Hackers have been remotely attacking iPhones with malicious email messages for at least two years, San Francisco-based security firm ZecOps reports.
Apple plans to fix the underlying flaws in the upcoming release of iOS 13.4.5, but for now, all versions of iOS dating back to at least iOS 6 are vulnerable to these attacks. Because the attacks work only against Apple’s own Mail app, you can protect yourself by deleting the app until the fix is issued.
But that might not be necessary. The attacks have so far been against only business leaders, journalists and corporate security firms, the type of valuable targets who are always at high risk of cyberattack from well-funded adversaries.
The attackers can use these exploits to “leak, modify, and delete emails,” ZecOps said in a blog post Monday (April 20), but the attackers might also be able to get full device control with additional exploits.
ZecOps researchers said that the exploits let hackers hijack an iPhone’s processes by sending a very large email message, or a message that otherwise consumes a lot of system memory. If Apple’s own Mail program runs out of memory, the attackers will be able to inject malicious code.
Exploits of two other bugs in iOS would be required for the attacks to fully work, but ZecOps is not releasing details of those bugs for now. (This story was first reported by Vice News.)
Running out of memory
Eating up memory is not that hard to do on older iPhones that don’t have a lot of RAM — for instance, 2017’s iPhone X has only 3GB — but all models are vulnerable. However, the attack does not work on third-party email apps such as Gmail or Outlook.
Surprisingly, iOS 13 is arguably even more at risk from these attacks than older versions of iOS. That’s because iOS 13 handles back-end email processing in a different way.
The result is that iOS 13 can be hacked as soon as an iPhone receives the malicious email message, and the phone will continue to function normally. No user interaction is needed.
In iOS 12 and earlier, it’s easier to make the phone run out of RAM, but the iPhone’s user must open the malicious message for the exploit to work, and the Mail app may then crash. In either situation, the attackers often remotely delete the email messages so that the targets won’t see them on their devices.
ZecOps said the attacks date back at least to January 2018, when iPhones running iOS 11.2.2 were successfully attacked.
“It is possible that the attacker(s) were using this vulnerability even earlier,” ZecOps said.
The targeted individuals, ZecOps said, have so far included “individuals from a Fortune 500 organization in North America, an executive from a [wireless] carrier in Japan, a VIP from Germany, MSSPs [managed security service providers] from Saudi Arabia and Israel, a journalist in Europe” and perhaps “an executive from a Swiss enterprise.”