Apple security flaw exposed: 500 million iPhones may be vulnerable

Apple Inc. is planning to fix a bug that a security firm said may have made more than 500 million iPhones vulnerable to hackers, and that it also exists on iPads.

Zuk Avraham, CEO of San Francisco-based mobile security forensics firm ZecOps, discovered the flaw in late 2019 while investigating a sophisticated cyberattack against a customer, saying it found evidence that at least six A cybersecurity intrusion campaign exploited this vulnerability.

An Apple spokesperson acknowledged a vulnerability in the email software, known as the Mail app, on iPhones and iPads, and said the company has developed a fix that will be rolled out in an upcoming software update. But the company declined to comment on Avraham’s research published on Wednesday, which showed the vulnerability could be triggered remotely and had been used by hackers against some high-profile users. Avraham said he found evidence that a malicious program exploited the flaw in the iOS mobile operating system as early as January 2018, but could not identify the hacker.

In the above case, the hacker sent a blank email to the victim via the Mail app, causing the latter’s system to crash and reset, which allowed the hacker to steal other data such as photos and contact information, Avraham said. .

ZecOps claims that even an iPhone running on the latest version of iOS could be exploited by hackers to remotely steal its data. The flaw could allow hackers to gain access to any information the Mail app has access to, including private messages.

Avraham, a former security researcher with the Israel Defense Forces, said he suspects the hacking technique is part of a series of malicious programs, the rest of which have yet to be discovered, that may have given hackers full access to Remote access rights. Apple declined to comment.

Avrahham based his conclusions primarily on data from “crash reports”, which programs generate when they fail to perform their tasks successfully. He then recreated a technique that could cause a controlled collapse.

Two independent security researchers reviewed ZecOps’ findings and found the evidence credible, but said they have not fully reproduced ZecOps’ findings due to time constraints.

Patrick Wardle, an Apple security expert and former NSA researcher, said the discovery “confirms a well-kept secret: well-resourced hackers can silently infect remotely. All patched iOS devices”.

Since Apple wasn’t aware of the software bug until recently, the bug could be valuable to governments and contractors providing hacking services until then. A hacker program that can attack a new iPhone without triggering an alarm could cost upwards of $1 million.

While the cybersecurity industry largely considers Apple to have high digital security standards, because the iPhone’s global popularity is so high, any successful hacking technique could affect millions of computing iPhone users. Apple said there were about 900 million iPhones in active use in mid-2019.

Bill Marczak, a security researcher at Citizen Lab, an academic security research group in Canada, said the flaw discovered by ZecOps was “scare.” “There is comfort in the fact that hacking attacks are often preventable,” he said. (But) with this vulnerability, whether you have a Ph.D. in cybersecurity or not, you will not be able to eat.” )

The Links:   MG100J6ES52 CM300DY-12HE