In the near future, hackers could pwn you just by sending your computer or cellphone a random string of emojis, according to cybersecurity researchers. Usually, when hackers find a flaw in a target computer or cellphone, they craft what is called an exploit—a piece of code designed to take advantage of the flaw and take control of the target. Much like any other code, the exploit usually contains strings of letters and symbols.
But it doesn’t have to be that way. During a talk at the hacking conference DEF CON in Las Vegas on Friday, security researchers Hadrien Barral and Georges-Axel Jaloyan said they have found a way to use just a series of emojis to deliver an exploit to a target. The caveat is that there is a specific circumstance that needs to occur for the emoji exploit to work.“The real-life scenario is a bit far-fetched. In very simple terms: say you found a vulnerability, but before getting to the vulnerable part, the hacker input needs to go through an emoji filter. Then, to exploit the vulnerability, the hacker needs an emoji-only input, aka an emoji-only shellcode,” Barral and Jaloyan told Motherboard in an email, referring to the code that gives hackers a “shell,” which is a prompt that hackers can use to send commands to the hacked machine. “What is the probability to have an emoji-only filter? Quite low actually.” Jayolan explained that when sending an exploit to the target, it has to first go through a filter—for example, if a hacker sends their payload through a form that only accepts letters and digits, then the payload should be made of letters and digits. So, for the emoji attack to work, it needs to go through a filter that only accepts emojis, which Jaloyan said does not exist at this point. The two researchers shared with Motherboard an example of an exploit made only of emojis. They also published the technical details of their research on GitHub.
Still, Barral and Jaloyan’s research and proof of concept shows that using emojis to hack targets is indeed possible. “Our talk adds to the state of the art our new method,” the researchers said. “The main contribution is that we have an emoji-only payload which spawns a shell.”The researcher’s idea is to educate both cybersecurity attackers and defenders showing them this is possible, which should push them to change their behavior. “We hope this helps Red teams (pentesters) to apply this new technique to similar problems as well as Blue teams (defenders) to rethink their threat-model and improve malware detection,” the researchers said. During their research, Barral and Jaloyan found that some software has a hard time processing emojis. This doesn’t mean this software can be hacked with emojis, but shows that emojis are novel enough that not all computers and programs support them. “When I tried to print the slides. I managed to crash both the printer and my computer at the same time. Since then, I'm still not able to use the printer for any task!” Jaloyan said. I'll probably have to do a factory reset.”Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.