Since the iPhone was released in 2007, Apple has promoted the device itself, as well as its native applications, as maintaining the highest standards of security. But what if we told you that a previously unknown flaw in Apple Mail may have compromised your data?
Typically, for an iPhone to be hacked, the user has to take some specific action, such as tapping a link in a message or visiting a website, that results in malware being downloaded. But ZecOps, a San Francisco-based cybersecurity automation company, recently discovered that attackers have been exploiting a flaw in Apple Mail that lets them run malicious code on the device without the recipient doing anything at all. As Zuk Avraham, ZecOps’ CEO, stated to The Wall Street Journal, “hackers would send a specially crafted email message to gain access to the recipient’s device. The bug is triggered when the message is downloaded by the phone’s email reader, without further action by the recipient.”
ZecOps identified the flaw during a routine iOS Digital Forensics and Incident Response (DFIR) investigation. In the course of that investigation, ZecOps found a number of remote attacks carried out through Apple Mail, dating as far back as January 2018. Even more alarming, on iOS 13 the attack merely requires that Apple Mail be running in the background on the user’s device; the user does not need to open the malicious email, let alone click on anything in it.
ZecOps notes that, while the forensic data confirms that the exploit emails were received and processed by the victims’ iOS devices, the corresponding emails that should have been received and stored on the mail server were missing. From this, ZecOps infers that the malicious emails were deleted intentionally as part of the attackers’ operational-security cleanup. Given the sophistication of the attacks, ZecOps believes they were most likely carried out by at least one nation-state operator, or by a nation-state that purchased the exploit from a third-party researcher.
So far, the known targets of this attack include:
While no law firms appear on this list, that does not rule out the possibility that law firms have also fallen victim to this attack. As ZecOps notes, the data on these attacks is still limited, but the range of known targets shows how widely the vulnerability has been exploited. Because of the attack’s stealth, a targeted user would not have noticed anything unusual on the phone apart from a temporary slowdown of Apple Mail. There are, however, two indicators of a failed attack that are worth checking for: the attacker’s email appears in the inbox with the body “This message has no content,” and on iOS 12 a failed attempt may also cause Apple Mail to crash.
ZecOps notes that this vulnerability on its own does not give an attacker full control of the device. It does, however, let the attacker read, modify, and delete the victim’s emails, which for a law firm is already a serious breach of client confidentiality. Full device access would require chaining the Mail bug with an additional kernel vulnerability, a possibility ZecOps says it is still investigating.
Every iOS version ZecOps tested is vulnerable, including the then-current iOS 13.4.1, which means the same threat operators may still be actively exploiting these bugs. Although Apple has fixed the bug in a beta (test) version of iOS, the fix has not yet shipped in a public iOS update. Until a patched release is available and installed on your users’ phones, it is critical that they stop using Apple Mail. Note that simply closing the app is not enough: on iOS 13 the attack only requires Mail to be running in the background, so the mail accounts should be removed from Apple Mail altogether. Firms using ZERØ or any other third-party mobile email client on the iPhone are not exposed to this particular vulnerability, because the flaw is in Apple Mail itself rather than in iOS as a whole or in the mail server; this does not, of course, protect against other attack vectors.
Looking ahead, it is worth remembering that, because of its widespread usage, Apple Mail will always be a popular target for malicious actors. ZERØ’s email client has been designed exclusively for law firms, with the security features they need to keep such a hack from compromising a law firm’s data. In addition to being extremely secure, ZERØ also lets users streamline administrative processes, such as filing emails to document management systems and capturing time spent interacting with client email on mobile devices. Contact us today to learn how ZERØ can help your firm keep its users’ data safe on mobile devices while providing them with AI-powered productivity features.
To learn more about this hack, read ZecOps’ detailed blog post here.
Update: As of April 24, Apple says it has found no evidence that attackers have exploited this vulnerability against its customers. ZecOps maintains that the vulnerabilities it found were exploited against “a few organizations.”