Security researchers say the iPhone has a severe flaw in the native iOS Mail app that makes it vulnerable to hackers, according to a report published on Wednesday by San Francisco-based firm ZecOps.
The flaw had not previously been disclosed to Apple, making it extremely valuable to a variety of bad actors. ZecOps says it believes “with high confidence that these vulnerabilities… are widely exploited in the wild in targeted attacks by an advanced threat operator(s).”
ZecOps believes that at least six high-profile targets were victims of the exploit, including an executive from a mobile carrier in Japan and “individuals from a Fortune 500 company in North America.” ZecOps is declining to name the victims for privacy reasons, and it says it was unable to obtain the malicious code because the email messages are believed to have been remotely deleted by the hackers.
“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13,” the report reads. ZecOps says the vulnerability, which underlies at least two related iOS zero-day exploits, has existed in the Mail app since at least iOS 6, which was released in 2012.
At this time, however, it does not appear that ZecOps has public evidence of the exploits being used it feels comfortable sharing, leading some security researchers to question the validity of the claim. That includes Jann Horn, a researcher for Google’s Project Zero cybersecurity project:
@ZecOps your writeup says “The suspicious events included strings commonly used by hackers (e.g. 414141…4141).”, but that’s also what it looks like when you just base64-encode nullbytes; and this is MIME parsing, so you’re likely to see base64-encoded data
— Jann Horn (@tehjh) April 22, 2020
Regardless, what makes this particular exploit so dangerous in theory is that it does not require the victim to download a file or visit a malware-infested website. Instead, all it requires to remotely execute code on a victim’s iOS device is for the Mail app to receive the email and for the victim to open the message.
ZecOps says it reproduced the results of the hack in its lab after being altered to suspicious crashes on customers’ iPhones last summer. It then reported the exploits last month to Apple, which ZecOps says already patched the vulnerability in the most recent beta release of iOS. The fixes are expected to arrive for the non-beta version of iOS in an update to all users the coming weeks. Apple declined to comment on the findings.
“To mitigate these issues — you can use the latest beta available. If using a beta version is not possible, consider disabling Mail application and use Outlook or Gmail that are not vulnerable,” ZecOps writes.