Two iOS Hacks, Existing Since iOS 6, Caught Exploited in the Wild; Apple Working on Patch
Two new iOS hacks have been discovered by researchers from ZecOps. These vulnerabilities are related to the Mail app and allow remote zero-click attacks, which means that they can work without any user interaction. The surprising thing about this report from ZecOps is that the issue has existed since iOS 6, and has been actively exploited in the wild.
ZecOps, a security company, reported that they had been actively investigating "suspicious events" affecting the default iOS Mail app since January 2018. These investigations revealed a larger problem regarding security vulnerabilities that impact iPhone, iPad and iPod touch, and were being actively exploited against enterprise users and other VIPs.
The vulnerabilities were being exploited by sending an email to the victim. In iOS 12, this email would require a click to trigger, but in iOS 13, this email would trigger the hack without any user interaction. Once triggered, the exploit lets the attacker run code remotely on the iOS device without user intervention. This could not only give the attacker access to the victim's emails, but potentially complete device access.
ZecOps revealed that the following suspected targets have been victims of this attack:
- Individuals from a Fortune 500 organization in North America
- An executive from a carrier in Japan
- A VIP from Germany
- MSSPs from Saudi Arabia and Israel
- A Journalist in Europe
- Suspected: An executive from a Swiss enterprise
The security company also revealed that a "hackers-for-hire" organization has been selling exploits based on this vulnerability, amongst other malicious actors.
The issues are summed up by ZecOps in the list below:
- The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory
- The vulnerability does not necessarily require a large email – a regular email which is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods
- Both vulnerabilities were triggered in-the-wild
- The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device
- We are not dismissing the possibility that attackers may have deleted remaining emails following a successful attack
- Vulnerability trigger on iOS 13: Unassisted (/zero-click) attacks on iOS 13 when Mail application is opened in the background
- Vulnerability trigger on iOS 12: The attack requires a click on the email. The attack will be triggered before rendering the content. The user won’t notice anything anomalous in the email itself
- Unassisted attacks on iOS 12 can be triggered (aka zero click) if the attacker controls the mail server
- The vulnerabilities exist at least since iOS 6 – (issue date: September 2012) – when iPhone 5 was released
- The earliest triggers we have observed in the wild were on iOS 11.2.2 in January 2018
It is important to note that even though macOS also has a native Mail app, it is not vulnerable to these security exploits.
ZecOps shared details and proof-of-concepts of these vulnerabilities with Apple in March, and a patch for these issues was included in iOS 13.4.5 beta. The security company has also verified inclusion of the fix in the new beta update.
Apple has officially confirmed that the issue is fixed in the latest iOS beta and will be available to all users soon. Considering that the issue also impacts older iOS devices, Apple might release security updates for iOS 11 and older versions too.
Until the fix is public, make sure to disable the Mail app on your iOS device and use something like Gmail, Outlook, Spark, or other alternatives.