Since the iPhone’s introduction in 2007, Apple has spent millions of dollars developing and promoting it as a secure computing device. PHOTO: JAAP ARRIENS/ZUMA PRESS
Apple iPhone May Be Vulnerable to Email Hack
| le 22 April 2020
Sophisticated nature of the attack means users may not realize they have been hit, ZecOps researchers conclude
Sophisticated hackers may be attacking Apple iPhones by exploiting a previously unknown flaw in the smartphone’s email software, according to a digital-security company that has investigated the incidents.
Attacks on the devices that traditionally have enjoyed a solid reputation for safeguarding personal data date back at least two years and would have been virtually undetectable by victims, Zuk Avraham, chief executive of ZecOps Inc., the San Francisco-based cybersecurity company that detected and analyzed the hacks told The Wall Street Journal.
The intrusions are hard to detect because of the sophisticated nature of the attack, and Apple’s own security measures, which can sometimes make investigating the devices a challenge, according to ZecOps.
Typically phone hacks require a user to take a specific action to download malware, such as clicking on a message, or visiting a website. In this case, hackers have found a way to install malicious software without the recipient doing anything. The bug could leave a large number of iPhone’s open to attack, though researchers say it doesn’t appear to have been widely deployed at this point.
Hackers would send a specially crafted email message to gain access to the recipient’s device, said Mr. Avraham, a well-regarded figure in the tightknit community of iPhone security experts. The bug is triggered when the message is downloaded by the phone’s email reader, without further action by the recipient, he said.
ZecOps based its analysis on digital clues left after an attack within the iPhone’s operating system, rather than the malware itself. The company was unable to obtain the malicious code because the emails used to launch the attacks had been deleted from victims’ devices, Mr. Avraham said.
The attack marks the latest setback for Apple iPhone security, which had long been considered the gold-standard for protection of customer data on smartphones. The iPhone’s reputation has suffered over the past year as security researchers have uncovered a series of attack tools—called exploits—that can be used to gain unauthorized access to the iPhone by leveraging bugs in the phone’s software. Hackers typically use exploits to install software on the phone that can then download emails, messages, photos and other sensitive information.
Apple appears to have taken steps to fix the flaw. The U.S. tech giant has patched the mail bug in a test version of its iPhone operating system, but the fix hasn’t yet been widely released through an official IOS update, Mr. Avraham said.
The fact that the patch isn’t broadly available gives users few options to protect themselves from the attack. Mr. Avraham said he has deleted his mail app, out of an abundance of caution, but Mr. Wardle says he doesn’t recommend the practice, given that the attack isn’t believed to be widespread, at present.
ZecOps so far identified six targets for the attacks based on the email vulnerability, whom Mr. Avraham declined to name. They include, he said, employees of a telecommunications company in Japan, a large North American firm, technology companies in Saudi Arabia and Israel, a European journalist and an individual in Germany.
The ZecOps evidence of continuing attacks is compelling, although short of being definitive, said Patrick Wardle, a security researcher at mobile-security company Jamf Software LLC, who has examined ZecOps report on the bug. But it does show that Apple has a serious security issue that needs to be fixed, he said.
Since the iPhone’s introduction in 2007, Apple has spent millions of dollars developing and promoting it as a secure computing device. Experts such as Mr. Wardle consider it to be the most secure consumer device built today.
Still, on Tuesday, Reston, Va.-based security firm Volexity Inc. said that between January and March of this year, hackers had placed a new exploit on websites serving China’s minority Uighur community, a group some Western officials say are being persecuted by Beijing, a charge the Chinese government denies. The company fixed that flaw last summer.
The data vulnerability Volexity found leveraged a flaw in Apple’s browser. For it to work, the user would have to have visited a website controlled by the hackers while using a mobile phone that was running an older version of Apple’s operating system, including IOS 12.3, 12.3.1, and 12.3.2 software. Apple patched the flaw in version 12.4. Apple currently has deployed IOS version 13.4.1.
On its website, Apple says that about 30 percent of users aren’t using the latest version of its IOS. Many of these users would be vulnerable to this attack, said Steven Adair, Volexity’s founder.
An Apple spokesman declined to comment on the Volexity research.
The attack echoes an earlier weakness in iPhone security that Google researchers disclosed in August. Those attacks infiltrated the smartphones of people who visited a small group of hacked websites. The attack code Google’s researchers uncovered took advantage of a total of 14 iPhone bugs. At the time, Apple said that the attacks uncovered by Google weren’t widespread, affecting “fewer than a dozen websites that focus on content related to the Uighur community.”
Because mobile phones contain some of their owner’s most sensitive information—their photos, contacts, text messages and even details of their movements—it is particularly worrisome when they are hacked, Mr. Adair said.