WASHINGTON / SAN FRANCISCO – Apple Inc. is planning to fix a bug that, according to a security company, could have left more than 500 million iPhones vulnerable to hackers.
The bug, which also exists on iPads, was discovered by ZecOps, a San Francisco-based mobile security forensics company, while investigating a sophisticated computer attack on a client that took place in late 2019. Zuk Avraham, CEO of ZecOps, said he found evidence that the vulnerability was exploited in at least six cybersecurity thefts.
An Apple spokesperson acknowledged that there is a vulnerability in Apple’s email software on iPhones and iPads, known as the Mail app, and that the company had developed a solution, which will be implemented in an upcoming update on the millions of devices it has sold worldwide.
Apple declined to comment on Avraham’s investigation, which was released Wednesday and suggests that the flaw could be triggered from afar and that hackers had already exploited it against high-profile users.
Avraham said he found evidence that a malicious program had been exploiting the vulnerability in Apple’s iOS mobile operating system since January 2018. He was unable to determine who the hackers were, and Reuters was unable to independently verify his claim.
To execute the hack, Avraham said, victims would be sent an apparently blank email message through the Mail app, forcing a crash and restart. The crash opened the door for hackers to steal other data on the device, such as photos and contact details.
ZecOps claims that the vulnerability allowed hackers to steal data remotely from iPhones, even if they were running recent versions of iOS. By itself, the flaw could have given access to anything the Mail app had access to, including confidential messages.
Avraham, a former security investigator for the Israel Defense Force, said he suspected the hacking technique was part of a chain of malware, the rest undiscovered, which could have given an attacker full remote access. Apple declined to comment on that prospect.
ZecOps discovered that the Mail app hacking technique was used against a client last year. Avraham described the target customer as a “North American Fortune 500 technology company,” but declined to name it. They also found evidence of related attacks on employees of five other companies in Japan, Germany, Saudi Arabia, and Israel.
Avraham based most of his conclusions on “crash reporting” data, which is generated when programs fail mid-task on a device. He was then able to recreate a technique that caused the controlled crashes.
Two independent security researchers who reviewed the ZecOps discovery found the evidence credible, but said they had not yet fully recreated its findings.
Patrick Wardle, an Apple security expert and former investigator for the US National Security Agency, said the discovery “confirms what has always been a rather poorly kept secret: that adversaries with sufficient resources can remotely and silently infect fully patched iOS devices.”
Because Apple wasn’t aware of the software bug until recently, it could have been invaluable to governments and contractors offering hacking services. Exploit programs that work without warning against an updated phone can be worth more than $1 million.
While Apple is largely seen within the cybersecurity industry as having a high standard for digital security, any successful iPhone hacking technique could affect millions due to the device’s global popularity. In 2019, Apple said there were around 900 million iPhones in active use.
Bill Marczak, a security researcher at Citizen Lab, a Canada-based academic security research group, called the discovery of the vulnerability “scary.”
“Many times, you can take comfort in the fact that piracy is avoidable,” said Marczak. “With this mistake, it doesn’t matter if you have a doctorate in cybersecurity, this will eat your lunch.”