Reader Comments

Experts find rare iPhone flaw that lets hackers access iOS remotely

by Percy Caleb (2020-06-14)


Apple's email app for iPhone and iPad may have left hundreds of millions of users' data vulnerable to hackers - thanks to an exploit discovered by researchers. 

Security experts uncovered a vulnerability in the Mail app on iOS 13 devices, and say it has been used by hackers to steal data 'in the wild' at least six times.

It was spotted by mobile security forensics firm ZecOps, who say it has been used to hack into devices of 'high profile users' and take photos and contact details.

The flaw was acknowledged by Apple, who say they had developed a fix which will be rolled out to millions of devices in the next update. 

According to ZecOps, victims are sent an apparently blank email message that forces the device to crash and reset - the crash opens a back door for the hackers.






The exploits are a rare lapse in iOS security that researchers say has been used to hack individuals at American companies and a 'German VIP' (stock)














According to a report from ZecOps which was first highlighted by Motherboard, there are actually a pair of related flaws - both uncovered in iOS 13.

'We concluded with high confidence that it was exploited in the wild,' Zuk Avraham, the founder of ZecOps, told Motherboard. 

'One of [the vulnerabilities] we clearly showed that it can be triggered remotely, the other one requires an additional vulnerability to trigger it remotely.' 

The remote vulnerability is especially dangerous according to researchers since it doesn't require a victim to 'click' or interact with anything in order to be exploited.

While ZecOps didn't elaborate on what, if anything, the hacks stole or who may be using them, the firm did say that they targeted people working for major companies in the US, 'a German VIP', an executive in Japan and a journalist from Europe. 

Avraham said that the flaws were exploited by 'someone who wants to get privileged access' to a target's device. 

ZecOps says the exploit leveraged Apple's Mail app and was likely purchased from a third party by a nation-state looking to use the flaw for surveillance. 







As noted by Motherboard, zero-day exploits like the one discovered by ZecOps are flaws that have not been identified by the companies that they affect and are rarely discovered in Apple's iOS.

Avraham, a former Israeli Defense Force security researcher, said he believes these are just the tip of the iceberg in terms of Apple exploits - adding that the hacking technique was part of a chain of malicious programs.

He said the rest of the exploits were so far undiscovered by security researchers and that they could have given an attacker full remote access. 

Apple declined to comment on that prospect. 

Zero-day flaws are also rarely spotted 'in the wild' meaning they haven't been identified by a company or service. 

This is because they are often used by sophisticated hackers who cover their tracks after leveraging the exploit. 






Zero-day iOS flaws are rarely discovered but are often exploited by nation-states and other organized cyber espionage groups (stock)


Though the exploits aren't likely being used against people en masse, Motherboard says users can safely guard against the flaw by deleting the Mail app from their phones. 

Two independent security researchers who reviewed ZecOps' discovery found the evidence credible, but said they had not yet fully recreated its findings.

Patrick Wardle, an Apple security expert and former researcher for the US National Security Agency, said the discovery formed a 'badly kept secret'.

He said that it has long been known 'that well-resourced adversaries can remotely and silently infect fully patched iOS devices.'

Because Apple was not aware of the software bug until recently, it could have been very valuable to governments and contractors offering hacking services. 

Exploit programs that work without warning against an up-to-date phone can be worth more than $1 million.

Apple is seen by cybersecurity experts as having a very high standard of digital security, but with 900 million active iPhones in use there is a large incentive for hackers to find a way into the operating system.

Bill Marczak, a security researcher with Citizen Lab, a Canada-based academic security research group, called the vulnerability discovery 'scary.'

'A lot of times, you can take comfort from the fact that hacking is preventable,' said Marczak. 

'With this bug, it doesn't matter if you've got a PhD in cybersecurity, this will eat your lunch.'



Read more:

Researchers Say They Caught an iPhone Zero-Day Hack in the Wild - VICE

blog.zecops.com/...