The bug, which also exists on iPads, was discovered by ZecOps, a San Francisco-based mobile security forensics company, while investigating a sophisticated cyber attack against a client that took place in late 2019. Zuk Avraham, CEO of ZecOps, said he found evidence that the vulnerability has been exploited in at least six cybersecurity break-ins.
An Apple spokesperson acknowledged that there is a vulnerability in Apple’s software for email on iPhone and iPad, known as the Mail app, and that the company has developed a patch, which will be rolled out in an upcoming update on millions of devices it has sold worldwide.
Apple declined to comment on Avraham’s research, released Wednesday, which suggests the flaw could be triggered remotely and that it had previously been exploited by hackers against high-level users.
Avraham said he found evidence that malware had been taking advantage of the vulnerability in Apple’s iOS mobile operating system since January 2018. He could not determine who the hackers were, and Reuters was not able to independently verify the claim.
To execute the hack, Avraham said the victims would receive a seemingly blank email message via the Mail app, forcing a crash and a reset. The crash opened the door for hackers to steal other data from the device, such as photos and contact information.
ZecOps says the vulnerability has allowed hackers to remotely steal data from iPhones even if they are running recent versions of iOS. By itself, the flaw could have given access to everything the Mail app had access to, including confidential messages.
Avraham, a former IDF security researcher, said he suspected the hacking technique was part of a chain of malware, the others undiscovered, that could have given an attacker full remote access. Apple declined to comment on this prospect.
ZecOps discovered that the Mail application hacking technique was used against a client last year. Avraham described the targeted customer as a “Fortune 500 North American tech company,” but declined to name it. They also found evidence of related attacks against employees of five other companies in Japan, Germany, Saudi Arabia and Israel.
Avraham based most of his conclusions on “crash reports” data, which are generated when programs fail to run on a device. He was then able to recreate a technique that caused the controlled crashes.
Two independent security researchers who reviewed the ZecOps discovery found the evidence to be credible, but said they had not yet fully recreated its findings.
Patrick Wardle, an Apple security expert and former researcher with the United States National Security Agency, said the discovery “confirms what has always been a rather poorly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices.”
Because Apple was not aware of the software bug until recently, it could have been very valuable to governments and entrepreneurs offering hacking services. Exploit programs that work without warning against an outdated phone can be worth more than $1 million.
While Apple is widely regarded in the cybersecurity industry as having a high level of digital security, any successful hacking technique against the iPhone could affect millions of people due to the worldwide popularity of the device. In 2019, Apple said there are around 900 million iPhones in active use.
Bill Marczak, a security researcher at Citizen Lab, a Canadian university security research group, called the discovery of the vulnerability “frightening.”
“Often you can be reassured that piracy is preventable,” said Marczak. “With this bug, no matter if you have a PhD in cybersecurity, it will eat your lunch.”
Christopher Bing reports in Washington and Joseph Menn in San Francisco. Contributions by Jack Stubbs in London and Stephen Nellis in San Francisco; edited by Chris Sanders, Edward Tobin and Sonya Hepinstall.