MANILA, Philippines – A bug on iOS’s default Mail app can be used to get into users’ email and devices, US-based cybersecurity firm ZecOps revealed, Monday, April 20. 

The bug, through both iPhone and iPad devices, has been exploited in a number of suspicious events dating all the way from January 2018, the firm said. The attack pattern starts with a “specially crafted email” to a target’s inbox, which is then able to trigger the vulnerability in the Mail app. 

“Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails,” said the firm. The firm added that there is also another vulnerability they’re looking at currently, which may provide full device access to the attacker. 

The team also found that the exploit emails were no longer found on the mail server, inferring that the attack emails were “deleted intentionally as part of attack’s operational security cleanup measures.” Typically, the emails would be received and stored on the device and the mail server, the firm explained. 

ZecOps also said that the attacks may be linked to at least one “nation-state threat operator,” which purchased the knowledge on using the exploit from a third party. 

iOS versions that were tested to be vulnerable run from 2012’s iOS 6 to the current newest official version, iOS 13.4.1, released just in March 2020. The firm said they didn’t test earlier versions but didn’t remove the possibility that those could be exploitable too. 

Attack trajectory

Succesfully attacking iOS 12 users requires that the target clicks on an email. Once the email is clicked, the victim “does not need to open an attachment and just viewing the email is sufficient to trigger the attack.” But the firm warns that there is also a way for hackers to require no user interaction to trigger the exploit “if the attacker controls the mail server.”

On iOS 13, “attackers may try multiple times to infect the device silently and without user interaction.” 

In their investigations, ZecOps said they have found suspected targets that were attacked through the exploit:

• Individuals from a Fortune 500 organization in North America
• An executive from Japan 
• A VIP from Germany
• Network security service providers from Saudi Arabia and Israel
• A journalist in Europe
• An executive from a Swiss enterprise

Upcoming patch?

An upcoming version of iOS, 13.4.5, has a patch for these vulnerabilities, but is currently in beta version through Apple’s beta program.  In general, it isn’t advisable to run an OS in beta on your primary device as there may be unforeseen errors. ZecOps advises the use other mail apps such as Gmail and Outlook, and disable the iOS mail app. 

Signs to look for that may indicate an attack include a temporary slowdown of the Maiil application or a sudden crash of the Mail application on iOS 12. On iOS 13, there would also be a temporary slowdown. These signs, however, may be very hard to spot as they could also be symptoms of other device or OS issues. 

In failed attacks, the firm said that the exploit emails sent to the target would show the message “This message has no content.” Devices with lower RAM may be easier to exploit too, with the firming listing the iPhone 6 with 1GB RAM, iPhone 7 with 2GB RAM, and iPhone X with 3GB RAM as vulnerable. This is because the exploit needs to “drain every last bit of RAM” to trigger the bug. The less RAM there is to drain, the higher the chances of working. MacOS is not vulnerable to the exploit. 

ZecOps warns that with news of the bug going public, attackers will attack as many devices as possible until the bug is completely patched. 

“With very limited data we were able to see that at least six organizations were impacted by this vulnerability – and the potential abuse of this vulnerability is enormous. We are confident that a patch must be provided for such issues with public triggers ASAP,” said ZecOps.

Vice reported that Apple will be patching it in the next public release of iOS. – Rappler.com