A computer bug discovered by ZecOps, a San Francisco-based mobile security forensics company, while it was investigating a sophisticated cyberattack against a client that took place in late 2019, has left 500M iPhone and iPad users vulnerable to cyberattacks.
Zuk Avraham, ZecOps’ CEO, said he found evidence that the vulnerability has been exploited in at least six cybersecurity attacks.
Acknowledging the existence of the exploitable vulnerability, an Apple spokesman said the company has developed a fix for its Mail app, which it will roll out globally in a forthcoming update.
Apple declined to comment on Avraham’s research, which was published on Wednesday and which suggests that the vulnerability could be remotely exploited and that there are real-world incidents of hackers using it to target high-profile users.
Avraham has come up with evidence that shows a malicious program exploiting the vulnerability in Apple’s iOS mobile operating system dating back to January 2018.
To execute the hack, victims would be sent an apparently blank email message which, on opening, would crash Apple’s Mail app, forcing a reset. This crash and reset essentially allows hackers to take control of the device and steal data stored on it, including photos and contacts.
According to ZecOps, the vulnerability allows hackers to remotely steal data from iPhones even if they are running the latest version of Apple’s iOS.
Avraham, a former Israeli Defense Force security researcher, said he suspected that the hacking technique was part of a chain of malicious programs, the rest undiscovered, which could have given an attacker full remote access.
ZecOps discovered that the technique was used against a client in 2019. Avraham described the targeted client as a “Fortune 500 North American technology company” and declined to name it. ZecOps also found evidence of related attacks against employees of five other companies in Japan, Germany, Saudi Arabia, and Israel.
Most of Avraham’s conclusions came from data from “crash reports.” He has been able to recreate a technique that caused the controlled crashes.
Two independent security researchers who reviewed ZecOps’ discovery found the evidence credible, although they could not fully recreate the findings.
According to Patrick Wardle, an Apple security expert and former researcher for the U.S. National Security Agency, the discovery “confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices.”
Bill Marczak, a security researcher with Citizen Lab, a Canada-based academic security research group, called the vulnerability discovery “scary.”
“A lot of times, you can take comfort from the fact that hacking is preventable,” said Marczak. “With this bug, it doesn’t matter if you’ve got a PhD in cybersecurity, this will eat your lunch.”