Please don’t do this to people you haven’t agreed to try it with, or they will be justifiably angry with you. If you ignore this, there are plenty of instructions online that describe how to fix the problem.

As a healthcare technology professional, this type of exploit leaves me very concerned.  Is there any chance of data theft? How large is the “attack surface” and how many users could be affected? Is there any potential for denial of service?

In a 2014 survey, the Spyglass Group noted that more than 92% of physicians were using text messages to communicate protected health information on a routine basis.  Could this data be stolen using this exploit?

It appears not.  Reverse engineering of the code demonstrates that there is very little potential for data loss, although if your phone is jailbroken the situation is considerably less clear.

There is still the possibility of extreme disruption.

Imagine an answering service that pages after-hours physicians. Receiving a message that locks up the phone at 3 o’clock in the morning would be extremely annoying, and getting hold of a technical support person would be difficult. Meanwhile, the patient might get lost in the mix.

With a little creativity it’s easy to make the situation a whole lot worse.

All service providers allow for SMS via email using standardized email addresses based on the phone number. An enthusiastic attacker could use a botnet to send email into these gateways via mail relays and simply run through all of the 10-digit combinations within the US.

A more sophisticated attacker might choose areas around luminary medical centers to significantly reduce the address space.  A couple of hours later there would be major problems as everybody’s phone in the hospital resets.

We’ve been extremely lucky this time round.  There’s little chance of data theft and most users can easily work around the bug while Apple takes their own sweet time to patch it.

Next time could be a whole lot worse. This wake-up call should be making you think about how you plan to protect your practice and your patients.

So, what can you do?

Texting is easy, but it’s just not secure.  Let’s consider the iPhone bug as a stern warning, and push on our technology providers to give us better solutions going forward.