A flaw in Apple’s Mail app found on iPhones and iPad, has left devices susceptible to sophisticated attacks for years, ZecOps warns
Apple is at the centre of a rare security scare, after research group ZecOps revealed a bug in the Mail app used by iPhones and iPads, which made devices susceptible to sophisticated attacks.
The problem is very serious, as the researchers said the flaw had been exploited at least six times for high-profile victims by nation state hackers, and Apple had unaware of the flaw for years.
To make matters worse, users do not need to download any external software or visit a website that contains malicious software (i.e malware) in order to become a victim. Apple meanwhile has promised a fix in upcoming updates.
According to the research published by ZecOps, the flaw “allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume significant amount of memory.”
It said that the vulnerabilities were triggered in-the-wild, and the vulnerabilities “exist at least since iOS 6 – (issue date: September 2012) – when iPhone 5 was released.”
“Following a routine iOS Digital Forensics and Incident Response (DFIR) investigation, ZecOps found a number of suspicious events that affecting the default Mail application on iOS dating as far back as Jan 2018,” the firm said.
“ZecOps analysed these events and discovered an exploitable vulnerability affecting Apple’s iPhones and iPads,” it added. “ZecOps detected multiple triggers in the wild to this vulnerability on enterprise users, VIPs, and MSSPs, over a prolonged period of time.”
According to ZecOps, the flaw centres on attackers sending a specially crafted blank email through the Mail app, which forces a crash and reset of the Apple device.
The crash then open the door for hackers to steal other data on the device, such as photos and contact details.
And ZecOps also warns the flaw could give access to whatever the Mail app had access to, including confidential messages for example.
And this flaw has been used by attackers in at least six cases, and ZecOps said that suspected victims included individuals from a Fortune 500 organisation in North America; an executive from a carrier in Japan; a VIP from Germany; a journalist in Europe, an executive with a Swiss company, and finally staff of tech firms in Saudi Arabia and Israel.
“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications (hence the 4141..41 strings),” warned ZecOps.
ZecOps however refrained from attributing these attacks to a specific threat actor.
An Apple spokesman acknowledged to Reuters that a vulnerability exists.
The company said it had developed a fix, which will be rolled out in a forthcoming update.
Security experts warned that the flaw was extremely serious, given that smartphones tend to be highly valuable targets as they offer access to bank accounts, messages, and cloud accounts.
“As we have seen in the past, sophisticated attacks on high value – or high profile – targets aim to leverage exploit chains starting with a one-click or zero-click attack to increase their chances of success,” said Christoph Hebeisen, director of security intelligence research at Lookout.
“Surveillance tooling using such exploits is available for sale and, in some cases, as a service by third parties,” said Hebeisen. “The rising prevalence of such attacks indicates that attackers are becoming increasingly aware that mobile devices are the most valuable targets for surveillance and spying. Not only do these devices offer access to user documents, communications, and cloud accounts, they can also act as a live surveillance tool by virtue of their sensors, such as the microphone, camera, and GPS device.”
“This incident demonstrates how even the most well-maintained, fully upgraded mobile operating systems can be susceptible to attacks and compromise,” said Hebeisen. “Third-party security solutions can detect and defend against the impact of device compromise, malicious apps, and phishing attacks against mobile devices.”
Another expert highlighted the fact that the flaw has been sitting undetected on Apple device since 2012.
“These attacks on iOS devices have been exploited for more than two years by nation states and professional hacking organisations and affect all versions of iOS from as early as 2012,” said Chris Clements, VP of solutions architecture at Cerberus Sentinel.
“The attack affects the built-in iOS Mail app but not other popular emails apps such as Outlook or Gmail,” said Clements. “You must assume that any attacker with enough ability or financial backing has access to sure-fire exploits that can take control of computers or devices running any operating system or application.”
“These exploits are specially designed to go undetected by anti-virus, firewalls, and other front-line security controls,” said Clements. “The only way to defend against such attacks is to have a culture of security with defence in-depth capabilities including close monitoring of security logs and anomalous network traffic.”
Do you know all about security? Try our quiz!