Update 24/04/2020 at 9:41am: Apple says it has found no evidence that the security vulnerabilities uncovered by ZecOps in the iOS Mail app were used against customers. Further, the company says that the issues, which were on both the iPhone and iPad versions of the app, are “insufficient” to bypass security protections on those devices. The full statement is available below:
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
However, the company’s response directly contradicts the claims of security researchers from ZecOps (details in the original story below). ZecOps said it was confident the flaws were exploited in the wild. Additionally, the researchers detailed how they discovered the exploits in an interview with Motherboard. They found the exploits after looking into a series of suspicious crashes that happened on customers’ iPhones in the summer and fall of 2019. ZecOps claims the investigation into the crashes revealed unknown vulnerabilities in the Mail app.
Further, the targets included an executive at a Japanese telephone carrier, a “VIP” from Germany, managed security service providers in Saudi Arabia and Israel, employees of a North American Fortune 500 company and an executive from a Swiss company.
Apple isn’t the only company to question ZecOps’ claim that the flaws were exploited in the wild, however. Other researchers in the security community, including a researcher at Google’s Project Zero, questioned the claim.
In response to Apple’s statement, ZecOps said it found evidence attackers exploiting the flaw against “a few organizations.” Further, the company said it would share additional technical information once Apple released its software update to the public.
You can read the original report about the vulnerabilities below:
When the next version of iOS 13 drops, you’ll want to update right away. That’s because it will contain a patch for potentially serious security vulnerabilities inside Apple’s Mail default Mail app.
According to research from ZecOps, a small start-up based in San Francisco, California, the two vulnerabilities are ‘zero-day’ and one is a ‘zero-click’ vulnerability. For those unfamiliar with the terms, zero-day security flaws are those that exist in software or hardware and are unknown to manufacturers. Since zero-days for Apple’s locked-down ecosystem are hard to come by, these exploits can be worth millions of dollars.
Zero-click vulnerabilities, on the other hand, require no user interaction to utilize. In other words, an attacker that targets you with a zero-click flaw would not need you to do anything. No clicking on sketchy links or downloading files. ZecOps says the zero-click they discovered is especially dangerous because attackers can exploit it remotely. The startup notified Apple of its findings at the end of March.
A patch for the vulnerabilities is on the way
Both iOS 13 and the previous iOS 12 release are affected by the flaws. However, Apple has already patched the issue in the recent iOS 13.4.5 beta and it should roll out to the public soon. Currently, those on the latest iOS version are using iOS 13.4.1.
The exploits only work with the default iOS Mail app, which means that those using third-party apps like Gmail shouldn’t have to worry. It’s unclear if someone using a Gmail email address with the default Mail app would still be vulnerable. Attackers can exploit the flaw by sending an oversized email to a target. Again, the victim doesn’t have to interact with the email, only receive it for the attack to work. ZecOps notes that some email providers may block such an email.
If attackers successfully execute the exploit, iOS 13 users may experience a temporary slowdown of the Mail app but no other indication. iOS 12 users, on the other, may see the Mail app crash, but that would be the only indication. A follow-up attack can also remove the email from a victim’s device to cover attackers’ tracks.
Vulnerabilities were exploited in the wild, but not on a mass scale
Ultimately, it appears the flaws aren’t ‘polished’ attacks and are more like a cyber smash-and-grab. In an in-depth report from Motherboard about the vulnerabilities, experts told the publication that sophisticated spy agencies would likely deem this kind of exploit too risky for use on a high-value target.
That said, ZecOps believes the flaws were actively exploited in the wild, but not on a mass scale. Instead, attackers chose specific targets to use the exploits on. However, if you believe you were targetted by the attack, deleting the default Mail app from your iPhone could help.
Further, the vulnerabilities could resurface debate over whether Apple is doing enough to secure the iPhone platform. Some believe Apple should make changes to iOS that would allow security researchers more access and improve their ability to detect and stop security flaws. And while Apple has done more in recent months to help security researchers, it continues to keep iOS under a tight lock.