This week our Managing Director, Dermot Williams, spoke to RTE News about the latest security vulnerability uncovered in Apple devices.
It has been revealed that a flaw in Apple’s email software can allow attackers to remotely compromise iPhone and iPad devices just by sending a specially crafted email containing malicious code.
Users running the latest version of Apple iOS (iOS 13) don’t even need to open the email for the attack to work. The attack causes the phone to reboot, after which it appears to behave normally, but it gives the attacker the same level of access to data that the email app has – including the ability to read, delete or even modify email messages. The malicious code deletes the email it arrived in to cover its tracks.
It is unclear whether the exploit can be combined with others to further compromise the device, but email alone can contain very sensitive data including valuable corporate information, password reset links, etc.
Who is vulnerable?
Almost a billion iPhones are in use around the world and the email app is installed by default. Add in all the iPads which run the same software and you are talking about an enormous “attack surface”. This bug has been present in iOS since version 6 (released in 2012) and evidence of attackers using it goes as far back as January 2018. iOS 13.4.1 and below are vulnerable.
How can you protect against this attack?
The latest “beta” release of iOS 13 already has a fix, so users of recent iPhones will be protected by the next general release. People should install this update as soon as they can once Apple release it. Whether Apple will also release an update for users with older iPhones incapable of running iOS 13 remains to be seen.
Hackers are likely to ‘reverse engineer’ Apple’s fix to discover how the attack works, so it is likely that many more attackers will be exploiting this vulnerability before long. Meanwhile the original attackers will know that their “head start” is almost gone and may start to use this security flaw much more widely before it is rendered ineffective by Apple’s imminent update.
Users who read their email using non-Apple email apps such as Outlook and Gmail are not affected. Also, because this is a “buffer overflow” attack which works by sending an oversized email message, businesses may be able to mitigate attacks on iOS devices linked to corporate email systems by imposing message size limits where their email server supports this.
So why have we not heard about this before?
It appears that those behind these attacks have been using their knowledge of the security vulnerability selectively against a small number of high-value targets to avoid Apple becoming aware of it and fixing it.
So who might that hacker be?
The fact that it was used so selectively points to it most likely being a nation-state. There is evidence it was bought from a “hacker for hire” – probably for a considerable sum given the black-market value of “zero day” flaws capable of exploiting iPhones.
A nation state? Do we know who?
The security researchers ZecOps who discovered this flaw being actively used were investigating an attack on an unnamed “Fortune 500 US technology company”, and their subsequent investigations found evidence of related attacks against other organisations in Japan (a carrier), Germany (a ‘VIP’), managed security providers in Saudi Arabia and Israel, and a suspected attack against an executive at a Swiss enterprise. This is based on the limited data available to ZecOps to analyse; there could be many other targets.
Attribution in cyber-attacks is notoriously difficult and unreliable, but adversaries common to the above targets, with known offensive cyber warfare capabilities, include China, Russia, Iran and North Korea.
What happens next?
After Apple fixes this flaw and it is safe to release more details about it, additional organisations may discover they were targeted. Users who previously experienced phone reboots after opening an apparently blank email will be particularly concerned.
Much as people around the world are waiting today for antibody tests to discover whether they have already had Covid-19, it is possible that Apple might release enough information about this security flaw for security researchers to develop tools that reveal whether particular phones were previously targeted. A larger list of targets may make it easier to reliably infer who was behind the attacks.
The existence of this attack may help organisations explain previously inexplicable data leaks, much as happened some years ago when the News of the World voicemail hacking scandal was revealed, and people who had previously blamed family members and friends for leaking sensitive information discovered what had really happened.