Flaw in iPhone, iPads may have allowed hackers to steal data for years

The new iPad Pro with augmented reality capabilities. Picture: Apple via AP

The new iPad Pro with augmented reality capabilities. Picture: Apple via AP

Published Apr 22, 2020

Share

Washington/San Francisco - Apple Inc

is planning to fix a flaw that a security firm said may

have left more than half a billion iPhones vulnerable to

hackers.

The bug, which also exists on iPads, was discovered by Zuk

Avraham, chief executive of San Francisco-based mobile security

forensics company ZecOps, while investigating a sophisticated

cyberattack against a client in late 2019. Avraham said he found

evidence the vulnerability was exploited in at least six

cybersecurity break-ins.

An Apple spokesman acknowledged that a vulnerability exists

in Apple’s software for email on iPhones and iPads, known as the

Mail app, and that the company had developed a fix, which will

be rolled out in a forthcoming update on millions of devices it

has sold globally.

Apple declined to comment on Avraham’s research, which was

published on Wednesday, that suggests the flaw could be

triggered from afar and that it had already been exploited by

hackers against high-profile users.

Avraham said he found evidence that a malicious program was

taking advantage of the vulnerability in Apple’s iOS mobile

operating system as far back as January 2018. He could not

determine who the hackers were and Reuters was unable to

independently verify his claim.

To execute the hack, Avraham said victims would be sent an

apparently blank email message through the Mail app forcing a

crash and reset. The crash opened the door for hackers to steal

other data on the device, such as photos and contact details.

ZecOps claims the vulnerability allowed hackers to remotely

steal data off iPhones even if they were running recent versions

of iOS. By itself, the flaw would given access to whatever the

Mail app had access to, including confidential messages.

Avraham, a former Israeli Defense Force security researcher,

said he suspected that the hacking technique was part of a chain

of malicious programs, the rest undiscovered, which could have

given an attacker full remote access. Apple declined to comment

on that prospect.

Avraham based most of his conclusions on data from “crash

reports,” which are generated when programs fail in mid-task on

a device. He was then able to recreate a technique that caused

the controlled crashes.

Two independent security researchers who reviewed ZecOps’

discovery found the evidence credible, but said they had not yet

fully recreated its findings due to time constraints.

Patrick Wardle, an Apple security expert and former

researcher for the U.S. National Security Agency, said the

discovery “confirms what has always been somewhat of a rather

badly kept secret: that well-resourced adversaries can remotely

and silently infect fully patched iOS devices.”

Because Apple was not aware of the software bug until

recently, it could have been very valuable to governments and

contractors offering hacking services. Exploit programs that

work without warning against an up-to-date phone can be worth

more than $1 million.

While Apple is largely viewed within the cybersecurity

industry as having a high standard for digital security, any

successful hacking technique against the iPhone could affect

millions due to the device’s global popularity. In 2019, Apple

said there were about 900 million iPhones in active use.

Bill Marczak, a security researcher with Citizen Lab, a

Canada-based academic security research group, called the

vulnerability discovery “scary.”

“A lot of times, you can take comfort from the fact that

hacking is preventable,” said Marczak. “With this bug, it

doesn’t matter if you’ve got a PhD in cybersecurity, this will

eat your lunch.” 

Reuters

Related Topics:

apple