Apple is said to be planning to fix security flaws that have plagued its iconic products, such as the iPad and iPhone, for years and left more than half a billion of its devices vulnerable to hackers.
The bug was discovered by ZecOps, a San Francisco-based mobile security forensics company, while it was investigating a sophisticated cyber-attack against a client that took place in late 2019. The CEO of the company, Zuk Avraham, said he found evidence the vulnerability was exploited in at least six cybersecurity break-ins.
This prompted Apple to acknowledge the existence of the vulnerability in its email software for iPhones and iPads, known as the Mail app. The tech giant is said to be already working on the issue and plans to roll out a fix in its forthcoming security update for millions of iPhones and iPads worldwide.
Apple, however, declined to comment on Avraham’s research, published today, Wednesday, which suggests the flaw could be triggered from afar and that it had already been exploited by hackers against high-profile users.
Avraham said he found evidence that a malicious program was taking advantage of the vulnerability in the iOS operating system as far back as January 2018, though he couldn’t determine who the hackers were and his claims couldn’t be independently verified.
To carry out the attack, hackers would send a blank email message through the Mail app, which would force the app to crash and reset. The crash opens the door for hackers to steal other data on the device, such as photos and contact details.
ZecOps claims the vulnerability allowed hackers to remotely steal data off iPhones even if they were running recent versions of iOS. By itself, the flaw could have given access to whatever the Mail app had access to, including confidential messages.
Avraham, a former Israeli Defense Force security researcher, said the hacking technique was part of a chain of malicious programs, the rest undiscovered, which could have allowed an attacker to gain remote access to an iPhone or iPad. Apple declined to comment on his findings.
ZecOps found the Mail app hacking technique was used against a client last year. Avraham described the targeted client as a “Fortune 500 North American technology company,” but declined to name it. They also found evidence of related attacks against employees of five other companies in Japan, Germany, Saudi Arabia, and Israel.
Avraham based his conclusions on data from “crash reports,” which are generated whenever a program fails in the middle of an operation, and he was able to recreate a technique that caused the controlled crashes.
The evidence ZecOps put forward was verified by two other security researchers and found to be credible, though they had not yet fully recreated its findings. Patrick Wardle, an Apple security expert and a former researcher for the US National Security Agency, said the discovery “confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices.”
Because Apple was not aware of the software bug until recently, it could have been very valuable to governments and contractors offering hacking services. Exploit programs that work without warning against an up-to-date phone can be worth more than $1 million. Meanwhile, Apple’s reputation for treating security as a high priority is known throughout the tech industry and has driven the popularity of iPhones and iPads globally, so any hack can have an impact on millions of devices worldwide. Bill Marczak, a security researcher with Citizen Lab, a Canada-based academic security research group, called the vulnerability discovery “scary.”
“A lot of times, you can take comfort from the fact that hacking is preventable,” said Marczak. “With this bug, it doesn’t matter if you’ve got a PhD in cybersecurity, this will eat your lunch.” But as the saying goes, no technology is perfect and no software is 100% safe, which is why you should always update your iOS firmware to the latest version whenever updates are rolled out.