This Bug In iOS Mail App Had Been Around For Years, Without Apple Knowing Its Existence


Apple has long built its products around users' privacy and digital security. But some things still slip under the radar and stay overlooked for years.

One of them was a vulnerability in its native iOS Mail app that could have allowed hackers to compromise iPhones and iPads for years, according to a report published by the San Francisco-based cyber security firm ZecOps.

The researchers at ZecOps say they believe "with high confidence that these vulnerabilities... are widely exploited in the wild in targeted attacks by an advanced threat operator(s)."

Zuk Avraham, ZecOps’ chief executive, said his team believes that at least six high-profile targets have fallen victim to the exploit.

They include individuals from a "Fortune 500 company in North America", an executive from a mobile carrier in Japan, employees of technology companies in Saudi Arabia and Israel, a European journalist and an individual in Germany.

“With very limited data we were able to see that at least six organizations were impacted by this vulnerability — and the full scope of abuse of this vulnerability is enormous,” ZecOps researchers wrote, declining to name the victims for privacy reasons and saying that they were unable to obtain the malicious code because the email messages are believed to have been remotely deleted by the hackers.

Hacking Apple iOS Mail app. (Credit: ZecOps)

According to the researchers in a blog post:

"We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications (hence the 4141..41 strings). While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier."

ZecOps said that it was able to reproduce the hack in its lab after being alerted to suspicious crashes on customers’ iPhones in late 2019.

Avraham said that victims would be sent an apparently blank email message through the Mail app, which forced the app to crash and reset. It is that crash which opened the door for hackers to steal what iPhone and iPad users keep on their device, including photos and contact details.

Exploiting the vulnerability, hackers can send booby-trapped emails that, in some cases, require no interaction at all and, in other cases, require only that a user open the message, researchers from ZecOps said in a post.

The malicious email uses two different memory overflow bugs in the message-handling library used by Apple’s email app.

Modern email messages are usually formatted as text laid out in a format called MIME, short for Multipurpose Internet Mail Extensions, which allows an email to be split into multiple parts: the message body, embedded images, and attachments such as images, videos, documents and so on. Apple's MIME-processing library keeps this data in memory only until a certain size is reached.

This keeps small messages fast to process, while ensuring that long messages do not slow down the rest of the iOS system by consuming too much RAM.

The Mail bug is related to the point at which the MIME software library switches from caching message data in RAM to caching it on disk.

By exploiting it, attackers can run code in the context of the default Mail app, which makes it possible to read, modify, or delete messages.
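As an added illustration (not Apple's or ZecOps' code, and the article does not say what actually goes wrong in Apple's library at this point), the following C sketch of a hypothetical MIME part accumulator shows the checks a defender would expect around the RAM-to-disk switch: sizes are checked before growing, bytes are copied only after a successful realloc, and a failed file write leaves the recorded length untouched so later appends cannot outrun the backing store. The type and function names, the SPILL_AT threshold and the sample sizes are all constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SPILL_AT 64  /* constructed threshold; a real library would use far more */

/* Hypothetical part accumulator: bytes stay in RAM until SPILL_AT, then the
 * whole part moves to a temp file and later appends go to disk. */
typedef struct {
    unsigned char *mem;  /* in-memory backend, NULL once spilled */
    size_t len;          /* bytes stored in whichever backend is active */
    FILE *file;          /* on-disk backend after the switch */
} part_buf;

/* Returns 0 on success. Every failure path returns -1 before len changes, so a
 * failed switch to disk never leaves len claiming more than the backend holds. */
static int part_append(part_buf *p, const unsigned char *data, size_t n) {
    if (n == 0) return 0;
    if (n > SIZE_MAX - p->len) return -1;        /* size_t arithmetic overflow */
    if (p->file == NULL && p->len + n <= SPILL_AT) {
        unsigned char *grown = realloc(p->mem, p->len + n);
        if (grown == NULL) return -1;
        p->mem = grown;
        memcpy(p->mem + p->len, data, n);       /* bounded by the realloc above */
        p->len += n;
        return 0;
    }
    if (p->file == NULL) {                       /* crossing the threshold */
        FILE *f = tmpfile();
        if (f == NULL) return -1;                /* stay in RAM, report failure */
        if (p->len && fwrite(p->mem, 1, p->len, f) != p->len) { fclose(f); return -1; }
        p->file = f;
        free(p->mem);
        p->mem = NULL;
    }
    if (fwrite(data, 1, n, p->file) != n) return -1;
    p->len += n;
    return 0;
}

/* Bytes actually present in the active backend; must always equal len. */
static long part_stored_bytes(part_buf *p) {
    if (p->file == NULL) return (long)p->len;
    if (fflush(p->file) != 0 || fseek(p->file, 0, SEEK_END) != 0) return -1;
    return ftell(p->file);
}

static void part_free(part_buf *p) { free(p->mem); if (p->file) fclose(p->file); memset(p, 0, sizeof *p); }
```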

“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13,” the report reads.

ZecOps also said that the vulnerability, which underlies at least two related iOS zero-day exploits, has existed in the Mail app since at least iOS 6, which was released in 2012.

Attacking iOS devices through MobileMail/Maild. (Credit: ZecOps)

The flaw had not previously been disclosed to Apple, meaning that it would have been extremely valuable to a variety of bad actors.

Apple sets high standards for digital security, so any exploit program or technique that works against up-to-date iPhones or iPads can be worth more than $1 million.

Hackers were not the only ones interested; security researchers also took notice, and some questioned the validity of ZecOps' claim, including Patrick Wardle, an Apple security expert and former researcher for the U.S. National Security Agency, and Jann Horn, a researcher for Google’s Project Zero cybersecurity team.

At the time, the independent security researchers who reviewed ZecOps’ discovery found the evidence credible, but said they had not yet fully recreated its findings.

An Apple spokesperson then disputed Avraham's evidence, saying that the method had not been used against its iOS users.

However, the company acknowledged that a vulnerability existed in Apple’s software for email on iPhones and iPads, and that the company had developed a fix.

Avraham, who reported the exploits to Apple in March, said that the Cupertino-based company had already patched the vulnerability in the Mail app in beta version 13.4.5.

“To mitigate these issues — you can use the latest beta available. If using a beta version is not possible, consider disabling Mail application and use Outlook or Gmail that are not vulnerable,” wrote ZecOps.

This kind of vulnerability is called a 'zero-day': one that is known to attackers but not to the manufacturer or the general public. In Apple's case, the number of affected users could be around 1 billion, considering that about 900 million iPhones are active in the wild.

In May 2020, ZecOps researchers updated their findings, saying that after being contacted by "numerous individuals who suspect they were targeted by this and related vulnerabilities in Mail," they found that the case was far from what it seemed.

The researchers found that MailDemon appears to be even older than they initially thought, suggesting that the trigger for this vulnerability could have been around since the iPhone 2G, running iOS 3.1.3.

Published: 24/04/2020