Hackers gained access to iPhones through a sophisticated security flaw in Apple’s built-in Mail app that Apple has yet to patch, according to new research from a cybersecurity firm.
Cybersecurity firm ZecOps began investigating after finding suspicious lines of code on customer-owned iPhones. Customers of ZecOps, a two-year-old cybersecurity firm with offices in San Francisco, have their employees connect their iPhones to a computer or kiosk that uploads data logs to a central server, where they are analyzed to detect any suspicious activity.
Zuk Avraham, CEO and co-founder of ZecOps, said the code stood out because it was not found on many other iPhones. Avraham and others at the company investigated it for months, eventually discovering that it was tied to a previously unknown flaw in Apple’s Mail app. He alerted Apple, which is fixing the flaw, he said.
Apple spokesman Todd Wilder declined to comment.
The discovery of the flaw sheds light on an issue that has come to the fore more and more in recent months. While Apple’s marketing claims its iPhones are more secure than the competition, its mobile operating system, called iOS, is particularly vulnerable to sophisticated attacks like the one that hit Amazon CEO Jeff Bezos last year. (Bezos also owns the Washington Post.)
Like the suspected attack on Bezos’ phone, the hack ZecOps says it uncovered is called a “zero-click” attack. While less sophisticated attacks require the victim to click on a link, usually in a phishing email or text message, a zero-click exploit does not require any input from the victim. In this case, the perpetrators can send the victim an email containing the malicious code. This code can then set off a chain reaction, called an “exploit chain,” that knocks down the phone’s defenses one by one, erasing its tracks along the way and making it nearly impossible to detect.
Avraham declined to name the clients he said were targeted, but said in a blog post on Thursday that they included a Fortune 500 company in North America, a journalist in Europe, an executive in Japan and others.
ZecOps still has no idea who might have been behind the attacks it says affected its customers, but Avraham said in an interview that he believes the attack was likely carried out by a nation-state or an entity with deep pockets.
Apple makes it difficult for security researchers to find bugs in iPhones, reducing the number of people able to break into the operating system and simultaneously increasing the value of exploits, which are sold on the black market to the highest bidder. These bidders include nation-states and third-party security firms that help deep-pocketed entities hack into their enemies’ iPhones. Once an exploit is successful, Apple’s locked-down security makes it nearly impossible for victims to know they have been hacked.
The obscurity of iOS makes the job of companies like ZecOps extremely difficult. Even with the ability to analyze the logs of its customers’ iPhones, the company is often only able to theorize, with more or less certainty, whether there has been an attack. That is what makes its most recent discovery so rare: it was able to reverse engineer suspicious activity and use it to uncover a real, previously unknown security exploit.
While the hack raises questions about whether iPhone users should use the built-in Mail app, removing it can create challenges for users. Even if an Apple customer removes the Mail app, there is no way to replace it as the default mail app with a competing app, such as Microsoft Outlook. Deleting the app may cause a loss of functionality. For example, clicking an email link will no longer work, and users will be greeted with a message from Apple asking them to redownload the Mail app.