iPhone Flaw Allows Targeted Attacks Via Email Client
Published: April 22, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
It’s time to update your iPhone again…soon anyway. Apple is planning to release a patch soon for a critical flaw that could allow attackers to compromise your iPhone exploiting a fault in the native email client on the devices. Researchers at ZecOps found this bug a year ago during some routine testing and said cybercriminals were using it to get to at least six specific targets going back to 2018.
How it works is this: An attacker sends a specially crafted email message to a target victim. It overruns the device’s memory and allows the theft of data from it, after the attacker remotely runs some malicious code.
The best advice while we’re all waiting for the update is to avoid using the default email client on iPhones, especially if you are potentially in a high-risk group. While the specific people and companies targeted so far were not named, the list includes:
Individuals from a Fortune 500 organization in North America
An executive from a carrier in Japan
A VIP from Germany
Managed Security Service Providers (MSSP) from Saudi Arabia and Israel
A Journalist in Europe
Possibly: An executive from a Swiss enterprise
Versions affected include those going back iOS6. The researchers did say that the MacOS is not affected by this bug. Unfortunately, users may not even realize something happened. For versions prior to iOS 13, the user simply had to download email for it to trigger. For versions 13 and newer, no interaction at all was necessary. According to the report by ZecOps, “Besides a temporary slowdown of mobile mail application, users should not observe any other anomalous behavior. Following an exploit attempt (both successful / unsuccessful) on iOS 12 – users may notice a sudden crash of the Mail application.” And that’s it.
It’s not so odd anymore for attacks to target mobile devices. Think about how much information is stored on them. Many of us feel as if we’re missing an appendage if our smartphone is not nearby. So, it’s really a logical target for attackers. Bugs on iOS are historically difficult to find, due to Apple’s secrecy. However, they are quite valuable to attackers when they are found. Some reportedly sell for up to $1 million. Because of the high price tag, some believe that most purchasers are well funded, such as governments.
When you see that indicator annoyingly reminding you to install an update in the near future, get on it. Click to update so you can use your email client again.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org