Millions of iPhones Vulnerable to Nasty Email Hacks — What to Do Now (update)

Updated with comments from Apple. This article was originally published on April 22, 2020.

Hackers have been remotely attacking iPhones with malicious email messages for at least two years, according to a report from San Francisco-based security firm ZecOps.

Apple plans to fix the underlying flaw in the next release of iOS 13.4.5, but for now, all versions of iOS dating back to at least iOS 6 are vulnerable to these attacks. Since this attack only works against Apple's own Mail app, you can protect yourself by deleting the app until a fix is issued.

However, that may not be necessary. The attack has so far only targeted business leaders, journalists, and corporate security firms, valuable targets who are always at risk of cyberattacks from well-funded adversaries.

Attackers can use these exploits to "compromise, modify, or delete emails," ZecOps said in a blog post on Monday (April 20), but attackers may also be able to take complete control of the devices with additional exploits.

ZecOps researchers found an exploit that allows hackers to hijack iPhone processes by sending very large email messages, or other messages that consume a lot of system memory. When Apple's own email program runs out of memory, attackers can inject malicious code.

Exploits of two other bugs in iOS are required for the exploit to be fully functional, but ZecOps has so far not disclosed details of those bugs. (This story was first reported by Vice News.)

In an April 23 exchange with Bloomberg News reporter Mark Gurman, Apple said "these issues do not pose an immediate risk to our users."

Apple further stated that the flaws found by ZecOps were "insufficient to bypass iPhone and iPad security procedures" and that it "has found no evidence of their use against customers."

This is not entirely inconsistent with ZecOps' statements. As we saw above, the initial investigation report mentioned two other bugs necessary to hack the Mail app. And just because Apple has no evidence of an attack involving these flaws does not mean that such attacks did not occur.

Eating up memory is not that difficult on older iPhones with less RAM - the 2017 iPhone X, for example, has only 3GB - but all models are vulnerable. However, this attack does not work with third-party email apps like Gmail or Outlook.

Surprisingly, iOS 13 is arguably more at risk for these attacks than previous versions of iOS. This is because iOS 13 handles the back-end process of mail processing in a different way.

As a result, iOS 13 can be hacked as soon as an iPhone receives a malicious email message. No user intervention is required.

Prior to iOS 12, it is easy to cause an iPhone to run out of RAM, but for the exploit to work, the iPhone user must open the malicious message, which may cause the Mail app to crash. In either situation, the attacker often remotely deletes the email message so that the target does not see it on his or her device.

According to ZecOps, this attack dates back to at least January 2018, and iPhones with iOS 11.2.2 have been successfully attacked.

"It is also possible that the attacker took advantage of this vulnerability much earlier," ZecOps said.

ZecOps said that the individuals targeted have so far included "individuals from Fortune 500 organizations in North America, executives from [wireless] carriers in Japan, VIPs in Germany, MSSPs [managed security service providers] in Saudi Arabia and Israel, European journalists," and possibly "executives from Swiss companies."
