04/26 Update below. This post was originally published on April 23.
Apple has already released the best iPhone of 2020. But now millions of iPhone owners, both old and new, need to be careful because the company has just confirmed a huge iOS security hole that affects almost every iPhone on the planet.
Following the publication of a devastating report from the security company ZecOps (covered here for Forbes), which claimed that every iPhone running iOS 6 or later is vulnerable to remote attacks, Apple has now confirmed the problem is real.
04/25 Update: Apple has gone a step further by speaking out about this security hole, and its response is controversial. In an official statement, the company played down the ZecOps findings, saying: “Apple takes all reports of security threats seriously. We have thoroughly investigated the investigator’s report and, based on the information provided, we have concluded that these problems do not pose an immediate risk to our users. The researcher identified three problems in Mail, but by themselves they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence that they were used against clients. These potential issues will be addressed in a software update in the near future. We value our collaboration with security researchers to help keep our users safe and we will give the investigator credit for their help.”
In response, ZecOps has stood by its report and issued its own statement questioning Apple’s. It wrote: “According to ZecOps data, there were triggers in nature for this vulnerability in some organizations. We want to thank Apple for working on a patch, and we look forward to updating our devices once it’s available. ZecOps will release more information and POC once a patch is available.” This additional information will be a fascinating read once iOS 13.4.5 is released. This story seems far from over.
04/26 Update: In an exclusive interview with me, ZecOps CEO Zuk Avraham has rejected Apple’s statement, which minimizes the iOS Mail vulnerability on iPhones. Avraham says these are the critical points Apple needs to address regarding the discovery:
1. How many triggers were there for this vulnerability (both malicious and non-malicious) since iOS 6?
2. How has Apple confirmed that all of these triggers are not malicious?
3. Following previous evidence of remote attacks that occur in nature on iOS users in multiple cases (Pegasus, Google TAG discovery, etc.), is Apple planning to improve forensic information so that people can analyze their devices more accurately and continuously (without physical connection to the device)?
Given the remarkably wide potential impact of this iOS vulnerability, I put these questions directly to Apple, but the company has declined to comment on them, saying “it doesn’t add anything beyond the statement at this point.” Despite this silence, I hope Apple will accelerate the next version of iOS 13, and I wouldn’t be surprised if an update arrives early next week now that the vulnerability is out in the open. The bigger question, though, is whether Apple will patch older iPhones that aren’t compatible with iOS 13. I hope pressure on the company to do so will increase.
So what are we dealing with? What ZecOps discovered is a serious vulnerability in Apple’s iOS Mail app that allows an attacker to remotely infect an iPhone and gain control of its inbox. Further, ZecOps found not only that the attacks can occur without the iPhone owner’s knowledge, but also that triggers have been occurring for more than two years, with the first trigger subsequently detected in January 2018.
And there’s another kicker: ZecOps found that attacks are easier to perform on iOS 13 than on previous generations of iOS. For example, ZecOps explains that with iOS 12, an attacker requires the iPhone user to open a malicious email. But with iOS 13, the attack can be triggered unassisted, simply with the Mail app open in the background.
The good news? Apple has confirmed to Vice that it has managed to patch the vulnerability in the latest beta version of iOS 13.4.5, and it appears that the company will now accelerate its release (with iOS 13.4.1 the old update, it looks like Apple will now skip a few digits unless it puts out a dedicated iOS 13.4.2 release instead).
Until then, ZecOps says there are two ways to stay safe: disable the Mail app (Apple has a guide here) and use a third-party app instead. In particular, it found that neither Outlook nor Gmail is affected by the vulnerability, so there is no need to bury your iPhone in a box and throw it into the sea.
That said, none of this hides the fact that a serious vulnerability spanning eight generations of iOS (iOS 6 was released in September 2012) is revealing. It also means that almost every iPhone in use today (Apple claims 1.5 billion active devices, of which iPhones make up the majority) is affected. This is because iOS 6 was released for all iPhones other than the original (released in 2007) and its successor, the iPhone 3G.
Watch this space, because I hope Apple moves quickly on this.