teaching machines

iMessage “DoS” Attack

March 31, 2013 by . Filed under cs330, howto, pop computer science, spring 2013.

I would be surprised if I’m the only student in this program who thinks small hacking pranks and minor harmless attacks on unsuspecting folks are both fun and educational.

This weekend I learned AppleScript, which, for the Mac OS X-impaired folks, is a really nice scripting editor that comes standard on all OS X machines. It’s really nice, and really, really simple to use. Plus, it gives you root-level access to just about anything you want on your computer. For example, I have some great code that prevents Adobe Activation from checking whether you’re registered. All you need is a serial number that was valid at some point; run the script, and it’ll just note that everything is okay and never authenticate. Lovely.

But the real fun was a Denial of Service (DoS) attack that I ran this weekend against a few of my contacts, with their permission.

In the name of science.

Take a look at this code:

************

set theTruth to true

repeat while theTruth is true
    tell application "Messages"
        set myid to get id of first service
        set theBuddy to buddy "+15555555555" of service id myid
        send "0000-00FF 0000-00FF 0000-00FF 0000-00FF 0000-00FF 0000-00FF
0000-00FF 0000-00FF 0000-00FF 0000-00FF 0000-00FF 0000-00FF
0000-00FF 0000-00FF 0000-00FF 0000-00FF 0000-00FF 0000-00FF
0000-00FF 0000-00FF " to theBuddy
    end tell
end repeat

**************

So what’s this doing? First, it sets up an infinite loop; hopefully you can see why. Next it says, “Hey Messages, you’re about to be abused, stand by.” Then there’s this weird service id thing. Each computer has its own service id, which is somehow cross-referenced with your Apple ID to send messages from your Mac. There’s a really long, complex way to get this id without using a variable like myid, but this way is just faster. The other funny thing is that if you set the id outside of the repeat, it sometimes comes back with errors.

Anyway, after that, I set up a variable of type buddy holding their buddy id, and send from the service id I just got. Then I send them 0000-00FF over and over again. Why that string? It turns out iOS has a harder time handling unicode strings, for some reason.

Finally, I end the abuse and tell Messages to stand down.

But then I do it a few thousand more times…just for fun.

What are the implications of this?

Well, the first victim I tried (and I asked his permission, assuring him I would stop the attack once I figured out what it could do) was using iMessages on his Mac, which has a hell of a lot more power than an iPhone. All it managed to do on his Mac was tie up his Messages app. When someone texts you there, it instantly comes to your attention, so sending messages to other people became impossible while the attack was happening. Fun, but not much of a DoS attack.

The second one was way better. I sent it to his phone and let it run for about 4 minutes. Not only did it completely crash the Messages app on his iPhone, but he couldn’t text anyone else (iMessage or standard SMS) and couldn’t make or receive calls. Soon, it crashed his iPhone. By the time he got it back on, I had long since stopped the attack, but the leftover messages were still coming.

His phone was out of commission for about 2 hours.
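A defender’s-side addition, not part of the original post and not Apple’s code: a sliding-window flood detector that mutes any sender whose traffic exceeds a per-minute message or character budget, the kind of check a messaging client or gateway can apply before a burst like the one above reaches the UI. Msg, FloodDetector and the thresholds are my assumptions; the replayed traffic is constructed to match the loop above (the 200-character payload twice a second) beside one ordinary contact, and a muted sender stays muted so the queued leftovers that kept arriving after the attack stopped are dropped as well.

```python
"""Per-sender message-flood detector (sliding window). Added illustration, not
Apple's code; assumes inbound messages arrive as (sender, time, size) records."""
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Msg:
    sender: str
    ts: float   # arrival time, seconds
    size: int   # payload length in characters

class FloodDetector:
    """Flags a sender whose traffic in the last `window` seconds exceeds either
    `max_msgs` messages or `max_chars` characters. Once flagged, a sender stays
    muted, so leftovers still queued after the burst are dropped too."""

    def __init__(self, window=60.0, max_msgs=20, max_chars=4000):
        self.window, self.max_msgs, self.max_chars = window, max_msgs, max_chars
        self.recent = defaultdict(deque)   # sender -> deque of (ts, size)
        self.chars = defaultdict(int)      # sender -> chars inside the window
        self.muted = {}                    # sender -> ts of first flag

    def observe(self, m):
        """Record one inbound message; return True if it should be dropped."""
        q = self.recent[m.sender]
        q.append((m.ts, m.size))
        self.chars[m.sender] += m.size
        while q and m.ts - q[0][0] > self.window:   # expire entries outside window
            _, old = q.popleft()
            self.chars[m.sender] -= old
        if len(q) > self.max_msgs or self.chars[m.sender] > self.max_chars:
            self.muted.setdefault(m.sender, m.ts)
        return m.sender in self.muted

def sample_traffic():
    """Constructed: one ordinary contact, plus the post's loop at 2 msgs/s
    for 30 s, each message the 200-char '0000-00FF ' x 20 payload."""
    payload = "0000-00FF " * 20
    normal = [Msg("alice", 1000 + 20 * i, n) for i, n in enumerate((12, 30, 5))]
    flood = [Msg("+15555555555", 1000 + 0.5 * i, len(payload)) for i in range(60)]
    return sorted(normal + flood, key=lambda m: m.ts)

def detect_floods(messages, **limits):
    """Replay messages through the detector; return {sender: first_flag_ts}."""
    det = FloodDetector(**limits)
    for m in messages:
        det.observe(m)
    return dict(det.muted)
```

With the defaults the flooding number is muted at the 21st message, ten seconds into the burst, while the ordinary contact is never touched; lowering max_chars alone catches the same sender earlier because each message is long.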

So, a few things I learned: