A newly discovered security flaw in the default iOS Mail app is technically a “zero-day,” but one that researchers believe has been in use in the wild for some time. The new iPhone vulnerability can be exploited simply by sending an email formatted in a particular way; the victim does not have to click on an attachment or follow a link, and can be compromised just by opening iOS Mail with the attack message present in their inbox.
This vulnerability was discovered in the most recent release of iOS 13, but research indicates that it has been present at least since iOS 6 was released in September of 2012.
May have been exploited for at least two years before discovery
The iPhone vulnerability was discovered by researchers at ZecOps, a cybersecurity firm based in San Francisco. The researchers happened upon the exploit during a routine forensic examination of iOS for a client. The team then found markers of the use of this exploit in the wild dating back to January 2018.
The researchers believe that at least one advanced persistent threat (APT) group is aware of this vulnerability and has been actively using it against victims for some time now. No specific companies were named, but ZecOps indicated that individuals from a Fortune 500 company, a number of executives in various industries around the world and journalists in Europe have been targeted.
The dates provided are based on ZecOps’ testing and research, which is not comprehensive. The researchers note that it is possible that this exploit was used prior to 2018, and that it was present in iOS prior to version 6.
All versions of iOS, including the most recent as of this writing, are vulnerable. Apple intends to patch the issue with the release of iOS 13.4.5; the beta version (with the patch included) is available now. macOS is not vulnerable.
ZecOps has notified Apple of the vulnerability, and it is scheduled to be patched in the next iOS update. Until then, or on an older device that cannot be updated to a fixed version of iOS, this vulnerability can be thwarted simply by using an email client other than iOS Mail.
How the iPhone vulnerability works
The new iPhone vulnerability is essentially an old-school buffer overflow attack: the attack message overloads a targeted memory region with more data than it was meant to hold, so that attacker-supplied content spills into adjoining memory, from where malicious code can then be executed.
Thus, this attack doesn’t require the victim to follow a link or click on an attachment to work. In fact, if the user is running iOS 13 they do not even have to open the email. Simply opening iOS Mail with the attack email present in the inbox will trigger the iPhone vulnerability. In iOS 12 or older, one must actually open the attack email unless it was sent from a mail server controlled by the attacker and configured to run the exploit. The received email that triggers the attack is deleted by the attackers after it compromises the app.
The new iPhone vulnerability is mostly silent and not apparent to the target, but ZecOps researchers discovered some telltale signs of its presence that appear in certain iOS versions. In iOS 12, the Mail app may crash unexpectedly after an attack attempt (whether or not it is successful). In older iOS versions, one may see odd empty messages in the “Sent” folder that display formatting errors when opened. Ironically, this vulnerability is hardest to detect in the most recent version of iOS, as it does nothing visible besides temporarily slowing down the app.
The attacker does not have to send an unusually large email to trigger the vulnerability; a seemingly normal multi-part message will work.
Apple: Secure, but not 100% secure
Apple products are generally seen as more secure than their PC and Android counterparts; the “walled garden” approach to design makes it tougher to develop exploits and deploy malware, but it also means that inherent vulnerabilities in apps or hardware can go undiscovered for staggeringly long periods of time. This new iPhone vulnerability is a perfect illustration. If the first party to discover a vulnerability is a threat actor, they can potentially make use of it for years before the rest of the world catches up.
Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, points out that organizational cybersecurity planning needs to account not just for this particular iPhone vulnerability but for the general reality of undisclosed zero-day exploits: “You must assume that any attacker with enough ability or financial backing has access to sure-fire exploits that can take control of computers or devices running any operating system or application. These exploits are specially designed to go undetected by antivirus, firewalls, or other front-line security controls. The only way to defend against such attackers is to have a culture of security with defense-in-depth capabilities including close monitoring of security logs and anomalous network traffic.”
The iOS Mail application can be disabled on most devices from the Settings menu (iCloud > Mail > Off or something similar); it is also possible to delete the app entirely. This might be necessary on an older iOS device that cannot receive a software update to the most recent iOS version (the iPhone 6 series and older), or it may be a wise temporary precaution for devices with multiple users, or simply to prevent absentminded tapping when a new mail notification comes in.